A hacker group is launching brute-force attacks on MSSQL servers with weak passwords to compromise them and install crypto-mining malware.
Tencent Security, which detected the new mining Trojan family MrbMiner, stated that thousands of MSSQL databases have been infected so far.
Tencent Security has named this new malware gang MrbMiner, after one of the domains used by the group to host their malware.
The attackers used a botnet to brute-force weak SQL Server passwords. After gaining access to the system, they downloaded an initial assm.exe file to establish persistence and to add a backdoor account for future access.
The researchers found an account with the username “Default” and the password “@fg125kjnhn987.” Once the account is created, the malicious code connects to the command and control server to download a Monero (XMR) cryptocurrency miner that runs on the local server.
The Monero wallet used by the MrbMiner version deployed on MSSQL servers contained 7 XMR (~$630).
The researchers also discovered that the MrbMiner C&C server contained variants of the MrbMiner malware written to target Linux servers and ARM-based systems.
So far only attacks on MSSQL servers have been observed, but analysis of the Linux version revealed a Monero wallet containing 3.38 XMR (~$300), suggesting that the Linux versions were also employed in the campaign.
The researchers published the Indicators of Compromise for this campaign. System administrators should check their MSSQL servers for the presence of the Default/@fg125kjnhn987 backdoor account.
If such an account is found, a full network audit is recommended.
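The following T-SQL is an added example for that check, not code from the article or from Tencent's report. It assumes the backdoor was created as a SQL Server login named “Default”; if the malware created a Windows account instead, the same name should be checked with the operating system's local user tools.

```sql
-- Added example (not from the original article or Tencent's report):
-- look for the MrbMiner backdoor login on a SQL Server instance.
-- Assumption: the backdoor is a SQL Server login named 'Default'.
DECLARE @backdoor sysname = N'Default';   -- account name reported in the article

-- 1. Does a login with that name exist, when was it created, is it enabled?
SELECT  sp.name,
        sp.type_desc,
        sp.create_date,
        sp.modify_date,
        sp.is_disabled
FROM    sys.server_principals AS sp
WHERE   sp.name = @backdoor;

-- 2. Which server roles (sysadmin, securityadmin, ...) has it been granted?
SELECT  r.name AS role_name,
        m.name AS member_name
FROM    sys.server_role_members AS rm
JOIN    sys.server_principals  AS r ON r.principal_id = rm.role_principal_id
JOIN    sys.server_principals  AS m ON m.principal_id = rm.member_principal_id
WHERE   m.name = @backdoor;

-- 3. Any other SQL or Windows logins created in the last 30 days that
--    nobody can account for? A brute-forced instance may carry more than one.
SELECT  name,
        type_desc,
        create_date
FROM    sys.server_principals
WHERE   type IN ('S', 'U')                -- 'S' = SQL login, 'U' = Windows login
  AND   create_date >= DATEADD(day, -30, SYSDATETIME())
ORDER BY create_date DESC;
```

An empty result from the first query only rules out the reported login name; a hit in the second or third query on an unexpected principal still warrants the full network audit the article recommends.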
Image Credits: Personal Financial