
New MrbMiner Malware Infected Thousands of MSSQL Servers


MrbMiner is a newly detected attack campaign that has come to the attention of security researchers. The attack targets Microsoft SQL Server (MSSQL) instances and delivers cryptomining malware.


Experts say the attack has compromised thousands of MSSQL servers. The cybersecurity team at Chinese tech giant Tencent dubbed the malware group MrbMiner, after one of the domains the group used to host its malware.

According to Tencent, the malware spreads by scanning the internet for MSSQL servers and then performing brute-force attacks against them. In a brute-force attack, the attackers repeatedly try passwords against admin accounts until one with a weak password gives way.

If it manages to break in, the botnet first drops a file named ‘assm.exe’. To achieve persistence, the malware adds a backdoor account that gives the attackers a way back in. The account uses “Default” as its username and “@fg125kjnhn987” as its password.

Attack Objective

The main motive of the attack is to deliver crypto-mining malware that stealthily mines Monero coins. To do this, the malware silently establishes a connection to the command and control server and downloads a mining app for Monero (XMR).

The app abuses the local server's resources to mine the cryptocurrency. The generated XMR coins go directly to wallets owned by the hackers.

Researchers Also Discovered Variants Targeting Linux Systems

While tracking the MSSQL malware variant, Tencent also found that the MrbMiner C&C server hosted versions targeting Linux servers and ARM-based systems.

The variant had a Monero wallet address that was used to hold the generated funds. The wallet address held around 3.38 XMR (~$300), which is being actively distributed for further attack campaigns.
Meanwhile, the Monero wallet used by the MrbMiner variant targeting MSSQL servers held 7 XMR (~$630).

According to the researchers, mining groups use multiple wallets in their attack campaigns to generate larger profits.

What To Do?

Experts advise system administrators to scan their MSSQL servers for the Default/@fg125kjnhn987 backdoor account. If it is found, they should carry out a full network audit.
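
One way to run that check from inside SQL Server, together with an audit for the weak admin passwords the brute-force stage depends on. This is an added example, not a query from the Tencent report. The article does not say whether the backdoor is a SQL Server login or a Windows local account, so this query covers server-level logins only; Windows local accounts on the host need a separate check.

```sql
-- Added example. Run as a sysadmin on each instance.
-- The account name and password are the values quoted in this article.
DECLARE @ioc_name sysname = N'Default';
DECLARE @ioc_password nvarchar(128) = N'@fg125kjnhn987';

-- 1. Server-level principals named like the backdoor account:
--    a SQL login "Default" or a Windows login of the form HOST\Default.
SELECT sp.name,
       sp.type_desc,
       sp.create_date,
       sp.modify_date,
       sp.is_disabled,
       IS_SRVROLEMEMBER('sysadmin', sp.name) AS is_sysadmin
FROM sys.server_principals AS sp
WHERE sp.type IN ('S', 'U')
  AND (sp.name = @ioc_name OR sp.name LIKE N'%\' + @ioc_name);

-- 2. Any SQL login, whatever its name, whose hash matches the quoted
--    password, plus logins with traits that make brute forcing succeed:
--    blank password, password equal to the login name, or password
--    policy enforcement switched off.
SELECT sl.name,
       sl.create_date,
       sl.is_disabled,
       sl.is_policy_checked,
       CASE WHEN PWDCOMPARE(@ioc_password, sl.password_hash) = 1
            THEN 1 ELSE 0 END AS matches_quoted_password,
       CASE WHEN PWDCOMPARE(N'', sl.password_hash) = 1
            THEN 1 ELSE 0 END AS blank_password,
       CASE WHEN PWDCOMPARE(sl.name, sl.password_hash) = 1
            THEN 1 ELSE 0 END AS password_equals_name
FROM sys.sql_logins AS sl
WHERE PWDCOMPARE(@ioc_password, sl.password_hash) = 1
   OR PWDCOMPARE(N'', sl.password_hash) = 1
   OR PWDCOMPARE(sl.name, sl.password_hash) = 1
   OR sl.is_policy_checked = 0
ORDER BY matches_quoted_password DESC, sl.name;
```

A row in the first result set, or a 1 in matches_quoted_password, is the condition under which the article recommends a full network audit; the create_date of such a login gives a starting point for the timeline.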

Also, users should scan their systems with an anti-malware tool such as HitmanPro.Alert to remove all malicious entries and attain full security.

HitmanPro.Alert

HitmanPro.Alert is an advanced anti-malware program that takes a proactive approach towards threat behavior and activity. It is a real-time anti-malware program that delivers protection from the latest threats, including crypto-miners, ransomware, exploits, spyware, and risks related to online transactions.

Thus, running HitmanPro.Alert on your computer will provide real-time status, check browser integrity, and alert you to any suspicious activity, so that you can browse and make online transactions safely. Read the full review of HitmanPro.Alert here.

Steps To Install And Run HitmanPro.Alert

  • Click on the provided link to download the HitmanPro.Alert anti-malware;
  • Now, open the download folder and locate “hmpalert3”;
  • Click on it to begin the installation;
  • If User Account Control prompts you, click “Yes”. The download should begin shortly. The HitmanPro.Alert window will appear, where you need to choose the options:
  • Choose Protection level as Maximum
  • And tick the other boxes and finally click on “Install”.
  • HitmanPro.Alert only takes 5MB of your memory and is very quick to install.
  • After the installation is complete, the scan will start. The first scan may take some minutes, as it scans the whole computer.
  • When the scan results appear, look carefully through the list. Here, the scan has found 1 Riskware item and thousands of traces which can be risky.
  • You can select a threat to delete, quarantine, ignore, or mark as safe. If you want to remove all the threats, simply click the “Next” button below.
  • HitmanPro.Alert first creates a restore point and then starts the removal process. This helps to recover from any damage.

This is the removal process with HitmanPro.Alert.

About the author

UnboxHow Team
