MrbMiner is a newly detected attack campaign that has come to the attention of security researchers. The attack targets Microsoft SQL Servers (MSSQL) and delivers crypto-mining malware.
New MrbMiner Malware Infected Thousands of MSSQL Servers
The experts claim that the attack has compromised more than a thousand MSSQL servers. The cyber security team of Chinese tech giant Tencent dubbed the malware group MrbMiner, after one of the domains the hacker group used to host the malware.
According to Tencent, the malware spreads by scanning the web for exposed MSSQL servers and then launching brute-force attacks against them. As is typical for brute-force attacks, the hackers try admin accounts that have weak passwords.
If it manages to break in, the botnet first drops a file named ‘assm.exe.’ To achieve persistence, the malware establishes a gateway for the attackers by adding a backdoor account. The account uses “Default” as the username and “@fg125kjnhn987” as the password.
The main motive of the attack is to deliver crypto-mining malware that stealthily mines Monero coins. For this, the malware silently connects to its command and control server and downloads the mining app for Monero (XMR).
The app abuses the local server’s resources to mine the crypto-currency. The XMR coins it generates go directly to wallets owned by the hackers.
Researchers Also Discovered Variants Targeting Linux Systems
While tracking the MSSQL malware variant, Tencent also found that the MrbMiner C&C server hosts versions targeting Linux servers and ARM-based systems.
The variant had a Monero wallet address that was used to keep the generated funds. The wallet address held around 3.38 XMR coins (~$300), which are being actively distributed for further attack campaigns.
Meanwhile, the Monero wallet used by the MrbMiner variant targeting MSSQL servers stored 7 XMR (~$630).
According to the researchers, the mining groups use multiple wallets for their attack campaign in order to generate larger profits.
What To Do?
Experts advise system administrators to scan their MSSQL servers for the presence of the Default/@fg125kjnhn987 backdoor account. If it is found, they should conduct full network audits.
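A detection query for the check the experts recommend, added here as an example and not part of the original article or of Tencent's report. It assumes it is run on one MSSQL instance with a login that can read the server-level catalog views (the PWDCOMPARE step needs CONTROL SERVER); every row it returns is a finding to escalate, not something to clean up in place.

```sql
-- Added example: hunt for the MrbMiner backdoor login on a single MSSQL instance.
-- Assumes: sysadmin/CONTROL SERVER rights; run from SSMS or sqlcmd.

-- 1. Does a server-level principal named 'Default' exist, and when was it created?
--    The create_date is a useful anchor for scoping the rest of the investigation.
SELECT sp.name,
       sp.type_desc,
       sp.create_date,
       sp.modify_date,
       sp.is_disabled,
       IS_SRVROLEMEMBER('sysadmin', sp.name) AS is_sysadmin
FROM   sys.server_principals AS sp
WHERE  sp.name = N'Default';

-- 2. Any SQL login (whatever its name) whose password is the one the report
--    lists. PWDCOMPARE checks a clear-text candidate against the stored hash,
--    so this also catches the backdoor if the account was renamed.
SELECT sl.name,
       sl.create_date
FROM   sys.sql_logins AS sl
WHERE  PWDCOMPARE(N'@fg125kjnhn987', sl.password_hash) = 1;

-- 3. Which fixed server roles does 'Default' hold? A backdoor account that
--    is in sysadmin means the whole instance must be treated as compromised.
SELECT r.name AS role_name,
       m.name AS member_name
FROM   sys.server_role_members AS rm
JOIN   sys.server_principals  AS r ON r.principal_id = rm.role_principal_id
JOIN   sys.server_principals  AS m ON m.principal_id = rm.member_principal_id
WHERE  m.name = N'Default';

-- 4. Is anything connected as that login right now? host_name and program_name
--    give the source to block and the process to capture before remediation.
SELECT s.session_id,
       s.login_time,
       s.host_name,
       s.program_name,
       s.client_interface_name
FROM   sys.dm_exec_sessions AS s
WHERE  s.login_name = N'Default';
```

Run it across the whole estate (for example via a central management server or a sqlcmd loop over the inventory) rather than one box at a time, since the campaign brute-forces any reachable instance.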
Also, users should scan their systems with an anti-malware product such as HitmanPro.Alert to remove all malicious entries.
HitmanPro.Alert is an advanced anti-malware program that takes a proactive approach to threat behavior and its activities. It is a real-time malware program that delivers protection from the latest threats, including crypto-miners, ransomware, exploits, spyware, and risks related to online transactions.
Thus, running HitmanPro.Alert on your computer will provide real-time status, check browser integrity, and alert you to any suspicious activity, so that you can browse and transact online safely. Read the full review of HitmanPro.Alert here.
- Click on the provided link to download the HitmanPro.Alert anti-malware;
- Now, open the download folder to locate “hmpalert3”;
- Click on it to begin the installation;
- It will ask for User Account Control; if prompted, click on “Yes”. The download should begin shortly. The HitmanPro.Alert window will appear, where you need to choose the options:
- Choose the Protection level as Maximum;
- Tick the other boxes and finally click on “Install”.
- HitmanPro.Alert only takes 5MB of your memory and is very quick to install.
- After the installation is complete, the scan will start. The first scan may take some minutes, as it will scan the whole computer.
- The scan results are shown here. Carefully look down the list. You can see here that the scan has found 1 Riskware and thousands of traces which can be risky.
- You can select a threat to delete, quarantine, ignore, or mark as safe. If you want to remove all the threats, simply click on the “Next” button below.
- HitmanPro.Alert first creates a restore point and then starts the removal process. This helps you recover from any damage.
This is the removal process with HitmanPro.Alert.