The cybersecurity wing of Tencent has discovered a new malware gang named MrbMiner, which is hijacking Microsoft SQL servers to install a cryptocurrency miner. Researchers traced the malware back to its author and found two other malware strains crafted to target Linux servers and ARM-based systems.

Brute Force Attacks on Microsoft SQL Servers

Hackers have never passed up an opportunity that lets them into other systems. One of the common ways of penetrating a system is brute-forcing the login page. This involves targeting an account that has weak or easily guessable credentials, trying a set of old and commonly reused credentials until one grants access.

One such incident was discovered by Tencent’s cybersecurity wing and reported earlier this month. They named the spotted malware group MrbMiner, after a domain it uses to host its malware. The attackers start by scanning the internet for Microsoft SQL servers, then brute-force weak accounts to gain unauthorised access.

After gaining access, they install an assm.exe file that sets up a backdoor account for future access and also gives them reboot persistence. Tencent researchers said the account used by the malware gang has “Default” as its username and “@fg125kjnhn98” as its password. The next and last step is the installation of a Monero cryptocurrency miner, which is fetched from the hackers’ C2 server.
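As an added defender-side illustration (not code from the Tencent report), the small Python detector below runs over constructed SQL Server ERRORLOG-style logon lines: it flags a client that logs in successfully after a run of failed attempts, and any successful login by the “Default” name mentioned above. The line format, client addresses and timestamps are assumptions modelled on the ERRORLOG layout, not values from the article.

```python
import re
from collections import defaultdict

# Constructed sample lines modelled on the SQL Server ERRORLOG format (not real telemetry).
SAMPLE_LOG = """\
2020-09-14 10:15:01.23 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2020-09-14 10:15:01.41 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2020-09-14 10:15:01.60 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2020-09-14 10:15:01.88 Logon       Login failed for user 'admin'. Reason: Could not find a login matching the name provided. [CLIENT: 203.0.113.5]
2020-09-14 10:15:02.07 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2020-09-14 10:15:02.30 Logon       Login succeeded for user 'sa'. Connection made using SQL Server authentication. [CLIENT: 203.0.113.5]
2020-09-14 10:15:09.12 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 198.51.100.7]
2020-09-14 10:30:44.00 Logon       Login succeeded for user 'Default'. Connection made using SQL Server authentication. [CLIENT: 203.0.113.5]
"""

# Matches the logon lines only; other ERRORLOG entries are ignored.
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) Logon\s+Login (?P<outcome>failed|succeeded) for user '(?P<user>[^']*)'"
    r".*\[CLIENT: (?P<client>[^\]]+)\]"
)


def parse_logon_lines(text):
    """Yield (timestamp, outcome, user, client_ip) for each logon line that parses."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.group("ts"), m.group("outcome"), m.group("user"), m.group("client")


def detect_bruteforce(text, threshold=4, watch_users=("Default",)):
    """Return alerts for (a) a client that succeeds after >= threshold consecutive failures,
    i.e. a brute-force attempt that worked, and (b) any successful login by a watched name
    (here the 'Default' backdoor account named in the report)."""
    failures = defaultdict(int)  # consecutive failed logons per client address
    alerts = []
    for ts, outcome, user, client in parse_logon_lines(text):
        if outcome == "failed":
            failures[client] += 1
            continue
        if failures[client] >= threshold:
            alerts.append(("bruteforce_success", client, user, failures[client]))
        if user in watch_users:
            alerts.append(("suspicious_login", client, user, ts))
        failures[client] = 0  # a success ends the failure streak for that client
    return alerts
```

With the sample above, the first alert is the brute-forced `sa` login from 203.0.113.5 after five failures, and the second is the later `Default` login from the same address.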

Researchers traced the malware back to the hackers’ C2 server and found two other variants intended for compromising Linux servers and ARM-based systems. While little more is known about these yet, researchers said the cryptocurrency wallet linked to the Linux variant holds about 3.38 XMR, hinting that it is already in operation.

Also, the Monero wallet linked to the Microsoft SQL Server campaign holds about 7 XMR. While these amounts may look small, it should be assumed that the hackers have several wallets linked to their malware to collect the mined coins, which could add up to a much larger sum.
