Tencent's cybersecurity wing has discovered a new malware gang, named MrbMiner, that is hijacking Microsoft SQL servers to install a cryptocurrency miner. Researchers traced the gang's infrastructure back to its author and found two other malware strains crafted to target Linux servers and ARM-based systems.
Brute Force Attacks on Microsoft SQL Servers
Hackers have never passed up an opportunity that lets them into other systems. One of the common ways of penetrating someone's systems is brute-forcing the login page. This involves targeting an account that has weak or easily guessable credentials, trying a list of old and commonly reused credentials to gain access.
One such incident was discovered by Tencent's cybersecurity wing and reported earlier this month. They named the spotted malware group MrbMiner, after a domain it uses to host its malware. The attackers start by scanning the internet for Microsoft SQL servers and then brute-force weak accounts to gain unauthorised access.
After gaining access, they install an assm.exe file that sets up a backdoor account for future access and gains reboot persistence. Tencent researchers said the account the malware gang tried to hijack has the username "Default" and the password "@fg125kjnhn98". The next and last step is the installation of a Monero cryptocurrency miner, downloaded from the hackers' C2.
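The two behaviours described above, a burst of failed SQL Server logins from one client followed by a success, and the appearance of a SQL login that nobody provisioned (the "Default" account named in the report), are both visible to a defender with the server's own data. The following is an added example written for this article, not code from Tencent's report or from the malware: it parses "Logon" lines in the SQL Server error-log format, flags clients whose failure count crosses a threshold inside a time window, and compares the current list of SQL logins against an allowlist. The log lines, the IP addresses, the threshold and the allowlist are all constructed for the demonstration.

```python
"""Detect MSSQL brute-force bursts and unexpected SQL logins (added example)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of SQL Server error-log "Logon" lines: six failures from one client
# within a few seconds, then a success from the same client, plus one unrelated failure.
SAMPLE_LOG = """\
2020-09-01 10:00:01.10 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2020-09-01 10:00:01.40 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2020-09-01 10:00:02.05 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2020-09-01 10:00:02.60 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2020-09-01 10:00:03.11 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2020-09-01 10:00:03.70 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2020-09-01 10:00:05.00 Logon       Login succeeded for user 'sa'. Connection made using SQL Server authentication. [CLIENT: 203.0.113.5]
2020-09-01 10:15:00.00 Logon       Login failed for user 'app_reader'. Reason: Password did not match that for the login provided. [CLIENT: 198.51.100.7]
"""

# Matches the timestamp, outcome, login name and client address of a Logon line.
LOGON_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\.\d+\s+Logon\s+"
    r"Login (?P<result>failed|succeeded) for user '(?P<user>[^']*)'.*\[CLIENT: (?P<ip>[^\]]+)\]"
)

# Hypothetical allowlist of SQL logins an administrator knows were provisioned.
ALLOWED_LOGINS = ["sa", "app_reader", "backup_svc"]


def parse_logon_lines(text):
    """Turn error-log text into a list of logon events; non-Logon lines are ignored."""
    events = []
    for line in text.splitlines():
        m = LOGON_RE.match(line)
        if m:
            events.append({
                "ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
                "ok": m["result"] == "succeeded",
                "user": m["user"],
                "ip": m["ip"],
            })
    return events


def find_bruteforce(events, threshold=5, window=timedelta(minutes=1)):
    """Return {client_ip: (failures_in_burst, succeeded_afterwards)} for clients that
    produced at least `threshold` failed logins inside `window`. A success after the
    burst is the case that matters most: it means a weak password was found."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)
    hits = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        fails = [e for e in evs if not e["ok"]]
        for i, start in enumerate(fails):
            burst = [e for e in fails[i:] if e["ts"] - start["ts"] <= window]
            if len(burst) >= threshold:
                last_fail = burst[-1]["ts"]
                succeeded = any(e["ok"] and e["ts"] >= last_fail for e in evs)
                hits[ip] = (len(burst), succeeded)
                break
    return hits


def unexpected_logins(current_logins, allowlist):
    """Logins present on the server but absent from the allowlist (e.g. a backdoor account).
    `current_logins` would normally come from `SELECT name FROM sys.sql_logins`."""
    return sorted(set(current_logins) - set(allowlist))


if __name__ == "__main__":
    events = parse_logon_lines(SAMPLE_LOG)
    print("brute-force candidates:", find_bruteforce(events))
    # Constructed snapshot of sys.sql_logins including the account named in the report.
    print("unexpected logins:", unexpected_logins(["sa", "app_reader", "Default", "backup_svc"], ALLOWED_LOGINS))
```

Run against a real error log the burst detector should be paired with SQL Server's own login auditing (failed-login logging must be enabled for these lines to exist), and the allowlist check is only as good as the allowlist, so regenerate it whenever a login is legitimately added.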
Researchers tracked the malware back to the hackers' C2 and found two other variants intended for attacking Linux servers and ARM-based systems. While little is known about these yet, researchers said the cryptocurrency wallet linked to the Linux variant holds about 3.38 XMR, hinting that it is already in operation.
The Monero wallet linked to the Microsoft SQL server campaign holds about 7 XMR. While these amounts may look small, it should be assumed that the hackers have several wallets linked to their malware to collect the mined coins, which could add up to a larger sum.