A new dangerous attack campaign has been detected by security researchers involved in the distribution of the MrbMiner malware which is programmed to infect MSSQL databases. They are part of enterprise and company sites and are used to contain sensitive information and important site values. The nature of the attacks and the fact that many portals have been compromised shows that the hacking group behind it is possibly very experienced.
MrbMiner Malware Leveraged Against MSSQL Databases
MSSQL databases appear to be under attack by a new devastating attack campaign. This time it is a dangerous malware called MrbMiner which is devised by an experienced hacking group. At this moment there is no information available about the identity of the criminals behind it. The name was given to the virus after one of the domain names which was registered to spread it.
The attacks using a botnet approach — numerous computers and hacked hosts are tasked with the goal of automatically identifying accessible database servers on a given network. If such is found an automated script will be invoked which will attempt to leverage various security exploits. The main technique used is the brute force attempts that will use a dictionary or algorithm-based lists of usernames and passwords of the administrative users.
As soon as the MrbMiner Malware is deployed on a given computer a preset execution sequence will start. The first action in the current version is to download a assm.exe file from a remote server. It will prepare the environment by instituting a persistent installation. The virus files will be launched every time the computer is powered on. In addition, it can block access to the recovery boot options which will make it very difficult to follow most manual user removal guides.
According to the research reports the attacks are currently tweaked and will probably change in the near future. They are particularly useful for spreading dangerous malware such as the Qbot Trojan.
Additional MrbMiner Malware Capabilities
An additional step is the installation of a Trojan module. It is used to keep a connection to the hacker-controlled server. It is used to take over control of the systems and steal any files and data from the hacked hosts. Usually, database servers are built on top of enterprise-grade and performance-optimized servers. For this reason, the hackers behind the ongoing campaign have decided to implement another dangerous action – to deploy a cryptocurrency miner. This is a script configured to download multiple performance-intensive complex tasks onto the infected servers. They will run automatically which will have a crippling effect on the usability of the systems. For every reported and completed the job the hackers will receive cryptocurrency assets as a reward.
The code analysis of the collected samples shows that the virus is cross-compiled to be compatible with Linux systems and the ARM architecture. This means that the malware can also run on devices that are used in IoT environments, production facilities and etc.
This also leads us to believe that the hacking group may be pursuing a much larger attack in the near future. This fact prompted the analysts to continue looking and they discovered that the malware funds generated by the miner module were forwarded to a Monero wallet. The transactions that have been sent to it currently amount to about 300 USD. This suggests that the Linux attacks have recently been started.
At the moment for most of the attacks, the researchers note that there is a way to find out if your MSSQL has been affected. System administrators can search for the presence of a backdoor account with the name of Default/@fg125kjnhn987.
Martin Beltov
Martin graduated with a degree in Publishing from Sofia University. As a cyber security enthusiast he enjoys writing about the latest threats and mechanisms of intrusion.
Follow Me: