Researchers at the Chinese company Tencent Security have described MrbMiner, malware used to install cryptocurrency miners on Microsoft SQL (MSSQL) servers. According to the researchers, thousands of MSSQL databases have already been infected.
The researchers also named the group behind these attacks MrbMiner, after one of the domains the criminals use to host the malware.
The researchers write that the botnet spreads solely by scanning the Internet for MSSQL servers and then brute-forcing them; attempts to log in to the administrator account with various weak passwords have been observed many times.
Once inside, the attackers download the file assm.exe, which they use to establish persistence and create a new account that serves as a backdoor for future access. This account typically uses the username Default and the password @ fg125kjnhn987. The final stage of the infection connects to the C&C server and downloads an application that mines Monero (XMR) using the infected system's resources.
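One way a defender can spot the brute-force stage described above in the SQL Server ERRORLOG, as an added example that is not part of the Tencent report: the log excerpt is constructed, and the failure threshold and time window are assumed values to be tuned per environment.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed SQL Server ERRORLOG excerpt for this example (not real telemetry).
# 198.51.100.7 hammers 'sa' and finally gets in; 203.0.113.9 is a single failed login.
SAMPLE_LOG = "\n".join(
    [f"2020-09-10 10:00:0{i}.00 Logon       Login failed for user 'sa'. "
     "Reason: Password did not match that for the login provided. [CLIENT: 198.51.100.7]"
     for i in range(6)]
    + ["2020-09-10 10:00:09.00 Logon       Login succeeded for user 'sa'. "
       "Connection made using SQL Server authentication. [CLIENT: 198.51.100.7]",
       "2020-09-10 10:05:00.00 Logon       Login failed for user 'appuser'. "
       "Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.9]"]
)

# Matches the Logon audit lines SQL Server writes for failed and (if enabled) successful logins.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d\d)\s+Logon\s+"
    r"Login (?P<outcome>failed|succeeded) for user '(?P<user>[^']*)'.*\[CLIENT: (?P<ip>[^\]]+)\]"
)

def parse_logon_events(text):
    """Yield (timestamp, outcome, user, client_ip) for each Logon line in the log."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S.%f")
            yield ts, m["outcome"], m["user"], m["ip"]

def detect_bruteforce(text, threshold=5, window=timedelta(minutes=1)):
    """Return {client_ip: alert} for clients with >= threshold failures inside `window`.
    `compromised` is set when a successful login follows such a burst from the same client."""
    recent = defaultdict(deque)   # client_ip -> timestamps of failures still inside the window
    alerts = {}
    for ts, outcome, user, ip in parse_logon_events(text):
        q = recent[ip]
        while q and ts - q[0] > window:   # slide the window forward
            q.popleft()
        if outcome == "failed":
            q.append(ts)
            if len(q) >= threshold and ip not in alerts:
                alerts[ip] = {"user": user, "failures": len(q), "compromised": False}
        elif ip in alerts:                # success after a burst: treat as a likely breach
            alerts[ip]["compromised"] = True
            alerts[ip]["user"] = user
    return alerts
```

A client flagged as compromised is the point at which to look for a newly created login such as the Default account described above.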
Although Tencent Security has so far observed attacks only on MSSQL servers, the researchers write that the MrbMiner control server also hosts other malware, including builds for Linux and ARM-based systems.
After examining the Linux version of MrbMiner, the researchers identified the wallet address to which the malware sends mined Monero. That wallet holds 3.38 XMR (about $300), which indicates the Linux malware is already in use, although the details of those attacks are still unknown. The wallet used by the MSSQL version of MrbMiner holds 7 XMR (about $630). Although these amounts are small, mining groups typically use multiple wallets for their operations, so the MrbMiner group's profits are likely higher.