
MrbMiner

Posted: September 16, 2020

Cybercriminals continue to try to exploit different systems to plant their threatening software on them. One of the latest cybercrime gangs to participate in such a campaign is using a brand new piece of malware dubbed MrbMiner. So far, active copies of the threat have only been found on MSSQL servers whose security was probably compromised by the criminals. It is not clear what infection vector or attack technique they use, but it is very likely that they are scanning the Internet for unsecured MSSQL servers that use weak login credentials. These brute-force attacks seem to be surprisingly efficient, since many cryptocurrency mining gangs rely on them.

The MrbMiner Gang Compromises MSSQL Servers to Mine for Monero

If the MrbMiner gang manages to penetrate a server's security successfully, they make sure to keep persistent access by setting up a new backdoor account with full permissions. According to a cybersecurity report, the criminals always use the same fake account, 'Default', with the password '@fg125khnhn987.' Once all of this is taken care of, the hackers proceed to plant a Trojanized XMR (Monero) miner. The software hogs a lot of CPU resources to mine XMR coins, which are transferred to the attackers' wallets. During this time, the victims are likely to experience major performance issues, since all of their server's resources will be hijacked by MrbMiner.

So far, MrbMiner has generated around 7 XMR ($630) for its creators, but the sum is likely to grow in the next few weeks. One way to make sure that MrbMiner is not present on your MSSQL server is to check for the presence of the account mentioned above. Of course, the better option is to run an up-to-date anti-virus tool that will ensure the full removal of any threatening software.
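
The account check described above can be run as a T-SQL query. This is an added example, not taken from the cited report. It assumes the 'Default' account is a SQL Server login (the article does not say whether it is a SQL login or a Windows account) and that the query is run by a sysadmin so password hashes are readable.

```sql
-- Added example: look for the backdoor account named in the article.
-- Assumption: 'Default' is a server-level principal on the MSSQL instance.
-- The article prints the password with a trailing period that may be
-- sentence punctuation, so both spellings are compared.
SELECT
    sp.name,
    sp.type_desc,
    sp.create_date,
    sp.modify_date,
    sp.is_disabled,
    IS_SRVROLEMEMBER('sysadmin', sp.name) AS is_sysadmin,
    CASE
        WHEN sl.password_hash IS NULL THEN NULL      -- not a SQL login
        WHEN PWDCOMPARE(N'@fg125khnhn987',  sl.password_hash) = 1
          OR PWDCOMPARE(N'@fg125khnhn987.', sl.password_hash) = 1 THEN 1
        ELSE 0
    END AS matches_reported_password
FROM sys.server_principals AS sp
LEFT JOIN sys.sql_logins AS sl
    ON sl.principal_id = sp.principal_id
WHERE sp.name = N'Default'
  AND sp.type IN ('S', 'U', 'G');   -- SQL login, Windows login, Windows group

-- Review every principal holding full (sysadmin) permissions, newest first,
-- so an unexpected recently created account stands out.
SELECT
    m.name,
    m.type_desc,
    m.create_date,
    m.is_disabled
FROM sys.server_role_members AS rm
JOIN sys.server_principals AS r
    ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals AS m
    ON m.principal_id = rm.member_principal_id
WHERE r.name = N'sysadmin'
ORDER BY m.create_date DESC;
```

A row from the first query with `matches_reported_password = 1` is a strong sign of compromise; no row does not prove the server is clean, since the account name could differ.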
