SQL Server, MrbMiner the new malware that infects SQL Server!

Hello friends,


Today we will talk about security because it is a recent new that a new malware is  trying to infect SQL Server. Its name is MrbMiner.

The goal is always the same: installing a Cryptominer in order to use the power of the server to mine cryptocurrency!

We have already talked about security here

Enyoj the reading!

 

The new malware that infects SQL Server has a name, its name MrbMiner.

Its goal is to install on your server a cryptominer.

According to the chinese tech giant Tencent over thousands SQL Server databases have been infected!

 

How does it work?

This malware spreads exclusively by scanning the internet for SQL servers and performing a brute force attack by repeatedly trying the administrator account with weak passwords.

If the MrbMiner malware gains access to the system, it downloads a file called assm.exe, saving it in C: / Program Files / Microsoft sql server / mssql **. Mssqlserver / mssql / data / sqlmanagement / assm.exe or C: /Windows/temp/slqmanagement/assm.exe

Once executed the assm.exe once does many things..

Contact the mrbfile.zyz server at vihansoft.ir and port 3341 and download the SqlServer.dll file that contains the Trojan in the path http://mrbfile.xyz/sql/SqlServer.dll.

The Trojan is then unzipped and executed.

When executed the program analyzes the configuration of the current machine, counting the number of CPUs it has, and connects them individually to different internal ports to which the Monero Miner connects.

To ensure that it remains hidden during a routine check, a function has been implemented inside it that stops the mining process and cleans the offending files when Task Manager is opened.


To create a persistence, even if you decide to delete the files directly, the process downloads two additional installers called installservice.exe and PowerShellInstaller.exe which in turn download (if necessary) the Monero Trojan Miner. The logs are also modified and an entry with the name Windows Host Service is added.


Finally it adds a backdoor account for future access. The backdoor account has the username "Default" and a password of "@ fg125kjnhn987".

 

How to test if you SQL Server is infected?

You should scan our SQL Servers for the presence of the Default/@fg125kjnhn987 backdoor account.

With the T-SQL command below you can test if you have an user called ‘Default’

 

       

SELECT

      [name],

      [type_desc],

      is_disabled,

      create_date,

      modify_date

FROM sys.server_principals

ORDER BY modify_date desc

In case you find a system with this account configured you should call a system administrator or an SQL Server Expert.

 

That's all for Today!
Luca











Previous post: SQL Server // Do you want to lean how to pivot data in 5 minute?

 

 

 

 

 

Comments

  1. UnknownDecember 4, 2020 at 6:36 PM

    Thank you so much for your valuable blog. Can you please guide what's the next step to resole this issue?

    ReplyDelete

Post a Comment

I Post più popolari

SQL Server, execution plan and the lazy spool (clearly explained)

Image
Hi Guys, Welcome back! In one of the last posts we talked about Table Spool . We had explained what Spool are for by telling the somewhat curious story of the halloween problem . Here we specifically talked about a type of spool called Eager Spool   You can look to the execution plan below where the eager Spool is used to avoid the halloween problem in classic query of the "salary increase".. i suggest Well, if the story of the eager spool intrigued you, today instead we will speak about another type of Spool, the Lazy Spool . The Lazy spool Let's take a small step back. So, what is a Spool operation?  As we have already understood a spool operation is simply a temporary storage of data . Data are read from a source table and stored inside a worktable in the Tempdb database . While an Eager Spool is used to prevent the Halloween problem, the Lazy Spool is instead used to store data that will later be needed again when running a query . So, when a Lazy spool is used?    I
Read more

SQL Server, datetime vs. datetime2

Image
Hi guys, This time, in this post we will speak about datetime and datetime2 datatypes. We will talk about the pros and cons. We will talk about all the differences between the two types of data. Write me in the comments which type of data do you prefer between the two. Enjoy the reading!     Datetime Vs. Datetime2 First of all, it must be said that the datatype datetime is certainly the best known native format for storing a date in SQL Server. However, Microsoft has also been introducing a new type of data for many years now, also used to manage dates. It is in fact from SQL server 2008 that it is present in datetime2 data type. This "new" type of data was born primarily to have higher accuracy . Let's in fact talk about ... precision ! Datetime Certainly the datetime data type is not very precise and certainly there are many cases in which its precision is simply not sufficient. Let's see it with an example. Open the SQL Management studio (SSMS) and write the fo
Read more

How to solve EXECUTE Permission denied on object 'sp_send_dbmail'

Image
Hi guys, Welcome back ! Today a light five minute post to talk about this error: EXECUTE permission denied on object 'sp_send_dbmail', database 'msdb', schema 'dbo'. ..or in italian language: Autorizzazione execute negata per l'oggetto 'sp_send_dbmail' del database 'msdb' con schema 'dbo' The sp_send_dbmail You know that this stored procedure is used to send a mail through SQL server. You know also that this stored procedure is contained into the MSDB system Databases. But if you get the error above? What can you do? How to solve the execute permission denied on sp_send_dbmail You should consider that: Your user must be in the MSDB database.  Your user must be also member of the DatabaseMailUserRole .  You can solve the problem in this way: 1) In the Object Explorer of the SQL Server management Studio, locate the Security / Account menu. Locate your user and do a double click on it. 2) In the opene
Read more