SQL Server, MrbMiner the new malware that infects SQL Server!

Hello friends,


Today we will talk about security because it is a recent new that a new malware is  trying to infect SQL Server. Its name is MrbMiner.

The goal is always the same: installing a Cryptominer in order to use the power of the server to mine cryptocurrency!

We have already talked about security here

Enyoj the reading!

 

The new malware that infects SQL Server has a name, its name MrbMiner.

Its goal is to install on your server a cryptominer.

According to the chinese tech giant Tencent over thousands SQL Server databases have been infected!

 

How does it work?

This malware spreads exclusively by scanning the internet for SQL servers and performing a brute force attack by repeatedly trying the administrator account with weak passwords.

If the MrbMiner malware gains access to the system, it downloads a file called assm.exe, saving it in C: / Program Files / Microsoft sql server / mssql **. Mssqlserver / mssql / data / sqlmanagement / assm.exe or C: /Windows/temp/slqmanagement/assm.exe

Once executed the assm.exe once does many things..

Contact the mrbfile.zyz server at vihansoft.ir and port 3341 and download the SqlServer.dll file that contains the Trojan in the path http://mrbfile.xyz/sql/SqlServer.dll.

The Trojan is then unzipped and executed.

When executed the program analyzes the configuration of the current machine, counting the number of CPUs it has, and connects them individually to different internal ports to which the Monero Miner connects.

To ensure that it remains hidden during a routine check, a function has been implemented inside it that stops the mining process and cleans the offending files when Task Manager is opened.


To create a persistence, even if you decide to delete the files directly, the process downloads two additional installers called installservice.exe and PowerShellInstaller.exe which in turn download (if necessary) the Monero Trojan Miner. The logs are also modified and an entry with the name Windows Host Service is added.


Finally it adds a backdoor account for future access. The backdoor account has the username "Default" and a password of "@ fg125kjnhn987".

 

How to test if you SQL Server is infected?

You should scan our SQL Servers for the presence of the Default/@fg125kjnhn987 backdoor account.

With the T-SQL command below you can test if you have an user called ‘Default’

 

       

SELECT

      [name],

      [type_desc],

      is_disabled,

      create_date,

      modify_date

FROM sys.server_principals

ORDER BY modify_date desc

In case you find a system with this account configured you should call a system administrator or an SQL Server Expert.

 

That's all for Today!
Luca











Previous post: SQL Server // Do you want to lean how to pivot data in 5 minute?

 

 

 

 

 

Comments

  1. UnknownDecember 4, 2020 at 6:36 PM

    Thank you so much for your valuable blog. Can you please guide what's the next step to resole this issue?

    ReplyDelete

Post a Comment

I Post più popolari

SQL Server, execution plan and the lazy spool (clearly explained)

Image
Hi Guys, Welcome back! In one of the last posts we talked about Table Spool . We had explained what Spool are for by telling the somewhat curious story of the halloween problem . Here we specifically talked about a type of spool called Eager Spool   You can look to the execution plan below where the eager Spool is used to avoid the halloween problem in classic query of the "salary increase".. i suggest Well, if the story of the eager spool intrigued you, today instead we will speak about another type of Spool, the Lazy Spool . The Lazy spool Let's take a small step back. So, what is a Spool operation?  As we have already understood a spool operation is simply a temporary storage of data . Data are read from a source table and stored inside a worktable in the Tempdb database . While an Eager Spool is used to prevent the Halloween problem, the Lazy Spool is instead used to store data that will later be needed again when running a query . So, when a Lazy spool is used?    I
Read more

SQL Server, datetime vs. datetime2

Image
Hi guys, This time, in this post we will speak about datetime and datetime2 datatypes. We will talk about the pros and cons. We will talk about all the differences between the two types of data. Write me in the comments which type of data do you prefer between the two. Enjoy the reading!     Datetime Vs. Datetime2 First of all, it must be said that the datatype datetime is certainly the best known native format for storing a date in SQL Server. However, Microsoft has also been introducing a new type of data for many years now, also used to manage dates. It is in fact from SQL server 2008 that it is present in datetime2 data type. This "new" type of data was born primarily to have higher accuracy . Let's in fact talk about ... precision ! Datetime Certainly the datetime data type is not very precise and certainly there are many cases in which its precision is simply not sufficient. Let's see it with an example. Open the SQL Management studio (SSMS) and write the fo
Read more

La clausola NOLOCK. Approfondiamo e facciamo chiarezza!

Image
Ehi ragazzi! La domanda è di quelle importanti! Siete pronti per scoprire tutto ma proprio tutto sulla clausola NOLOCK?   Se la riposta è si, allora seguitemi! Oggi ne spiegheremo il funzionamento in maniera approfondita. Faremo una introduzione al concetto di tipi di LOCK Ed infine vedremo come mai una SELECT ne può bloccare un'altra. Non vi nascondo che il motivo di questo articolo è fare chiarezza. Su questo argomento si sentono spesso affermazioni “curiose” ma tra le tante questa è la prima: “ uso la SELECT con l’opzione WITH(LOCK) così non blocco le altre tabelle ”.   Ma, è proprio vero quanto affermato? Beh oggi facciamo il punto!   Buona lettura!     La clausola NOLOCK Diciamo subito per iniziare che cos’è la NOLOCK. NOLOCK è il nome di una clausola che è possibile specificare all’interno di uno statement di tipo SELECT utilizzando la seguente sintassi: SELECT * FROM TABELLA WITH (NOLOCK) Si noti che non possiamo utilizzare questa cl
Read more