Security Advisories & Alerts: MrbMiner

A threat actor is brute-forcing Internet-exposed Microsoft SQL Server (MSSQL) instances and, once in, installing a new crypto-mining malware dubbed MrbMiner.
According to security firm Tencent, the group has been active for the past few months, breaking into MSSQL servers to deploy the miner.
According to the researchers, the botnet spreads by scanning the Internet for exposed MSSQL servers and then brute-forcing the administrator (sa) account to gain access.
After the initial login, the attackers download a file named assm.exe, which they use to set up a (re)boot persistence mechanism and to add a backdoor account for future access. According to the researchers, this account has the username “Default” and the password “@fg125kjnhn987”.

The infection process ends with the host connecting to the command-and-control server and downloading a Monero (XMR) miner, which consumes the compromised server's CPU and GPU resources to mine XMR into wallets controlled by the attackers.

Tencent Security researchers say they have so far only seen MSSQL databases infected. However, they found that the MrbMiner C&C server contained malware versions designed to target Linux servers and ARM-based systems.

System administrators should check their MSSQL instances for a backdoor login with the credentials Default / @fg125kjnhn987. Any server where such a login is found should be treated as compromised: the miner's persistence mechanism survives reboots, and the rest of the network should be checked for the IOCs listed below and for signs of lateral movement.
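The following T-SQL triage queries are an added example, not part of the Tencent report or of the original advisory. They look for the backdoor login described above by name, test every SQL login against the reported password (in case the operator renamed the account), list server role memberships for the suspect login, and show recently created logins. The 30-day window and the extra configuration check at the end are assumptions for illustration rather than indicators from the report.

```sql
-- Added example (not from the Tencent report or the original advisory):
-- T-SQL triage for the MrbMiner backdoor login on a single MSSQL instance.
-- Assumes the queries run as a sysadmin; PWDCOMPARE requires CONTROL SERVER
-- permission on SQL Server 2012 and later.

-- 1. Look for the reported backdoor login by its published name.
SELECT name, type_desc, create_date, modify_date, is_disabled
FROM sys.server_principals
WHERE name = N'Default';

-- 2. Test every SQL login against the reported password. This catches the
--    case where the attacker reused the password under a different name.
SELECT name, create_date, modify_date
FROM sys.sql_logins
WHERE PWDCOMPARE(N'@fg125kjnhn987', password_hash) = 1;

-- 3. Server roles held by the suspect login, plus every sysadmin member,
--    so unexpected privileged accounts stand out.
SELECT r.name AS role_name, m.name AS member_name, m.create_date
FROM sys.server_role_members AS rm
JOIN sys.server_principals AS r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals AS m ON m.principal_id = rm.member_principal_id
WHERE m.name = N'Default' OR r.name = N'sysadmin'
ORDER BY r.name, m.create_date;

-- 4. Logins created recently (30 days is an assumed window; widen it to
--    cover the period the server has been exposed to the Internet).
SELECT name, type_desc, create_date
FROM sys.server_principals
WHERE type IN ('S', 'U', 'G')          -- SQL login, Windows login, Windows group
  AND create_date > DATEADD(day, -30, SYSDATETIME())
ORDER BY create_date DESC;

-- 5. General hardening check (not an indicator from the report): features
--    that let a SQL login execute OS commands or load code on the host.
SELECT name, value_in_use
FROM sys.configurations
WHERE name IN ('xp_cmdshell', 'clr enabled', 'Ole Automation Procedures');
```

If query 1 or 2 returns a row, collect evidence (login details, SQL Server error logs, and the files and scheduled tasks or services created around the login's create_date) before running DROP LOGIN, since the host has persistence beyond the database account and the miner's network indicators below should be checked across the whole environment.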

IOCs

IP
145.239.225.15
145.239.225.18

Domain

mrbfile.xyz
vihansoft.ir

C&C

vihansoft.ir:3341

URL

http[:]//mrbfile.xyz/Hostz.zip
http[:]//mrbfile.xyz/PowerShellInstaller.exe
http[:]//mrbfile.xyz/sql/SqlServer.dll
http[:]//mrbfile.xyz/Agentz.zip
http[:]//mrbfile.xyz/Agenty.zip
http[:]//mrbfile.xyz/sql/syslib.dll
http[:]//mrbfile.xyz/sys.dll
http[:]//mrbfile.xyz/35/sys.dll
http[:]//mrbfile.xyz/Hosty.zip
http[:]//vihansoft.ir/sys.dll
https[:]//vihansoft.ir/Sys.dll
http[:]//vihansoft.ir/Agentx.zip
https[:]//vihansoft.ir/d.zip
http[:]//vihansoft.ir/k.exe
http[:]//vihansoft.ir/d.zip
https[:]//vihansoft.ir/Hostx.zip
http[:]//vihansoft.ir/p.zip
https[:]//vihansoft.ir/k.exe
https[:]//vihansoft.ir/Agentx.zip
https[:]//vihansoft.ir/vhost.tar.gz
https[:]//vihansoft.ir/P.zip
https[:]//github.com/farzadbehdad/poiuytrewq/blob/master/Sys.dll?raw=true
https[:]//vihanSoft.ir/Agent.zip
https[:]//vihanSoft.ir/host.zip
ftp[:]//145.239.225.15/armv.tar.gz
ftp[:]//145.239.225.15/linux-os.tar.gz
ftp[:]//145.239.225.15/linuxservice.tar.gz
ftp[:]//145.239.225.15/osx.tar.gz
ftp[:]//145.239.225.15/vhost.tar.gz
ftp[:]//145.239.225.15/xmr.tar.gz
ftp[:]//145.239.225.15/arm.tar.gz

MD5

c79d08c7a122f208edefdc3bea807d64
6bcc710ba30f233000dcf6e0df2b4e91
ac72e18ad3d55592340d7b6c90732a2e
6c929565185c42e2e635a09e7e18fcc8
04612ddd71bb11069dd804048ef63ebf
68206d23f963e61814e9a0bd18a6ceaa
a5adecd40a98d67027af348b1eee4c45
c417197bcd1de05c8f6fcdbfeb6028eb
76c266d1b1406e8a5e45cfe279d5da6a
605b858b0b16d4952b2a24af3f9e8c8e
c3b16228717983e1548570848d51a23b
c10b1c31cf7f1fcf1aa7c79a5529381c
391694fe38d9fb229e158d2731c8ad7c
5d457156ea13de71c4eca7c46207890d
f1cd388489270031e659c89233f78ce9
54b14b1aa92f8c7e33a1fa75dc9ba63d
f9e91a21d4f400957a8ae7776954bd17
61a17390c68ec9e745339c1287206fdb
f13540e6e874b759cc3b51b531149003
2915f1f58ea658172472b011667053df
3cb03c04a402a57ef7bb61c899577ba4
f2d0b646b96cba582d53b788a32f6db2
5eaa3c2b187a4fa71718be57b0e704c9
8cf543527e0af3b0ec11f4a5b5970810
36254048a516eda1a13fab81b6123119
0a8aac558c77f9f49b64818d7ab12000
59beb43a9319cbc2b3f3c59303989111
ce8fdec586e258ef340428025e4e44fa
e4284f80b9066adc55079e8e564f448c
2f402cde33437d335f312a98b366c3c8
25a579dcc0cd6a70a56c7a4a0b8a1198
2d1159d7dc145192e55cd05a13408e9b
2dd8a0213893a26f69e6ae56d2b58d9d
0d8838116a25b6987bf83214c1058aad
0c883e5bbbbb01c4b32121cfa876d9d6
2d26ecc1fdcdad62e608a9de2542a1a6
27c91887f44bd92fb5538bc249d0e024
96b0f85c37c1523f054c269131755808
028f24eb796b1bb20b85c7c708efa497

Monero wallets
49Bmp3SfddJRRGNW7GhHyAA2JgcYmZ4EGEix6p3eMNFCd15P2VsK9BHWcZWUNYF3nhf17MoRTRK4j5b7FUMA9zanSn9D3Nk
498s2XeKWYSEhQHGxdMULWdrpaKvSkDsq4855mCuksNL6ez2dk4mMQm8epbr9xvn5LgLPzD5uL9EGeRqWUdEZha1HmZqcyh
