MrbMiner (Cryptominer) – Malware

June 12, 2023
Name: MrbMiner
Type of Malware: Cryptominer
Date of Initial Activity: 2020
Motivation: Cryptojacking
Attack Vectors: Spread by scanning the internet for MSSQL servers
Targeted System: Windows

Overview

MrbMiner targets MSSQL databases and implants cryptomining modules on target machines. Tencent Security says that while they saw infections only on MSSQL servers, the MrbMiner C&C server also contained versions of the group’s malware written to target Linux servers and ARM-based systems.

Targets

Microsoft SQL Servers (MSSQL).

Tools/Techniques Used

MrbMiner gets in by compromising SQL Server instances that are protected by weak passwords. It then drops the Trojan assm.exe, written in C#, on the target system. This Trojan communicates with the C2 server, downloads the Monero mining Trojan and keeps the mining process running. The mining Trojan files are extracted from a ZIP archive and disguised as various Windows system services.

Since the mining Trojan’s C2 address, mining pool account and file information all contain the characteristic string “MRB”, Tencent’s Security Threat Intelligence Center named it “MrbMiner”.

After the intrusion, MrbMiner drops two further downloaders, installerservice.exe and PowerShellInstaller.exe. The downloaders install the mining Trojan as a system service so that it runs persistently, collect information about the compromised system (including CPU model, number of CPUs and .NET version), disable the Windows update service, and add a backdoor account to the Windows system so that the attackers can keep control of the host.

The MrbMiner Trojan takes care to avoid discovery by administrators. It monitors for the Task Manager process, and when a user starts Task Manager to inspect the system, the mining process immediately exits and deletes the relevant files.

Tencent security experts also found mining Trojan files built for Linux and ARM systems on the FTP server used by the MrbMiner mining Trojan, leading them to speculate that MrbMiner has cross-platform attack capabilities.
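The post-intrusion behaviours described above (a service installed from one of the named droppers, the Windows update service disabled, a new account created) are individually noisy but telling in combination. The following triage sketch is an added example, not code from Tencent or from this page; the event records are constructed and simplified, and mapping the "Windows upgrade service" to the wuauserv service is an assumption.

```python
# Added example: triage of simplified Windows events for the MrbMiner
# post-intrusion behaviours described above. Event records are constructed.
from collections import defaultdict

# File names taken from this page; matched on basename, case-insensitively.
DROPPED_NAMES = {"assm.exe", "installerservice.exe", "powershellinstaller.exe"}

# Constructed sample events (simplified fields, not a raw EVTX export).
# 7045 = service installed, 7040 = service start type changed,
# 4720 = user account created.
EVENTS = [
    {"host": "sql01", "id": 7045, "service": "Windows Host Service",
     "image": r"C:\ProgramData\installerservice.exe"},
    {"host": "sql01", "id": 7040, "service": "wuauserv", "start_type": "disabled"},
    {"host": "sql01", "id": 4720, "account": "svc_default"},
    {"host": "sql02", "id": 7045, "service": "SQL Backup Agent",
     "image": r"C:\Program Files\Vendor\backup.exe"},
    {"host": "sql02", "id": 4720, "account": "new_dba"},
]

def basename(path):
    # Handle Windows paths regardless of the OS running this script.
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def classify(event):
    """Return the behaviour label an event maps to, or None."""
    if event["id"] == 7045 and basename(event.get("image", "")) in DROPPED_NAMES:
        return "service_from_known_dropper"
    # Assumption: the "Windows upgrade service" on this page is wuauserv.
    if (event["id"] == 7040 and event.get("service", "").lower() == "wuauserv"
            and event.get("start_type") == "disabled"):
        return "windows_update_disabled"
    if event["id"] == 4720:
        return "local_account_created"
    return None

def triage(events, threshold=2):
    """Group behaviours per host; flag hosts showing >= threshold distinct ones."""
    seen = defaultdict(set)
    for ev in events:
        label = classify(ev)
        if label:
            seen[ev["host"]].add(label)
    return {h: sorted(b) for h, b in seen.items() if len(b) >= threshold}

if __name__ == "__main__":
    for host, behaviours in triage(EVENTS).items():
        print(host, "->", ", ".join(behaviours))
```

Because the miner disguises itself as Windows services and file names are trivially changed, the file-name match is the weakest signal here; the threshold on distinct behaviours per host is what keeps a lone account creation on sql02 from being flagged.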

 

References

  1. MrbMiner: Cryptojacking to bypass international sanctions
  2. MRBMiner malware: What it is, how it works and how to prevent it | Malware spotlight
  3. New MrbMiner malware has infected thousands of MSSQL databases
  4. Tencent – MrbMiner