|Type of Malware||Cryptominer|
|Date of Initial Activity||2020|
|Attack Vectors||Spread by scanning the internet for MSSQL servers|
It targets MSSQL databases and implants cryptomining modules on target machines. Tencent Security says that while they saw only infections on MSSQL servers, the MrbMiner C&C server also contained versions of the group’s malware written to target Linux servers and ARM-based systems.
Microsoft SQL Servers (MSSQL).
Tools/ Techniques Used
MrbMiner is a trojan that is hacked through a SQL Server server with a weak password, and released the Trojan assm .exe written in C# language on the target system, and further communicated with the C2 server through the Trojan. Then download the Monero mining Trojan and maintain the mining process. Mining Trojan files are extracted by ZIP and disguised as various Windows system services.
Since the mining Trojan’s C2 address, mining pool account and file information all contain the characteristic character “MRB”, Tencent’s Security Threat Intelligence Center named it “MrbMiner”.
After the MrbMiner intrusion, it will release two other downloader installerservice.exe, PowerShellInstaller.exe, the downloader will install the mining Trojan as a system service to achieve persistent operation, and will collect the trick system information (including CPU model, number of CPUs, .NET version information), disable the Windows upgrade service, and add a backdoor account in the Windows system to facilitate the continuation of intrusion control.
The MrbMiner Trojan carefully hides itself from being discovered by administrators. The Trojan monitors the Task Manager process, and when the user starts the Task Manager process to view the system, the mining process immediately exits and deletes the relevant files.
Tencent security experts also found mining Trojan files based on Linux systems and ARM systems on the FTP server of the MrbMiner mining Trojan, speculating that MrbMiner has cross-platform attack capabilities.