
Microsoft SQL Hit by Crypto Mining Malware Perpetrated by New Hacking Group

Microsoft SQL servers have been targeted by a new group that places malware to install a Monero mining tool onto systems.


Microsoft SQL servers (MSSQL) have been the target of a new malware gang in recent months. According to security researchers, the group has found success hacking servers and installing crypto miners on victim systems.

Tencent Security points out that thousands of Microsoft SQL servers have been compromised. Researchers from the security division of the Chinese tech giant say they call the previously unknown hacking group MrbMiner, in reference to a domain the group uses in some malware attacks.

MrbMiner has been able to spread the botnet by finding Microsoft SQL servers online and hitting them with brute-force attacks. This method consists of bombarding admin accounts with passwords in the hope some servers have weak passwords.

Considering the rate of infection, the method is working. Once the bad actors gain access to a server, they download an assm.exe file. With this file, they can create a boot persistence tool that allows backdoor entry into the account.

With access available, attackers can finalize the malware to download a mining app that mines the Monero (XMR) cryptocurrency. The mining tool functions by compromising the resources of local servers to mine coins and send them to the hackers.


Tencent Security points out that infections have been observed on MSSQL servers, but the MrbMiner malware was also found on Linux servers and ARM systems. Looking at the Linux variant of the malware, the company found a Monero wallet.

While these attacks are obviously problematic, there are a couple of things MSSQL hosts can do. Firstly, ensuring the server is protected by a legitimately strong password will likely thwart any attacks from MrbMiner. To check if a system is compromised, scan the server for the Default/@fg125kjnhn987 backdoor account. If this is found, full network audits are necessary to stop the infection.
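One way to run both checks from inside SQL Server, as an added example that is not from the article or from Tencent Security. It assumes the backdoor account is a server-level login and that the queries are run by a sysadmin; the role and policy checks go beyond the article's two steps.

```sql
-- Added example: audit server logins for the indicators described above.
-- Assumption: the backdoor account is a server-level login; run as sysadmin.

-- 1. Any login named 'Default', whether SQL-authenticated or Windows-based.
SELECT name, type_desc, is_disabled, create_date, modify_date
FROM sys.server_principals
WHERE name = N'Default' OR name LIKE N'%\Default';

-- 2. SQL logins whose stored hash matches the reported backdoor password,
--    a blank password, or a password equal to the login name.
--    PWDCOMPARE hashes the candidate and compares it to password_hash.
SELECT name, create_date, is_disabled,
       CASE
         WHEN PWDCOMPARE(N'@fg125kjnhn987', password_hash) = 1
              THEN 'reported backdoor password'
         WHEN PWDCOMPARE(N'', password_hash) = 1
              THEN 'blank password'
         WHEN PWDCOMPARE(name, password_hash) = 1
              THEN 'password equals login name'
       END AS finding
FROM sys.sql_logins
WHERE PWDCOMPARE(N'@fg125kjnhn987', password_hash) = 1
   OR PWDCOMPARE(N'', password_hash) = 1
   OR PWDCOMPARE(name, password_hash) = 1;

-- 3. Members of the sysadmin role: review any entry you do not recognise,
--    paying attention to recent create_date values.
SELECT p.name, p.type_desc, p.create_date
FROM sys.server_role_members AS rm
JOIN sys.server_principals AS r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals AS p ON p.principal_id = rm.member_principal_id
WHERE r.name = N'sysadmin'
ORDER BY p.create_date DESC;

-- 4. Enabled SQL logins exempt from the Windows password policy, which
--    leaves them without complexity or lockout protection against guessing.
SELECT name, is_policy_checked, is_expiration_checked
FROM sys.sql_logins
WHERE is_policy_checked = 0 AND is_disabled = 0;
```

Rows from query 1 or 2 match the indicator the article describes; rows from query 4 are hardening candidates rather than signs of compromise.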

Luke Jones
Luke has been writing about all things tech for more than five years. He is following Microsoft closely to bring you the latest news about Windows, Office, Azure, Skype, HoloLens and all the rest of their products.
