New MrbMiner malware has infected thousands of MSSQL databases

Time to look for these Indicators of Compromise (IoCs) in any MSSQL instances you might be running:

[…] In a report published earlier this month, Tencent Security has named this new malware gang MrbMiner, after one of the domains used by the group to host their malware.

The Chinese company says the botnet has exclusively spread by scanning the internet for MSSQL servers and then performing brute-force attacks by repeatedly trying the admin account with various weak passwords.

Once the attackers gained a foothold on a system, they downloaded an initial assm.exe file, which they used to establish a (re)boot persistence mechanism and to add a backdoor account for future access. Tencent says this account uses the username “Default” and a password of “@fg125kjnhn987.”
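The quoted report gives three things you can actually hunt for on a SQL Server: the backdoor login name, its password, and the brute-force pattern against the admin account. The following T-SQL is an added example, not code from the original article or from Tencent's report. It assumes you run it as a sysadmin (PWDCOMPARE needs CONTROL SERVER), that the full stop after the password in the quoted text is sentence punctuation and not part of the password, and, for the last query, that xp_cmdshell is a plausible way assm.exe was launched, which the article does not state.

```sql
-- Added example: hunting for the MrbMiner IoCs on a SQL Server instance.
-- Not from the original article or Tencent's report; assumptions are
-- marked in the comments below.

-- 1. The reported backdoor login "Default", plus any login created in the
--    last 30 days (in case the account was renamed).
SELECT p.name, p.type_desc, p.create_date, p.modify_date, p.is_disabled,
       IS_SRVROLEMEMBER('sysadmin', p.name) AS is_sysadmin
FROM sys.server_principals AS p
WHERE p.name = N'Default'
   OR (p.type_desc = N'SQL_LOGIN'
       AND p.create_date > DATEADD(day, -30, SYSDATETIME()));

-- 2. The reported password on ANY SQL login. PWDCOMPARE tests a clear-text
--    password against the stored hash, so a renamed backdoor account still
--    shows up. Requires CONTROL SERVER.
--    Assumption: the password is "@fg125kjnhn987" without a trailing ".".
SELECT l.name, l.create_date, l.modify_date
FROM sys.sql_logins AS l
WHERE PWDCOMPARE(N'@fg125kjnhn987', l.password_hash) = 1;

-- 3. Brute force against the admin account: failed 'sa' logins in the
--    current error log, grouped by client address. The first argument to
--    xp_readerrorlog selects the log (0 = current, 1 = previous, ...);
--    loop over older logs if your retention is short.
CREATE TABLE #errlog (LogDate datetime, ProcessInfo nvarchar(100), Text nvarchar(max));
INSERT INTO #errlog
    EXEC master.dbo.xp_readerrorlog 0, 1, N'Login failed for user ''sa''';

;WITH parsed AS (
    SELECT LogDate,
           -- '[CLIENT: ' is 9 characters; take everything up to the closing ']'
           SUBSTRING(Text,
                     CHARINDEX('[CLIENT: ', Text) + 9,
                     CHARINDEX(']', Text, CHARINDEX('[CLIENT: ', Text))
                       - CHARINDEX('[CLIENT: ', Text) - 9) AS client
    FROM #errlog
    WHERE CHARINDEX('[CLIENT: ', Text) > 0
)
SELECT client,
       COUNT(*)     AS failures,
       MIN(LogDate) AS first_seen,
       MAX(LogDate) AS last_seen
FROM parsed
GROUP BY client
HAVING COUNT(*) >= 20          -- threshold is a tuning choice, not an IoC
ORDER BY failures DESC;

DROP TABLE #errlog;

-- 4. Assumption (not stated in the article): if a SQL login ends up running
--    an executable such as assm.exe, xp_cmdshell is the usual route. If it is
--    enabled and you did not enable it, treat that as a finding.
SELECT name, value_in_use
FROM sys.configurations
WHERE name IN (N'xp_cmdshell', N'Ole Automation Procedures');
```

A hit on query 1 or 2 is a compromise, not a suspicion: the login name and password are attacker-chosen constants, so a match means someone ran the same tooling. Query 3 only tells you that you are being sprayed, which is true of most internet-exposed SQL Servers; what matters is whether a burst of failures for 'sa' from one client is followed by a success from the same address. The assm.exe file and the boot persistence it sets up are OS-level artifacts and will not appear in any of these views; check the host with your endpoint tooling as well.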


Original article here