MrbMiner Crypto-Mining Malware Links to Iranian Software Company

A relatively new crypto-mining malware that surfaced last year and infected thousands of Microsoft SQL Server (MSSQL) databases has now been linked to a small software development company based in Iran.

The attribution was made possible due to an operational security oversight, said researchers from cybersecurity firm Sophos, that led to the company’s name inadvertently making its way into the crypto-miner code.

First documented by Chinese tech giant Tencent last September, MrbMiner was found to target internet-facing MSSQL servers with the goal of installing a crypto miner, which hijacks the processing power of the systems to mine Monero and funnel them into accounts controlled by the attackers.

The name “MrbMiner” comes after one of the domains used by the group to host their malicious mining software.

“In many ways, MrbMiner’s operations appear typical of most cryptominer attacks we’ve seen targeting internet-facing servers,” said Gabor Szappanos, threat research director at SophosLabs.

“The difference here is that the attacker appears to have thrown caution to the wind when it comes to concealing their identity. Many of the records relating to the miner’s configuration, its domains and IP addresses, signpost to a single point of origin: a small software company based in Iran.”

MrbMiner sets about its task by carrying out brute-force attacks against the MSSQL server’s admin account with various combinations of weak passwords.

crypto miner malware

Upon gaining access, a Trojan called “assm.exe” is downloaded to establish persistence, add a backdoor account for future access (username: Default, password: @fg125kjnhn987), and retrieve the Monero (XMR) cryptocurrency miner payload that’s run the targeted server.

Now according to Sophos, these payloads — called by various names such as sys.dll, agentx.dll, and hostx.dll, were deliberately-misnamed ZIP files, each of which contained the miner binary and a configuration file, among others.

Cryptojacking attacks are typically harder to attribute given their anonymous nature, but with MrbMiner, it appears that the attackers made the mistake of hardcoding the payload location and the command-and-control (C2) address into the downloader.

One of the domains in question, “vihansoft[.]ir,” was not only registered to the Iranian software development company but the compiled miner binary included in the payload left telltale signs that connected the malware to a now-shuttered GitHub account that was used to host it.

While database servers, owing to their powerful processing capabilities, are a lucrative target for cybercriminals looking to distribute cryptocurrency miners, the development adds to growing concerns that heavily-sanctioned countries like North Korea and Iran are using cryptocurrency as a means to evade penalties designed to isolate them and to facilitate illicit activities.

“Cryptojacking is a silent and invisible threat that is easy to implement and very difficult to detect,” Szappanos said. “Further, once a system has been compromised it presents an open door for other threats, such as ransomware.”

“It is therefore important to stop cryptojacking in its tracks. Look out for signs such as a reduction in computer speed and performance, increased electricity use, devices overheating and increased demands on the CPU.”

Source link

Latest articles

Amazon Dismisses Claims Alexa ‘Skills’ Can Bypass Security Vetting Process

Researchers found a number of privacy and security issues in Amazon's Alexa skill vetting process, which could lead to attackers stealing data or...

The hidden business costs of working remotely

The benefits of working remotely are numerous, but studies are finding there are significant hidden...

HYAS Raises $16 Million to Hunt Adversary Infrastructure

HYAS, a Victoria, Canada-based provider of threat intelligence based on adversary infrastructure, announced this week that it has closed a $16 million Series...

Stalkerware Volumes Remain Concerningly High, Despite Bans

COVID-19 impacted volumes for the year, but the U.S. moved into third place on the list of countries most infected by stalkerware. Source link...

Related articles

Leave a reply

Please enter your comment!
Please enter your name here