Sophos: Crypto-Jacking Campaign Linked to Iranian Company
An Iran-based software company is likely behind a recently identified crypto-jacking campaign targeting SQL servers, according to a report by British anti-malware vendor Sophos.
The attacks result in the MrbMiner crypto-miner being installed onto the target servers, with the software apparently created, controlled, and hosted by a named Iranian company.
The Sophos researchers note that they couldn’t determine exactly how the infected database servers were compromised, but believe that the same techniques used in separate attacks featuring the Kingminer, Lemon_Duck, or MyKings miners might have been employed.
If so, the attackers might have attempted to brute-force SQL servers and then load malicious components using SQL command scripts, or they might have relied on exploits for the EternalBlue vulnerability for lateral movement.
On the infected servers, the SQL Server (sqlservr.exe) process was observed launching a file called assm.exe, which turns out to be a downloader Trojan designed to fetch the crypto-miner payload from a web server and report the successful download and execution to the command-and-control (C&C).
The payload was designed to target Windows systems, but the security researchers also identified a Linux build of the crypto-miner on some of the analyzed servers. The two used different crypto-currency wallet addresses.
The MrbMiner malware features a kernel-level device driver publicly available on GitHub (WinRing0x64.sys), along with a miner executable (Windows Update Service.exe), which is a modified version of the XMRig miner.
Analysis of the vihansoft.ir domain that was found hardcoded within MrbMiner samples revealed the use of various naming schemes for the malicious payload and its components, including the use of several other domains.
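As an added illustration of the process lineage and component names described above (example code written here, not from Sophos or the report): a Python detection pass over constructed Sysmon-style process-creation events that flags sqlservr.exe spawning unexpected children, the component file names the report gives, and command lines referencing the payload-hosting domains. The allowlist of legitimate sqlservr.exe child processes and the sample telemetry are assumptions.

```python
# Added example (not Sophos code): detection pass over constructed Sysmon-style events.
from typing import Dict, List

# Component names and payload-hosting domains named in the report.
KNOWN_COMPONENTS = {"assm.exe", "windows update service.exe", "winring0x64.sys"}
PAYLOAD_DOMAINS = {"vihansoft.ir", "mrbfile.xyz", "mrbftp.xyz"}
# Assumption: sqlservr.exe may legitimately launch these; anything else is suspect.
SQL_CHILD_ALLOWLIST = {"conhost.exe", "sqldumper.exe"}


def basename(path: str) -> str:
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def analyze(event: Dict[str, str]) -> List[str]:
    """Return the reasons an event resembles MrbMiner activity (empty if none)."""
    parent = basename(event.get("ParentImage", ""))
    image = basename(event.get("Image", ""))
    cmdline = event.get("CommandLine", "").lower()
    reasons = []
    # The report's key observation: the database engine spawning a downloader.
    if parent == "sqlservr.exe" and image not in SQL_CHILD_ALLOWLIST:
        reasons.append(f"sqlservr.exe spawned {image}")
    if image in KNOWN_COMPONENTS:
        reasons.append(f"known MrbMiner component name: {image}")
    for domain in PAYLOAD_DOMAINS:
        if domain in cmdline:
            reasons.append(f"command line references payload host {domain}")
    return reasons


def scan(events: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Keep only events with at least one hit, with their reasons attached."""
    hits = []
    for event in events:
        reasons = analyze(event)
        if reasons:
            hits.append({"image": event["Image"], "reasons": reasons})
    return hits


# Constructed sample telemetry (not real logs): one infection chain plus benign noise.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe",
     "Image": r"C:\Windows\Temp\assm.exe",
     "CommandLine": "assm.exe http://vihansoft.ir/PLACEHOLDER"},
    {"ParentImage": r"C:\Windows\Temp\assm.exe",
     "Image": r"C:\Windows\Temp\Windows Update Service.exe",
     "CommandLine": '"Windows Update Service.exe"'},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\notepad.exe", "CommandLine": "notepad.exe"},
]
```

Running `scan(SAMPLE_EVENTS)` returns the two events of the infection chain with their reasons and drops the notepad event.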
Overall, the attacks resembled previously observed crypto-jacking campaigns targeting Internet-facing servers, but lacked the level of obfuscation seen before. That lack of obfuscation meant the analysis of the miner’s configuration and of the IP addresses and domains it used led directly to a software company based in Iran.
Typically, attackers abuse compromised web domains belonging to legitimate businesses to host malicious payloads, but in this case the domain’s owner was found to be involved in the spreading of the malware.
“We found the miner downloads in the web root of the vihansoft domain, in a repository under a now-shuttered Github user account, and on the mrbfile.xyz and mrbftp.xyz domains, as well as on a small number of IP addresses,” Sophos notes.
The same username used for the GitHub account was present on the machine on which the crypto-miner binaries were compiled, clearly establishing a connection between the two.