SQL Server Malware, MrbMiner, Revealed to be Iranian-Based
First discovered in September 2020, the MrbMiner campaign downloads and installs a cryptocurrency miner on thousands of SQL servers. Sophos researchers have now traced the origin of the campaign to what they claim is a small software development company based inside Iran.
“The name of an Iran-based software company was hardcoded into the miner’s main configuration file,” said researchers with Sophos in a Thursday analysis. “This domain is connected to many other zip files also containing copies of the miner. These zip files have in turn been downloaded from other domains, one of which is mrbftp.xyz.”
Unfortunately, researchers say, their investigation has not revealed how the malware gains a foothold on the internet-facing database servers, but it is likely that MrbMiner uses techniques similar to those of the MyKings SQL-attacking botnet or the Lemon_Duck cryptocurrency botnet. Both botnets prey on various unpatched vulnerabilities in systems, with some additional infection-vector tricks up their sleeve (including remote desktop protocol password brute-forcing in the case of Lemon_Duck).
Once downloaded onto the system, the crypto miner payload and configuration files are unpacked. The Microsoft SQL Server process (sqlservr.exe) first launches a file called assm.exe, a trojan that serves as a downloader. Assm.exe then fetches the crypto miner payload from a web server and connects to its command-and-control (C2) server to report the successful download and execution of the miner.
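The process chain described above (sqlservr.exe spawning assm.exe) is a useful detection hook for defenders. The rule below is an added example, not code from the Sophos analysis; the allow-list of expected SQL Server child processes, the list of user-writable directories, and the Sysmon-style sample events are constructed assumptions for illustration and should be tuned to your own estate.

```python
import ntpath

# Children that SQL Server legitimately spawns in normal operation (assumption: tune per estate).
EXPECTED_SQLSERVER_CHILDREN = {"conhost.exe", "sqldumper.exe", "fdhost.exe", "fdlauncher.exe"}

# Directories a dropped downloader is commonly written to (assumption).
WRITABLE_DIRS = ("\\windows\\temp\\", "\\programdata\\", "\\users\\", "\\temp\\")

# Constructed sample process-creation records in a Sysmon Event ID 1 style; not real telemetry.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Program Files\Microsoft SQL Server\MSSQL15.MSSQLSERVER\MSSQL\Binn\sqlservr.exe",
     "Image": r"C:\Windows\Temp\assm.exe", "CommandLine": "assm.exe"},
    {"ParentImage": r"C:\Program Files\Microsoft SQL Server\MSSQL15.MSSQLSERVER\MSSQL\Binn\sqlservr.exe",
     "Image": r"C:\Program Files\Microsoft SQL Server\150\Shared\SqlDumper.exe", "CommandLine": "SqlDumper.exe"},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\Temp\assm.exe", "CommandLine": "assm.exe"},
    {"ParentImage": r"C:\Program Files\Microsoft SQL Server\MSSQL15.MSSQLSERVER\MSSQL\Binn\sqlservr.exe",
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe"},
]


def _basename(path):
    # ntpath handles Windows separators regardless of the host OS the rule runs on.
    return ntpath.basename(path).lower()


def classify(event):
    """Return a reason string when sqlservr.exe spawns an unexpected child, else None."""
    if _basename(event["ParentImage"]) != "sqlservr.exe":
        return None
    child = _basename(event["Image"])
    if child in EXPECTED_SQLSERVER_CHILDREN:
        return None
    if any(d in event["Image"].lower() for d in WRITABLE_DIRS):
        return f"sqlservr.exe spawned {child} from a user-writable directory"
    return f"sqlservr.exe spawned unexpected child {child}"


def flag_suspicious_children(events):
    """Run the rule over a batch of events; returns (index, reason) pairs for every hit."""
    hits = []
    for i, ev in enumerate(events):
        reason = classify(ev)
        if reason:
            hits.append((i, reason))
    return hits
```

Against the sample batch the rule flags the assm.exe drop from a temp directory and the unexpected cmd.exe child, while leaving the legitimate SqlDumper.exe child and the non-SQL-Server parent alone.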
Researchers discovered dozens of records relating to the miner's configuration, its domains and its IP addresses that pointed to a single point of origin: a small software company based in Iran, which has so far not been named. For instance, one giveaway was that the server used to host the payloads for the campaign also hosted a domain (vihansoft.ir) whose website is tied to the software company.
Most attackers tend to remain hidden for as long as possible, but this doesn’t seem to be the case for the operators behind the MrbMiner campaign.