MrbMiner Crypto-Mining Malware Links to Iranian Software Company

A relatively new crypto-mining malware that surfaced last year and infected thousands of Microsoft SQL Server (MSSQL) databases has now been linked to a small software development company based in Iran.

The attribution was made possible due to an operational security oversight, said researchers from cybersecurity firm Sophos, that led to the company’s name inadvertently making its way into the cryptominer code.

First documented by Chinese tech giant Tencent last September, MrbMiner was found to target internet-facing MSSQL servers with the goal of installing a cryptominer, which hijacks the processing power of the systems to mine Monero and funnel them into accounts controlled by the attackers.

The name “MrbMiner” comes after one of the domains used by the group to host their malicious mining software.

“In many ways, MrbMiner’s operations appear typical of most cryptominer attacks we’ve seen targeting internet-facing servers,” said Gabor Szappanos, threat research director at SophosLabs.

“The difference here is that the attacker appears to have thrown caution to the wind when it comes to concealing their identity. Many of the records relating to the miner’s configuration, its domains and IP addresses, signpost to a single point of origin: a small software company based in Iran.”

MrbMiner sets about its task by carrying out brute-force attacks against the MSSQL server’s admin account with various combinations of weak passwords.

Upon gaining access, a Trojan called “assm.exe” is downloaded to establish persistence, add a backdoor account for future access (username: Default, password: @fg125kjnhn987), and retrieve the Monero (XMR) cryptocurrency miner payload that’s run on the targeted server.

Now according to Sophos, these payloads — called by various names such as sys.dll, agentx.dll, and hostx.dll, were deliberately-misnamed ZIP files, each of which contained the miner binary and a configuration file, among others.

Cryptojacking attacks are typically harder to attribute given their anonymous nature, but with MrbMiner, it appears that the attackers made the mistake of hardcoding the payload location and the command-and-control (C2) address into the downloader.

One of the domains in question, “vihansoft[.]ir,” was not only registered to the Iranian software development company but the compiled miner binary included in the payload left telltale signs that connected the malware to a now-shuttered GitHub account that was used to host it.

While database servers, owing to their powerful processing capabilities, are a lucrative target for cybercriminals looking to distribute cryptocurrency miners, the development adds to growing concerns that heavily-sanctioned countries like North Korea and Iran are using cryptocurrency as a means to evade penalties designed to isolate them and to facilitate illicit activities.

“Cryptojacking is a silent and invisible threat that is easy to implement and very difficult to detect,” Szappanos said. “Further, once a system has been compromised it presents an open door for other threats, such as ransomware.”

“It is therefore important to stop cryptojacking in its tracks. Look out for signs such as a reduction in computer speed and performance, increased electricity use, devices overheating and increased demands on the CPU.”