
Data Protection

Sophos: Crypto-Jacking Campaign Linked to Iranian Company

An Iran-based software company is likely behind a recently identified crypto-jacking campaign targeting SQL servers, according to a report by British anti-malware vendor Sophos.

The attacks result in the MrbMiner crypto-miner being installed onto the target servers, with the software apparently created, controlled, and hosted by a named Iranian company.

The Sophos researchers note that they could not determine exactly how the infected database servers were compromised, but believe the attackers may have used the same techniques seen in separate attacks featuring the Kingminer, Lemon_Duck, or MyKings miners.

If so, the attackers might have brute-forced logins to Internet-facing SQL servers and then loaded malicious components using SQL command scripts, or they might have relied on the EternalBlue SMB exploit for lateral movement.

On the infected servers, the SQL Server process (sqlservr.exe) was observed launching a file called assm.exe, a downloader Trojan designed to fetch the crypto-miner payload from a web server and report the successful download and execution to the command-and-control (C&C) server.

The payload was designed to target Windows systems, but the security researchers also identified a Linux build of the crypto-miner on some of the analyzed servers. The two used different crypto-currency wallet addresses.

The MrbMiner malware features a kernel-level device driver publicly available on GitHub (WinRing0x64.sys), along with a miner executable (Windows Update Service.exe), which is a modified version of the XMRig miner.
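The process chain and file names described above (sqlservr.exe launching assm.exe, the renamed XMRig binary, and the WinRing0x64.sys driver) translate directly into detection logic for Windows process and driver telemetry. The following is an added example, not code from Sophos or from the SecurityWeek article: it runs a few rules over Sysmon-style JSON events (EventID 1 for process creation, EventID 6 for driver load). The event shape, file paths, the sample events, and the list of shells and download utilities are constructed assumptions for the example; only the MrbMiner file names come from the article. Components loaded via SQL command scripts are assumed here to surface as a child process of sqlservr.exe.

```python
"""Flag MrbMiner-style activity in Sysmon-like process and driver telemetry.

Added example (not from the Sophos report or the SecurityWeek article).
Event field names follow Sysmon conventions (EventID 1 = process creation,
EventID 6 = driver load); the sample events below are constructed.
"""
import json
import ntpath
from collections import namedtuple

Finding = namedtuple("Finding", "severity rule detail")

# File names the article attributes to MrbMiner. Matching is on the bare file
# name because the campaign used several naming schemes and hosting locations.
MRBMINER_FILE_NAMES = {"assm.exe", "windows update service.exe"}
MRBMINER_DRIVER = "winring0x64.sys"

# Shells and download utilities a database engine has no business spawning.
# This list is an assumption for the example, not taken from the report.
SHELLS_AND_DOWNLOADERS = {"cmd.exe", "powershell.exe", "certutil.exe",
                          "bitsadmin.exe", "mshta.exe", "wscript.exe"}


def basename_lower(path):
    """Case-insensitive file name of a Windows path (works on any host OS)."""
    return ntpath.basename(path).lower()


def classify(event):
    """Return a Finding for one parsed event, or None if it looks benign."""
    event_id = event.get("EventID")

    if event_id == 6:
        driver = event.get("ImageLoaded", "")
        if basename_lower(driver) == MRBMINER_DRIVER:
            # WinRing0 is an open-source driver that some legitimate
            # hardware-monitoring tools also ship, so a load is only a
            # medium signal on its own; correlate it with the rules below.
            return Finding("medium", "winring0_driver_load",
                           f"driver loaded from {driver}")
        return None

    if event_id != 1:
        return None

    parent = basename_lower(event.get("ParentImage", ""))
    image_path = event.get("Image", "")
    image = basename_lower(image_path)

    if image in MRBMINER_FILE_NAMES:
        return Finding("high", "mrbminer_file_name",
                       f"{parent} started {image_path}")
    if parent == "sqlservr.exe":
        # Components loaded via SQL command scripts are assumed to appear
        # as a child process of the database engine.
        if image in SHELLS_AND_DOWNLOADERS:
            return Finding("high", "sqlserver_spawned_shell",
                           f"sqlservr.exe started {image_path}: "
                           f"{event.get('CommandLine', '')}")
        return Finding("medium", "sqlserver_spawned_child",
                       f"sqlservr.exe started {image_path}")
    return None


def scan(jsonl_text):
    """Run classify() over newline-delimited JSON events; keep only hits."""
    findings = []
    for line in jsonl_text.splitlines():
        line = line.strip()
        if not line:
            continue
        finding = classify(json.loads(line))
        if finding is not None:
            findings.append(finding)
    return findings


def count_by_severity(findings):
    """Tally findings per severity, e.g. {"high": 3, "medium": 2}."""
    counts = {}
    for f in findings:
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts


# Constructed sample telemetry; paths and command lines are illustrative only.
SAMPLE_EVENTS = r'''
{"EventID": 1, "ParentImage": "C:\\Windows\\System32\\services.exe", "Image": "C:\\Program Files\\Microsoft SQL Server\\MSSQL15.MSSQLSERVER\\MSSQL\\Binn\\sqlservr.exe", "CommandLine": "sqlservr.exe -sMSSQLSERVER"}
{"EventID": 1, "ParentImage": "C:\\Program Files\\Microsoft SQL Server\\MSSQL15.MSSQLSERVER\\MSSQL\\Binn\\sqlservr.exe", "Image": "C:\\Windows\\Temp\\assm.exe", "CommandLine": "assm.exe"}
{"EventID": 1, "ParentImage": "C:\\Program Files\\Microsoft SQL Server\\MSSQL15.MSSQLSERVER\\MSSQL\\Binn\\sqlservr.exe", "Image": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "cmd.exe /c whoami"}
{"EventID": 1, "ParentImage": "C:\\Windows\\explorer.exe", "Image": "C:\\Windows\\System32\\notepad.exe", "CommandLine": "notepad.exe"}
{"EventID": 6, "ImageLoaded": "C:\\Windows\\Temp\\WinRing0x64.sys", "Signed": "true"}
{"EventID": 1, "ParentImage": "C:\\Windows\\System32\\services.exe", "Image": "C:\\ProgramData\\Windows Update Service.exe", "CommandLine": "\"Windows Update Service.exe\""}
{"EventID": 1, "ParentImage": "C:\\Program Files\\Microsoft SQL Server\\MSSQL15.MSSQLSERVER\\MSSQL\\Binn\\sqlservr.exe", "Image": "C:\\Program Files\\Microsoft SQL Server\\150\\Shared\\SQLDumper.exe", "CommandLine": "SQLDumper.exe"}
'''

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"[{f.severity:6}] {f.rule}: {f.detail}")
```

The three tiers matter in practice: a known MrbMiner file name or a shell under sqlservr.exe is worth an immediate look, while a driver load of WinRing0x64.sys or an unfamiliar child of sqlservr.exe (the constructed SQLDumper.exe event is a reminder that some children are legitimate) should be triaged against what else the host did around the same time.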

Analysis of the vihansoft.ir domain, which was found hardcoded in MrbMiner samples, revealed various naming schemes for the malicious payload and its components, as well as several other domains used to host them.

Overall, the attacks resembled previously observed crypto-jacking campaigns targeting Internet-facing servers, but lacked the obfuscation seen in those campaigns. Because of this, analysis of the miner's configuration and of the IP addresses and domains it used led the researchers to a software company based in Iran.

Typically, attackers abuse compromised web domains belonging to legitimate businesses to host malicious payloads, but in this case the domain's owner was found to be involved in spreading the malware.

“We found the miner downloads in the web root of the vihansoft domain, in a repository under a now-shuttered Github user account, and on the mrbfile.xyz and mrbftp.xyz domains, as well as on a small number of IP addresses,” Sophos notes.

The username of the GitHub account also appeared on the machine on which the crypto-miner binaries were compiled, reinforcing the link between the two.

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
