
Sophos: Crypto-Jacking Campaign Linked to Iranian Company

An Iran-based software company is likely behind a recently identified crypto-jacking campaign targeting SQL servers, according to a report by British anti-malware vendor Sophos.


The attacks result in the MrbMiner crypto-miner being installed onto the target servers, with the software apparently created, controlled, and hosted by a named Iranian company.

The Sophos researchers note that they couldn’t determine exactly how the infected database servers were compromised, but believe that the same techniques as those used in separate attacks featuring the Kingminer, Lemon_Duck, or MyKings miners might have been employed.


If so, the attackers might have attempted to brute-force SQL servers and then load malicious components using SQL command scripts, or they might have relied on exploits for the EternalBlue vulnerability for lateral movement.

On the infected servers, the SQL Server (sqlservr.exe) process was observed launching a file called assm.exe, which turns out to be a downloader Trojan designed to fetch the crypto-miner payload from a web server and report the successful download and execution to the command-and-control (C&C).

The payload was designed to target Windows systems, but the security researchers also identified a Linux build of the crypto-miner on some of the analyzed servers. The two used different crypto-currency wallet addresses.

The MrbMiner malware features a kernel-level device driver publicly available on GitHub (WinRing0x64.sys), along with a miner executable (Windows Update Service.exe), which is a modified version of the XMRig miner.
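The process chain and file names described above can be turned into a simple triage check over endpoint telemetry. This is an added example, not code from Sophos or from the original article; the log schema, file paths, host names and the allowlist of expected sqlservr.exe children are assumptions constructed for illustration.

```python
import json
from pathlib import PureWindowsPath

# File names the article reports for MrbMiner (lower-cased for matching).
NAMED_ARTIFACTS = {"assm.exe", "winring0x64.sys", "windows update service.exe"}
# Assumption: children this environment expects from sqlservr.exe; tune locally.
EXPECTED_SQL_CHILDREN = {"conhost.exe"}

# Constructed telemetry, one JSON object per line; schema and paths are hypothetical.
SAMPLE_LOG = r'''
{"host":"db01","event":"process_create","parent_image":"C:\\MSSQL\\Binn\\sqlservr.exe","image":"C:\\Windows\\Temp\\assm.exe"}
{"host":"db01","event":"driver_load","image":"C:\\Windows\\Temp\\WinRing0x64.sys"}
{"host":"db01","event":"process_create","parent_image":"C:\\Windows\\Temp\\assm.exe","image":"C:\\ProgramData\\Windows Update Service.exe"}
{"host":"db02","event":"process_create","parent_image":"C:\\MSSQL\\Binn\\sqlservr.exe","image":"C:\\Windows\\System32\\conhost.exe"}
{"host":"db02","event":"process_create","parent_image":"C:\\MSSQL\\Binn\\sqlservr.exe","image":"C:\\Windows\\System32\\cmd.exe"}
truncated-or-malformed line
'''

def base(path):
    """Lower-cased file name of a Windows path ('' if the field is missing)."""
    return PureWindowsPath(path or "").name.lower()

def triage(log_text):
    """Return (host, file name, reasons) for each event that needs review."""
    findings = []
    for line in log_text.splitlines():
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # blank or malformed line: skip it, keep processing
        if not isinstance(ev, dict):
            continue
        image, parent = base(ev.get("image")), base(ev.get("parent_image"))
        reasons = []
        # Behavioural rule: the database engine starting an unexpected program.
        if (ev.get("event") == "process_create" and parent == "sqlservr.exe"
                and image not in EXPECTED_SQL_CHILDREN):
            reasons.append("unexpected child of sqlservr.exe")
        # Name rule: matches only the exact file names given in the article.
        if image in NAMED_ARTIFACTS:
            reasons.append("file name reported for MrbMiner")
        if reasons:
            findings.append((ev.get("host"), image, reasons))
    return findings

if __name__ == "__main__":
    for host, image, reasons in triage(SAMPLE_LOG):
        print(f"{host}: {image}: {'; '.join(reasons)}")
```

File names are easy to change and WinRing0x64.sys is a publicly available driver, so a name match is a lead to investigate rather than a verdict; the parent-process rule still fires when the downloader is renamed.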


Analysis of the domain that was found hardcoded within MrbMiner samples revealed the use of various naming schemes for the malicious payload and its components, including the use of several other domains.

Overall, the attacks resembled previously observed crypto-jacking campaigns targeting Internet-facing servers, but lacked the level of obfuscation previously observed. As a result, analysis of the miner’s configuration and of the IP addresses and domains it used led to a software company based in Iran.

Typically, attackers abuse compromised web domains belonging to legitimate businesses to host malicious payloads, but in this case the domain’s owner was found to be involved in the spreading of malware.

“We found the miner downloads in the web root of the vihansoft domain, in a repository under a now-shuttered Github user account, and on the and domains, as well as on a small number of IP addresses,” Sophos notes.

The same username used for the GitHub account was present on the machine on which the crypto-miner binaries were compiled, clearly reinforcing the connection between the two.


Written By

Ionut Arghire is an international correspondent for SecurityWeek.
