Researchers have traced the origins of a campaign – infecting SQL servers to mine cryptocurrency – back to an Iranian software firm.
Researchers have made new discoveries surrounding the source of a previously-uncovered cryptomining operation that has targeted internet-facing database servers.
The campaign, dubbed MrbMiner, was discovered in September 2020 downloading and installing a cryptominer on thousands of SQL servers. Now, researchers with Sophos have tracked the origin of the campaign to what they claim is a small software development company based in Iran.
“The name of an Iran-based software company was hardcoded into the miner’s main configuration file,” said researchers with Sophos in a Thursday analysis. “This domain is connected to many other zip files also containing copies of the miner. These zip files have in turn been downloaded from other domains, one of which is mrbftp.xyz.”
Researchers said that their records don’t reveal exactly how the malware gained a foothold on the database servers. However, they pointed to techniques used by the MyKings SQL-attacking botnet or Lemon_Duck cryptocurrency botnet as a possibility. Both of these botnets prey on various unpatched vulnerabilities in systems, with some additional infection vector tricks up their sleeve (including remote desktop protocol password brute-forcing for Lemon Duck).
Once downloaded onto the system, the cryptominer payload and configuration files are unpacked. A Microsoft SQL server (sqlservr.exe) process first launches a file called assm.exe, which is a trojan that serves as a downloader. Assm.exe then downloads the cryptominer payload from a web server, and connects to its command-and-control (C2) server to report the successful download and execution of the miner.
“In most cases, the payload was a file named sys.dll, which (despite its file suffix) was not a Windows DLL but a zip archive containing a cryptominer binary, configuration file, and related files,” said researchers.
While the attack seemed typical of most cryptominer attacks targeting internet-facing servers, what sets it apart is that the attacker “appears to have thrown caution to the wind about concealing their identity,” said Gabor Szappanos, threat research director with Sophos Labs.
Researchers discovered a slew of records relating to the miner’s configuration, its domains and IP addresses that pointed to a single point of origin: an (unnamed) small software company based in Iran. For instance, one give away was that the server utilized to host the payloads for the campaign also hosted a domain (vihansoft.ir), which is a website tied to the software company.
“We found a reference to the business behind vihansoft.ir in the Persian-language mapping website neshan.org,” said researchers. “Similar to Google Maps or Waze, Neshan includes business information as part of its mapping services, and the entry for a company that lists vihansoft.ir as its website, and names its managing director.”
Researchers noted that cryptojacking may be utilized here by people who live in countries like Iran that are under strict international financial sanctions by the U.S., in order to bypass the traditional banking system.
Servers: Lucrative Cryptojacking Target
While many attackers target computers with their cryptomining malware, researchers stressed that database servers are an attractive target for attackers because they are used for resource-intensive processes and thus contain potent processing capability.
IT administrators hosting a database need significant performance requirements, including the ability to process large loads of data reads and writes, as well as high levels of RAM and processor overhead to respond rapidly to queries, said researchers.
“As a result, servers hosting databases fall on the beefier side of the performance scale, which is why they’re an excellent target for attackers whose goals include the distribution of cryptocurrency miners,” said researchers.
Attackers have caught on to this over the past years. In 2019, up to 50,000 servers were infected as part of a high-profile cryptojacking campaign, believed to orchestrated by Chinese-language adversaries. In 2018, MassMiner emerged to target Windows servers with various well-known exploits, all within a single executable — including the EternalBlue NSA hacking tool.
Download our exclusive FREE Threatpost Insider eBook Healthcare Security Woes Balloon in a Covid-Era World, sponsored by ZeroNorth, to learn more about what these security risks mean for hospitals at the day-to-day level and how healthcare security teams can implement best practices to protect providers and patients. Get the whole story and DOWNLOAD the eBook now – on us!