A cryptomining malware family identified as MrbMiner has compromised thousands of Microsoft SQL Server (MSSQL) databases since it was first spotted last year. Researchers at Sophos have traced the operation to a small software development firm in Iran, after a lapse in operational security left the company's name recoverable from the malware's configuration and the domains it used.

MrbMiner, first reported by Tencent in September, targets MSSQL servers reachable from the internet and installs mining software that uses the servers' CPU time to mine Monero, with the proceeds paid into wallets controlled by the attackers. The malware takes its name from one of the domains the attackers used to host their payloads.

Gabor Szappanos, threat research director at SophosLabs, noted that while the approach of MrbMiner mirrors typical cryptominer attacks directed at exposed servers, this case stands out due to the attackers’ apparent disregard for anonymity. Key operational identifiers, including the miner’s configuration and the domains used, strongly link the attack back to the Iranian software company.

The infection begins with brute-force attacks against the MSSQL server's administrator accounts, cycling through lists of weak passwords. Once a login succeeds, a Trojan named "assm.exe" is downloaded and used to establish persistence: it creates a backdoor for future access and then retrieves and executes the Monero miner payload.

The payloads, observed under names such as sys.dll, agentx.dll and hostx.dll, were in fact ZIP archives given misleading file names; each contained the miner binary together with its configuration files. Unlike many cryptojacking campaigns, which are hard to attribute, MrbMiner's developers made a critical error by hardcoding both the payload location and the command-and-control (C2) address inside the downloader.
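A file whose extension says DLL but whose first bytes say ZIP is a cheap triage signal for exactly this kind of staging. The script below is an added example, not code from the article or from the malware: it classifies files by magic bytes rather than extension, lists the members of any archive that masquerades as a PE, and builds its own constructed sample directory (a ZIP renamed to sys.dll, with placeholder member names, beside a stub file that merely begins with the "MZ" header) so it runs offline.

```python
import io
import os
import tempfile
import zipfile

ZIP_MAGIC = (b"PK\x03\x04", b"PK\x05\x06")   # local file header, or empty archive
PE_MAGIC = b"MZ"                              # DOS header that every PE file starts with
PE_EXTENSIONS = {".dll", ".exe", ".sys"}


def sniff(path):
    """Classify a file by its leading bytes, ignoring whatever the extension claims."""
    with open(path, "rb") as f:
        head = f.read(4)
    if head.startswith(ZIP_MAGIC):
        return "zip"
    if head.startswith(PE_MAGIC):
        return "pe"
    return "unknown"


def find_misnamed_archives(directory):
    """Return {filename: [zip members]} for files with a PE extension that are really ZIPs."""
    findings = {}
    for name in sorted(os.listdir(directory)):
        path = os.path.join(directory, name)
        ext = os.path.splitext(name)[1].lower()
        if os.path.isfile(path) and ext in PE_EXTENSIONS and sniff(path) == "zip":
            with zipfile.ZipFile(path) as zf:
                findings[name] = zf.namelist()
    return findings


def build_constructed_sample(directory):
    """Write constructed test files; member names and contents are placeholders, not real malware."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("miner.exe", PE_MAGIC + b"\0" * 62)          # placeholder, not a real binary
        zf.writestr("config.json", b'{"pool": "example.invalid:3333"}')
    with open(os.path.join(directory, "sys.dll"), "wb") as f:    # archive hiding behind a DLL name
        f.write(buf.getvalue())
    with open(os.path.join(directory, "legit.dll"), "wb") as f:  # genuine-looking PE header
        f.write(PE_MAGIC + b"\0" * 62)


def demo():
    """Build the sample directory and scan it; returns the findings dict."""
    with tempfile.TemporaryDirectory() as d:
        build_constructed_sample(d)
        return find_misnamed_archives(d)


if __name__ == "__main__":
    for name, members in demo().items():
        print(f"{name}: ZIP archive with PE extension, members {members}")
```

Pointed at a real SQL Server host's download or temp directories, the same check is cheap to run on a schedule; the interesting hits are the ones whose archive members are an executable plus a pool configuration, which is the layout the article describes.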

One identifiable domain associated with the operation, “vihansoft[.]ir,” links back to the same Iranian development company and shows clear connections to a now-defunct GitHub account where the malware was hosted. This evidence draws attention to the ongoing threat posed by cybercriminals in heavily sanctioned countries, raising concerns about their use of cryptocurrency for evasion of international penalties and engagement in illegal activities.

According to Szappanos, the silent nature of cryptojacking makes it particularly dangerous, often leading to other potential threats like ransomware infiltration. He underscores the significance of addressing cryptojacking promptly and advises vigilance for signs of infection, such as slowed computer performance, increased electricity consumption, overheating devices, and heightened CPU workloads.

From a tactical perspective, the MrbMiner incident maps cleanly onto the MITRE ATT&CK framework. Initial access was gained by brute-forcing weak administrator passwords on internet-exposed MSSQL servers (Brute Force, T1110); nothing in the reporting involves an exploit or credential dumping. Persistence was established through the downloaded Trojan and the backdoor it created, the miner was fetched from attacker-controlled hosting (Ingress Tool Transfer, T1105), and the impact was resource hijacking for Monero mining (T1496). Because the brute-forced account was already the database administrator, the attackers needed no separate privilege-escalation step. Understanding these tactics helps organizations focus their defenses: keep the SQL port off the internet, use strong credentials (or disable) the built-in administrator login, and watch for bursts of failed logins followed by unexpected outbound downloads.