Cybersecurity researchers have traced the origin of a crypto-mining operation that targets internet-facing database servers.
The MrbMiner campaign, first reported in September 2020, was used to install a cryptocurrency miner on a large number of Microsoft SQL Server instances. Sophos researchers traced the campaign's origin to a small Iranian software development company.
On Thursday, the researchers explained that the company's name (in the form of its domain, vihansoft.ir) was hardcoded into the miner's main configuration file, and that this file was tied to many other zip files containing copies of the miner. Those zip files had been "downloaded from other domains, one of which is mrbftp.xyz."
The researchers could not determine how the malware initially got onto the database servers, but they pointed to the MyKings SQL-attacking botnet and the Lemon Duck cryptocurrency botnet, which have compromised similar systems by preying on unpatched vulnerabilities.
The infection chain starts when the Microsoft SQL Server service process (sqlservr.exe) launches a file named assm.exe. Assm.exe downloads the crypto-miner payload from a web server and then connects to its command-and-control (C2) server to report that the miner is running. The payload and its configuration files are unpacked as soon as they are downloaded onto the system.
According to the researchers, the payload was most often a file named sys.dll, which was not a Windows DLL at all but a zip archive containing "a crypto-miner binary, configuration file, and related files."
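The two observable artefacts described above, a database server process spawning an unexpected child and a ".dll" that is really a zip archive, are easy to check for. The script below is an added example, not Sophos's code or anything from the MrbMiner samples: it runs a parent-child rule over constructed Sysmon-style JSON-lines events (field names follow Sysmon's schema; the paths, the allow-list and the IP are invented), and it classifies a constructed stand-in for sys.dll by its leading bytes rather than its extension.

```python
import io
import json
import zipfile

# Constructed sample: three Sysmon process-creation events (EventID 1) and one
# network event, in the JSON-lines shape a log shipper typically emits. These are
# not real logs from the MrbMiner incident; field names follow Sysmon's schema.
SAMPLE_SYSMON_JSONL = r"""
{"EventID": 1, "Image": "C:\\Windows\\System32\\conhost.exe", "ParentImage": "C:\\Program Files\\Microsoft SQL Server\\MSSQL\\Binn\\sqlservr.exe"}
{"EventID": 1, "Image": "C:\\Windows\\Temp\\assm.exe", "ParentImage": "C:\\Program Files\\Microsoft SQL Server\\MSSQL\\Binn\\sqlservr.exe"}
{"EventID": 1, "Image": "C:\\Windows\\System32\\notepad.exe", "ParentImage": "C:\\Windows\\explorer.exe"}
{"EventID": 3, "Image": "C:\\Windows\\Temp\\assm.exe", "DestinationIp": "203.0.113.10"}
"""

# Assumption: on a database host, sqlservr.exe legitimately spawns very little.
# Tune this allow-list to the environment before deploying the rule.
EXPECTED_SQL_CHILDREN = {"conhost.exe", "sqlservr.exe"}

PE_MAGIC = b"MZ"            # every Windows EXE/DLL starts with the DOS "MZ" header
ZIP_MAGIC = b"PK\x03\x04"   # zip local-file-header signature


def parse_sysmon(text):
    """Parse JSON-lines Sysmon events, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def basename(path):
    """Last component of a Windows path, lower-cased for comparison."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def suspicious_sql_children(events, parent_name="sqlservr.exe"):
    """Return process-creation events where the SQL Server service process spawned
    a binary that is not on the expected list (e.g. assm.exe in the MrbMiner chain)."""
    hits = []
    for ev in events:
        if ev.get("EventID") != 1:
            continue
        if basename(ev.get("ParentImage", "")) != parent_name:
            continue
        if basename(ev.get("Image", "")) not in EXPECTED_SQL_CHILDREN:
            hits.append(ev)
    return hits


def classify_payload(data):
    """'pe', 'zip' or 'unknown', judged by leading bytes rather than file extension."""
    if data.startswith(PE_MAGIC):
        return "pe"
    if data.startswith(ZIP_MAGIC):
        return "zip"
    return "unknown"


def is_masquerading_dll(filename, data):
    """True when a file carrying a .dll name is not actually a PE image."""
    return filename.lower().endswith(".dll") and classify_payload(data) != "pe"


def list_zip_members(data):
    """Member names inside a zip archive held in memory."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return zf.namelist()


def build_fake_sys_dll():
    """Constructed stand-in for MrbMiner's sys.dll: a zip archive, not a DLL.
    Member names and contents are invented for the example."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("miner.exe", b"MZ\x90\x00 placeholder bytes, not a real miner")
        zf.writestr("config.json", b'{"pool": "example.invalid:3333"}')
    return buf.getvalue()


def triage():
    """Run both checks and return the findings as a dict."""
    events = parse_sysmon(SAMPLE_SYSMON_JSONL)
    dropped = build_fake_sys_dll()
    kind = classify_payload(dropped)
    return {
        "sql_spawned": [basename(e["Image"]) for e in suspicious_sql_children(events)],
        "sys_dll_kind": kind,
        "sys_dll_masquerading": is_masquerading_dll("sys.dll", dropped),
        "sys_dll_members": list_zip_members(dropped) if kind == "zip" else [],
    }


if __name__ == "__main__":
    for key, value in triage().items():
        print(f"{key}: {value}")
```

The parent-child rule is deliberately an allow-list rather than a block-list: a real SQL Server service process almost never needs to start anything, so any unexpected child is worth a look, not just a file named assm.exe. The magic-byte check is the cheaper of the two and catches the sys.dll trick regardless of what the file is called.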
The researchers also found "a reference to the business behind vihansoft.ir in the Persian-language mapping website neshan.org," which lists business information alongside its mapping services, including "the entry for a company that lists vihansoft.ir as its website, and names its managing director."
Based on these findings, the researchers suggested that crypto-jacking can be a way for people in countries under strict US financial sanctions to raise funds outside the ordinary banking system.