The malware, dubbed MrbMiner in a September 2020 report by Chinese security firm Tencent, has targeted thousands of vulnerable Microsoft SQL servers in North America, Europe and other regions over several months in an attempt to install cryptominers.
Sophos researchers determined that the location of the final payload and the IP address of the command-and-control server had been hard-coded into the MrbMiner’s downloader component. This, in turn, pointed to a small Iranian-based software company, according to the report, which does not name the suspected firm.
“One reason cryptocurrency mining attacks are so frustrating is that it is hard to leverage law enforcement to address the problem,” Sophos researchers Gabor Szappanos and Andrew Brandt note in the report. “The source of the miners are, usually, anonymous, as is the destination of the harvested cryptocurrency value. But the MrbMiner creator may be easier to determine.”
Sophos researchers found that a domain – vihansoft.ir – used during the attacks to host some of the payloads is linked to the software company in Iran.
This domain, along with others associated with the MrbMiner campaign, is registered to a provider in Panama to help conceal the true ownership, Sophos says.
Once the Sophos researchers had the domains and other information in hand, they used a Persian-language mapping service containing business information to help track down the suspected company behind the malware, according to the report.
“It is difficult to accurately assess the global extent and impact of a malicious cryptomining campaign,” Szappanos says. “Many victims may be affected without realizing it, and cryptocurrency wallets connected to a campaign may not provide an accurate overview of all the money made by the attackers. We do know, however, that MrbMiner is an actively maintained campaign. We have seen more than 470 different samples used by the attackers in the last six months.”
How MrbMiner Works
The Tencent report says the malware’s operators used brute-force methods to guess weak passwords associated with Microsoft SQL servers.
After the SQL server is compromised, MrbMiner attempts to download a Trojan, which in turn downloads the cryptominer that connects to the attackers’ command-and-control server, according to the Sophos report.
The cryptojacking payload includes a kernel-level device driver as well as a miner executable named Windows Update Service.exe, which helps obfuscate its purpose, Sophos says. The executable appears to be a modified version of the XMRig malware, which has become increasingly popular among hackers as a way to mine for virtual currency, especially monero (see: Kubeflow Targeted in XMRig Monero Cryptomining Campaign).
Once installed in a vulnerable SQL server, MrbMiner acts in a manner similar to other cryptomining malware, such as MyKings, Lemon Duck and Kingminer, the Sophos researchers determined.
“In many ways, MrbMiner’s operations appear typical of most cryptominer attacks we’ve seen targeting internet-facing servers,” Szappanos says. “The difference here is that the attacker appears to have thrown caution to the wind when it comes to concealing their identity.”
Szappanos notes that while cryptominers are sometimes viewed more as a nuisance than an actual threat, hackers will sometimes leverage vulnerable systems and devices to escalate an attack beyond mining for digital currency, including downloading ransomware that can cause additional damage.
“Once a system has been compromised, it presents an open door for other threats, such as ransomware,” Szappanos says. “It is therefore important to stop cryptojacking in its tracks. Look out for signs such as a reduction in computer speed and performance, increased electricity use, devices overheating and increased demands on the CPU.”
Source » bankinfosecurity