According to researchers at Sophos, the database server process (sqlservr.exe) launched a downloader executable that appeared to materialize spontaneously on the server. The downloader retrieved a cryptominer called MrbMiner, and the miner appears to have been created, hosted, and controlled by a software development firm based in Iran.
The operation is otherwise typical of cryptominer attacks against internet-facing servers, but the MrbMiner attacker appears to have abandoned all caution when it came to concealing their identity.
MrbMiner Crypto-Mining Malware Linked to a Software Company in Iran
The MrbMiner operation begins with the Microsoft SQL Server process (sqlservr.exe) launching a file called assm.exe, a downloader Trojan. assm.exe downloads the cryptominer payload from a web server; the miner then connects to its C2 (command-and-control) server for further communications.
The MrbMiner cryptojacking payload also includes a kernel-level device driver (WinRing0x64.sys) and a miner executable named Windows Update Service.exe, a name chosen to disguise its purpose.
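The process chain above (sqlservr.exe spawning assm.exe, the WinRing0x64.sys driver, the miner masquerading as Windows Update Service.exe) is what a defender can look for in endpoint telemetry. The following detection logic is an added example, not Sophos code; the event records are constructed to resemble Sysmon process-creation and driver-load events, and the SQL Server child-process baseline is an assumed value to be tuned per environment.

```python
"""Flag the MrbMiner infection chain in constructed Sysmon-like events.

Added example, not from the original article or from Sophos. SAMPLE_EVENTS
are constructed records shaped like Sysmon EventID 1 (process creation) and
EventID 6 (driver load), reduced to the fields these checks need.
"""
import ntpath

# File names the article attributes to the campaign (matched case-insensitively).
KNOWN_NAMES = {
    "assm.exe": "known_downloader_name",
    "windows update service.exe": "known_miner_name",
    # WinRing0 is also shipped by some hardware-monitoring tools, so a hit
    # is a lead to investigate, not proof on its own.
    "winring0x64.sys": "known_miner_driver",
}

# Children sqlservr.exe is expected to launch on this host. This is an
# assumed baseline; derive the real one from the environment's own telemetry.
SQLSERVER_ALLOWED_CHILDREN = {"conhost.exe", "sqldumper.exe"}


def basename(path: str) -> str:
    """Lower-cased file name component of a Windows path."""
    return ntpath.basename(path).lower()


def check_event(event: dict) -> list:
    """Return (rule, path) pairs for every rule this single event trips."""
    hits = []
    if event["EventID"] == 1:  # process creation
        image, parent = event["Image"], event["ParentImage"]
        # SQL Server launching anything outside its baseline is the first
        # visible step of the chain (sqlservr.exe -> assm.exe).
        if basename(parent) == "sqlservr.exe" and basename(image) not in SQLSERVER_ALLOWED_CHILDREN:
            hits.append(("unexpected_sqlserver_child", image))
        if basename(image) in KNOWN_NAMES:
            hits.append((KNOWN_NAMES[basename(image)], image))
    elif event["EventID"] == 6 and basename(event["ImageLoaded"]) in KNOWN_NAMES:  # driver load
        hits.append((KNOWN_NAMES[basename(event["ImageLoaded"])], event["ImageLoaded"]))
    return hits


def detect(events: list) -> list:
    """Run every event through check_event and collect all alerts in order."""
    return [hit for event in events for hit in check_event(event)]


SQL = r"C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe"
SAMPLE_EVENTS = [  # constructed telemetry, not a real incident log
    {"EventID": 1, "Image": SQL, "ParentImage": r"C:\Windows\System32\services.exe"},
    {"EventID": 1, "Image": r"C:\Windows\Temp\assm.exe", "ParentImage": SQL},
    {"EventID": 1, "Image": r"C:\Windows\System32\conhost.exe", "ParentImage": SQL},
    {"EventID": 6, "ImageLoaded": r"C:\Windows\Temp\WinRing0x64.sys"},
    {"EventID": 1, "Image": r"C:\Windows\Temp\Windows Update Service.exe",
     "ParentImage": r"C:\Windows\Temp\assm.exe"},
]

if __name__ == "__main__":
    for rule, path in detect(SAMPLE_EVENTS):
        print(f"{rule}: {path}")
```

The first and third sample events (SQL Server started by services.exe, and its normal conhost.exe child) produce no alert, so the output shows only the four indicators of the chain.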
To unravel the origin of the malware, Sophos researchers began by digging into the domain hardcoded into the miner's configuration file, vihansoft.ir. Many of the records relating to the miner's configuration, including its domains and IP addresses, point to a single origin: a software company based in Iran.
The vihansoft.ir domain, used as both a C2 and a payload server, was registered to that software development company, and payloads were also downloaded directly from the same IP address that hosts vihansoft.ir.
How to stop MrbMiner Cryptojacking
Cryptojacking remains a growing threat that is difficult to detect, and it opens the door to other threats, such as ransomware.
Therefore, it is important to catch cryptojacking early by watching for signs such as reduced PC speed and performance, overheating, increased CPU demand, and increased power consumption.