Sophos identifies source of 'MrbMiner' attacks
Cyber security company Sophos has traced the origin of the MrbMiner crypto-miner attacks, which target SQL servers, to a small software development company based in Iran.
In a report titled “MrbMiner: Cryptojacking to bypass international sanctions,” the company says servers are a compelling target for crypto-jackers because they are used for resource-intensive activity and therefore have powerful processing capability.
SophosLabs found that bad actors used multiple routes to install the malicious mining software on a targeted server, with the crypto-miner payload and configuration files packed into deliberately mis-named zip archive files.
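The mis-named archive trick above is cheap to screen for on the defender's side: a zip file carries a fixed "PK" signature in its first bytes regardless of what extension it has been given. The following is an added example, not code from Sophos or from the report, showing a content-versus-extension check over a handful of constructed sample files (the allow-list of extensions that legitimately contain zip data is an assumption you would tune for your environment).

```python
import io
import zipfile
from pathlib import Path
from typing import Dict, List

# Local-file-header, end-of-central-directory and spanned-archive signatures.
ZIP_MAGIC = (b"PK\x03\x04", b"PK\x05\x06", b"PK\x07\x08")

# Hypothetical allow-list: extensions under which zip-structured content is expected.
ZIP_EXTENSIONS = {".zip", ".jar", ".docx", ".xlsx", ".pptx", ".apk"}


def is_zip_bytes(data: bytes) -> bool:
    """True if the content starts with a zip signature, whatever the filename says."""
    return data.startswith(ZIP_MAGIC)


def archive_members(data: bytes) -> List[str]:
    """List member names inside zip content without extracting anything to disk."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return zf.namelist()


def find_misnamed_zips(files: Dict[str, bytes]) -> List[str]:
    """Return names whose bytes are a zip archive but whose extension is not on the allow-list."""
    flagged = []
    for name, data in files.items():
        ext = Path(name).suffix.lower()
        if is_zip_bytes(data) and ext not in ZIP_EXTENSIONS:
            flagged.append(name)
    return flagged


def make_zip(members: Dict[str, bytes]) -> bytes:
    """Build a small zip archive in memory (used only to construct sample input)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for member_name, member_data in members.items():
            zf.writestr(member_name, member_data)
    return buf.getvalue()


# Constructed sample files: one honest zip, one zip disguised as a JPEG,
# one real JPEG header, one plain text file.
SAMPLE_FILES: Dict[str, bytes] = {
    "report.zip": make_zip({"readme.txt": b"hello"}),
    "update.jpg": make_zip({"config.ini": b"[settings]\nkey=value\n"}),
    "photo.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 16,
    "notes.txt": b"plain text",
}


def scan_sample() -> List[str]:
    """Run the check over the constructed sample set."""
    return find_misnamed_zips(SAMPLE_FILES)


if __name__ == "__main__":
    for name in scan_sample():
        print(f"{name}: zip content under a non-archive extension, members={archive_members(SAMPLE_FILES[name])}")
```

In practice you would feed `find_misnamed_zips` the first few bytes of files landing in web-server upload directories or database server working directories rather than a dict; the signature check is the same. It is a cheap heuristic, not a classifier: it catches renamed archives, not payloads packed some other way.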
According to the company, the name of an Iran-based software company was hardcoded into the miner’s main configuration file. This domain is connected to plenty of other zip files also containing copies of the miner. These zip files have in turn been downloaded from other domains, one of which is mrbftp.xyz.
Gabor Szappanos, threat research director at SophosLabs, said: “In many ways, MrbMiner’s operations appear typical of most crypto-miner attacks we've seen targeting Internet-facing servers. The difference here is that the attacker appears to have thrown caution to the wind when it comes to concealing their identity. Many of the records relating to the miner's configuration, its domains and IP addresses, signpost to a single point of origin: a small software company based in Iran.”
He says that in an era of multimillion-dollar ransomware attacks that bring businesses to their knees, it can be easy to view crypto-jacking as a nuisance instead of a serious threat, but that would be a mistake.
“Crypto-jacking is a silent and invisible threat that is easy to implement and very difficult to detect. Further, once a system has been compromised it presents an open door for other threats, such as ransomware. It is therefore important to stop crypto-jacking in its tracks. Look out for signs such as a reduction in computer speed and performance, increased electricity use, devices overheating and increased demands on the CPU.”
Samples of this crypto-miner are detected by Sophos under the definition Troj/Miner-ZD.