Sophos revealed that the cryptomining malware known as MrbMiner was built by a small software house in Iran to circumvent the international sanctions imposed on the country.
Sophos, a leader in next-generation cybersecurity technologies, has published a new report on the cryptomining malware MrbMiner, which targets internet-facing database servers, titled “MrbMiner: Cryptojacking to bypass international sanctions”. The report concludes that the malware was built and operated by a small software company in Iran to circumvent the international sanctions against the country.
MrbMiner installs its own cryptominer on internet-facing Microsoft SQL Server database servers. Database servers are attractive targets for cryptominers because they are built for resource-intensive workloads and therefore have substantial computing capacity.
SophosLabs found that the attackers used several methods to install the miner on a targeted server, packaging the cryptominer payload and its configuration files in deliberately misnamed zip archives. The name of an Iran-based software company is hard-coded in the miner’s main configuration file, and that domain hosts another zip file containing different versions of the miner. These zip files are downloaded from several different domains, including mrbftp.xyz.
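The misnamed-archive trick described above is easy to check for: a file's extension can say anything, but a ZIP archive still begins with the `PK` signature and must carry a parsable central directory. The following is an added detection example, not Sophos code; the sample files are constructed in memory for the demonstration, and the list of extensions under which ZIP content is considered legitimate is an assumption a defender would tune for their environment.

```python
"""Flag files whose contents are a ZIP archive but whose name says otherwise.

Added example for detecting deliberately misnamed archives; it is not Sophos
code, and the sample files below are constructed for the demonstration.
"""
import io
import zipfile
from pathlib import PurePosixPath

# Local-file-header, end-of-central-directory (empty archive) and spanned-archive markers.
ZIP_MAGICS = (b"PK\x03\x04", b"PK\x05\x06", b"PK\x07\x08")

# Extensions under which ZIP-formatted content is expected (assumed list; tune as needed).
ZIP_LIKE_EXTENSIONS = {".zip", ".jar", ".docx", ".xlsx", ".pptx", ".apk"}


def looks_like_zip(data: bytes) -> bool:
    """Cheap check: do the first four bytes carry one of the ZIP signatures?"""
    return data[:4] in ZIP_MAGICS


def is_real_zip(data: bytes) -> bool:
    """Stronger check: zipfile must locate and parse the central directory."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return zf.testzip() is None
    except zipfile.BadZipFile:
        return False


def find_misnamed_archives(files):
    """Return names of files that are ZIP archives but lack a ZIP-like extension.

    `files` maps a filename to its raw bytes (a dict, so the example runs offline).
    """
    hits = []
    for name, data in files.items():
        ext = PurePosixPath(name).suffix.lower()
        if ext in ZIP_LIKE_EXTENSIONS:
            continue
        if looks_like_zip(data) and is_real_zip(data):
            hits.append(name)
    return sorted(hits)


def build_zip(entries):
    """Construct an in-memory ZIP archive from {member_name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for member, content in entries.items():
            zf.writestr(member, content)
    return buf.getvalue()


# Constructed sample files: one honestly named archive, two archives hiding
# behind image/text extensions, one genuine non-archive, and one file that
# only carries the signature (which the parse check correctly rejects).
SAMPLE_FILES = {
    "update.zip": build_zip({"readme.txt": b"legit"}),
    "logo.png": build_zip({"miner.exe": b"MZ...", "config.json": b"{}"}),
    "notes.txt": build_zip({"payload.bin": b"\x00" * 16}),
    "photo.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 32,
    "fake.log": b"PK\x03\x04 but truncated",
}

if __name__ == "__main__":
    for hit in find_misnamed_archives(SAMPLE_FILES):
        print("misnamed archive:", hit)
```

Checking the signature alone would also flag `fake.log`, so the parse step is what keeps false positives down; in production the same two-stage check would be run over a directory walk or a file-creation event stream rather than an in-memory dict.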
“In an age of multi-million dollar ransomware attacks that are killing organizations, it would be a mistake to underestimate crypto mining attacks,” says Gabor Szappanos, Director of Threat Research at SophosLabs. “A crypto mining attack is a silent and invisible threat that is easy to implement and very difficult to detect. It also has the potential to leave an open door for other major threats like ransomware. MrbMiner’s operations are typical of crypto mining attacks targeting internet-facing servers. However, it is striking that they are very careless about hiding their identity. Most of the records regarding the miner’s configuration, domains and IP addresses point to a small Iran-based software company.”
Sophos says that the signs of cryptomining, such as reduced speed and performance of computers and servers, increased electricity consumption, overheating devices and unusually high processor load, should be watched for.