Sophos identifies source of MrbMiner attacks

SophosLabs found that the attackers used multiple routes to install the malicious mining software

Sophos, a global leader in next-generation cybersecurity, today published a new report on MrbMiner, “MrbMiner: Cryptojacking to bypass international sanctions,” tracing its origin and management to a small software development company based in Iran.

MrbMiner is a recently discovered crypto miner that targets internet-facing database servers (SQL servers), then downloads and installs a crypto miner. Database servers are an attractive target for cryptojackers because they are built for resource-intensive workloads and have powerful processing capability.

SophosLabs found that the attackers used multiple routes to install the malicious mining software on a targeted server. The crypto-miner payload and configuration files were packed into deliberately misnamed zip archive files.
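One defensive check the misnamed-archive detail suggests, as an added example that is not from Sophos's report or tooling: flag files whose content begins with a ZIP signature but whose name does not carry a zip-style extension, and list what they contain. The sample directory is constructed here, and the extension allow-list is an assumption.

```python
import os
import tempfile
import zipfile

# ZIP signatures: local file header, empty archive (end-of-central-directory), spanned archive
ZIP_MAGIC = (b"PK\x03\x04", b"PK\x05\x06", b"PK\x07\x08")
# Assumed allow-list of extensions that are legitimately zip-based
ZIP_EXTENSIONS = {".zip", ".jar", ".docx", ".xlsx", ".pptx", ".apk"}

def is_zip_by_magic(path):
    """True if the file's first four bytes are a ZIP signature, whatever the name says."""
    with open(path, "rb") as fh:
        head = fh.read(4)
    return head in ZIP_MAGIC

def find_misnamed_zips(root):
    """Walk `root` and return sorted [(path, [member names])] for files that are ZIP
    archives by content but do not use a zip-style extension."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            ext = os.path.splitext(name)[1].lower()
            if ext in ZIP_EXTENSIONS or not is_zip_by_magic(path):
                continue
            try:
                with zipfile.ZipFile(path) as zf:
                    members = zf.namelist()
            except zipfile.BadZipFile:
                members = []  # signature present but unreadable: still worth flagging
            findings.append((path, members))
    return sorted(findings)

def build_sample_tree():
    """Constructed sample data: an honest .zip, a zip disguised as .txt, a real text file."""
    root = tempfile.mkdtemp(prefix="misnamed_zip_demo_")
    with zipfile.ZipFile(os.path.join(root, "legit.zip"), "w") as zf:
        zf.writestr("readme.txt", "hello")
    with zipfile.ZipFile(os.path.join(root, "notes.txt"), "w") as zf:  # disguised archive
        zf.writestr("miner.exe", b"\x00" * 16)
        zf.writestr("config.json", "{}")
    with open(os.path.join(root, "real.txt"), "w") as fh:
        fh.write("plain text, not an archive")
    return root

if __name__ == "__main__":
    for path, members in find_misnamed_zips(build_sample_tree()):
        print(f"misnamed archive: {path} -> {members}")
```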

The name of an Iran-based software company was hardcoded into the miner’s main configuration file. This domain is connected to many other zip files also containing copies of the miner. These zip files have in turn been downloaded from other domains, one of which is mrbftp.XYZ.

Gabor Szappanos, threat research director, SophosLabs

“In many ways, MrbMiner’s operations appear typical of most crypto-miner attacks we’ve seen targeting internet-facing servers,” said Gabor Szappanos, threat research director, SophosLabs. “The difference here is that the attacker appears to have thrown caution to the wind when it comes to concealing their identity. Many of the records relating to the miner’s configuration, its domains and IP addresses, signpost to a single point of origin: a small software company based in Iran.

“In an age of multi-million dollar ransomware attacks that bring organizations to their knees, it can be easy to discount cryptojacking as a nuisance rather than a serious threat, but that would be a mistake. Cryptojacking is a silent and invisible threat that is easy to implement and very difficult to detect. Further, once a system has been compromised, it presents an open door for other threats, such as ransomware. It is therefore important to stop cryptojacking in its tracks. Look out for signs such as a reduction in computer speed and performance, increased electricity use, devices overheating and increased demands on the CPU.”

Further information on MrbMiner and other cyberthreats can be found on SophosLabs Uncut, where Sophos researchers regularly publish their latest research and breakthrough findings, such as Kingminer escalate attack complexity for crypto mining, as well as Lemon_Duck crypto miner targets cloud apps and Linux, and MyKings botnet spreads headaches, crypto miners and Forshare malware. Researchers can follow SophosLabs Uncut in real time on Twitter at @SophosLabs.

Detection and Indicators of Compromise

Sophos detects MrbMiner cryptominer samples under the definition Troj/Miner-ZD.

Additional indicators of compromise have been published to the SophosLabs Github.