SQL Server Malware Tied to Iranian Software Firm, Researchers Allege


Level 85
Thread author
Honorary Member
Top Poster
Content Creator
Malware Hunter
Aug 17, 2014
Researchers have made new discoveries surrounding the source of a previously-uncovered cryptomining operation that has targeted internet-facing database servers.
The campaign, dubbed MrbMiner, was discovered in September 2020 downloading and installing a cryptominer on thousands of SQL servers. Now, researchers with Sophos have tracked the origin of the campaign to what they claim is a small software development company based in Iran.
“The name of an Iran-based software company was hardcoded into the miner’s main configuration file,” said researchers with Sophos in a Thursday analysis. “This domain is connected to many other zip files also containing copies of the miner. These zip files have in turn been downloaded from other domains, one of which is mrbftp.xyz.”
Researchers said that their records don’t reveal exactly how the malware gained a foothold on the database servers. However, they pointed to techniques used by the MyKings SQL-attacking botnet or Lemon_Duck cryptocurrency botnet as a possibility. Both of these botnets prey on various unpatched vulnerabilities in systems, with some additional infection vector tricks up their sleeve (including remote desktop protocol password brute-forcing for Lemon Duck).
Once downloaded onto the system, the cryptominer payload and configuration files are unpacked. A Microsoft SQL server (sqlservr.exe) process first launches a file called assm.exe, which is a trojan that serves as a downloader. Assm.exe then downloads the cryptominer payload from a web server, and connects to its command-and-control (C2) server to report the successful download and execution of the miner.
“In most cases, the payload was a file named sys.dll, which (despite its file suffix) was not a Windows DLL but a zip archive containing a cryptominer binary, configuration file, and related files,” said researchers.

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.