SQL Server Malware Tied to Iranian Software Firm, Researchers Allege


Level 75
Content Creator
Malware Hunter
Aug 17, 2014
Researchers have made new discoveries surrounding the source of a previously-uncovered cryptomining operation that has targeted internet-facing database servers.
The campaign, dubbed MrbMiner, was discovered in September 2020 downloading and installing a cryptominer on thousands of SQL servers. Now, researchers with Sophos have tracked the origin of the campaign to what they claim is a small software development company based in Iran.
“The name of an Iran-based software company was hardcoded into the miner’s main configuration file,” said researchers with Sophos in a Thursday analysis. “This domain is connected to many other zip files also containing copies of the miner. These zip files have in turn been downloaded from other domains, one of which is mrbftp.xyz.”
Researchers said that their records don’t reveal exactly how the malware gained a foothold on the database servers. However, they pointed to techniques used by the MyKings SQL-attacking botnet or Lemon_Duck cryptocurrency botnet as a possibility. Both of these botnets prey on various unpatched vulnerabilities in systems, with some additional infection vector tricks up their sleeve (including remote desktop protocol password brute-forcing for Lemon Duck).
Once downloaded onto the system, the cryptominer payload and configuration files are unpacked. A Microsoft SQL server (sqlservr.exe) process first launches a file called assm.exe, which is a trojan that serves as a downloader. Assm.exe then downloads the cryptominer payload from a web server, and connects to its command-and-control (C2) server to report the successful download and execution of the miner.
“In most cases, the payload was a file named sys.dll, which (despite its file suffix) was not a Windows DLL but a zip archive containing a cryptominer binary, configuration file, and related files,” said researchers.