Crypto-Jacking Campaign Linked to Iranian Company
Researchers at British anti-malware vendor Sophos traced recent crypto-jacking attacks targeting SQL servers back to an Iran-based software company. The attacks consisted of threat actors installing the MrbMiner crypto-miner on target servers, utilizing software created, controlled, and hosted by an Iranian company. Sophos stated that they were unable to determine how the infected databases were initially compromised.
However, the researchers found that the same techniques used in different attacks traced back to the same Iranian actor such as ones featuring the Kingminer, Lemon_Duck, or MyKings miners. The leading theory is that the attackers attempted to brute-force SQL servers and load malicious components, installing the crypto-miner once the network was accessed. Although the payload was designed to target Windows systems, there was also a Linux build of the crypto-miner that was used in some instances.