Iranian hackers use cryptojacker to bypass sanctions, says report
Cybersecurity firm SophosLabs has traced MrbMiner, a new cryptojacking virus that primarily targets powerful database servers, back to a small software company in Iran, according to a report published yesterday.
“MrbMiner is a recently discovered cryptominer that targets internet-facing database servers (SQL servers) and downloads and installs a cryptominer. Database servers are an attractive target for cryptojackers because they are used for resource-intensive activity and therefore have powerful processing capability,” said the researchers.
Sneaky mining
Cryptojackers, also called malicious cryptominers, are a type of malware that uses infected systems to stealthily mine cryptocurrency and send the proceeds back to the attackers. While such programs may be seen as less damaging or malign than ransomware, for example, they can still have a number of detrimental effects, such as severe drops in performance.
This is why database servers, which “fall on the beefier side of the performance scale,” were targeted specifically.
The report also asserted that MrbMiner’s developers could actually be using such an attack to bypass international financial sanctions currently placed on the country.
“People who live in countries that are under strict international financial sanctions, like Iran, can leverage cryptocurrency to bypass the traditional banking system,” the report surmised.
Caution was thrown to the wind
At the same time, it turned out that MrbMiner’s operators made no real attempt to conceal their identity, effectively leaving their “home address” right in the middle of their code. For example, the researchers discovered that the name of an Iran-based software company was hardcoded into the miner’s main configuration file itself.
“In many ways, MrbMiner’s operations appear typical of most cryptominer attacks we’ve seen targeting internet-facing servers. The difference here is that the attacker appears to have thrown caution to the wind when it comes to concealing their identity,” said Gabor Szappanos, threat research director at SophosLabs.
He explained that MrbMiner’s configuration data even includes domain names and IP addresses that “signpost” to a single entity, the aforementioned Iranian firm.
“When we see web domains that belong to a legitimate business implicated in an attack, it’s much more common that the attackers simply took advantage of a website to (temporarily, in most cases) use its web hosting capabilities to create a ‘dead drop’ where they can host the malware payload,” the researchers noted, adding, “But in this case, the domain’s owner is implicated in spreading the malware.”
As CryptoSlate reported in October, another group of hackers has stolen at least $22 million worth of Bitcoin from users of the Electrum wallet by sending fake updates.