SQL servers are especially attractive as they pack more processing capabilities to support cryptomining, with MrbMiner as a good example.

Database servers are an attractive target for cryptojackers because they are used for resource intensive activity and therefore have powerful processing capability.

One recently-discovered cryptominer that targets such servers is called MrbMiner, and it uses multiple routes to install malicious mining software. The cryptominer payload and configuration files are packed into deliberately mis-named zip archive files harboring links to domains containing the string “mrb”, such as mrbfile.xyz.

However, unlike other cryptominers, MrbMiner’s files do not conceal the attackers’ identity. According to Threat Research Director, Gabor Szappanos of SophosLabs, the firm that investigate the code: “In many ways, MrbMiner’s operations appear typical of most cryptominer attacks we’ve seen targeting internet-facing servers. The difference here is that the attacker appears to have thrown caution to the wind when it comes to concealing their identity. Many of the records linked to the miner’s configuration, such as domains and IP addresses, lead to a single point of origin: a small software company based in Iran.”

In an age of multi-million dollar ransomware attacks that bring organizations to their knees, Gabor said it can be easy to discount cryptojacking as a nuisance rather than a serious threat, but that would be a mistake. “Cryptojacking is a silent and invisible threat that is easy to implement and very difficult to detect. Further, once a system has been compromised it presents an open door for other threats, such as ransomware. It is therefore important to stop cryptojacking in its tracks. Look out for indicators of compromise such as a reduction in computer speed and performance, increased electricity use, devices overheating and increased demands on the CPU.”

One reason cryptocurrency mining attacks are so frustrating is that it is hard to leverage law enforcement to address the problem. The source of the miners is usually anonymous, as is the destination of the harvested cryptocurrency value. But the MrbMiner creator may be easier to determine, in this case.

Network of cryptojacking support files and the URLs hosting them
Network of cryptojacking support files and the URLs hosting them