Sunday, February 21, 23:44

Sophos: "Iranian company behind MrbMiner crypto-mining botnet"!

Cybersecurity company Sophos says it has uncovered evidence linking the operators of the MrbMiner crypto-mining botnet to a small boutique software development company based in the city of Shiraz, Iran. According to the researchers, the MrbMiner botnet has been operating since the summer of 2020, and it was first described in a report by Tencent Security in September of the same year.


Tencent said it had observed the MrbMiner crypto-mining botnet running brute-force attacks against Microsoft SQL Server (MSSQL) databases in order to gain access to administrator accounts protected by weak passwords. Once it gained access, the botnet created a backdoor account with the credentials Default / @fg125kjnhn987, then downloaded and installed a cryptocurrency miner from domains whose names are not preserved in this copy of the article.
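The first stage described above, password guessing against MSSQL logins, leaves a recognisable trail in the SQL Server ERRORLOG: a burst of error 18456 "Login failed for user" lines from one client address, followed by a "Login succeeded" line from the same address once a weak password is hit. The following Python script is an added illustration of how a defender can spot that pattern; it is not code from Sophos, Tencent or the botnet's authors. The log lines, client addresses and timestamps are constructed for the example, the threshold and time window are assumptions to be tuned per environment, and the "Login succeeded" line only appears when the instance is configured to audit successful logins.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines in SQL Server ERRORLOG style (addresses and
# timestamps are made up for this example). A failed SQL login (error 18456)
# writes the "Login failed for user" line; the "Login succeeded" line is
# written only when successful-login auditing is enabled on the instance.
SAMPLE_ERRORLOG = """\
2020-09-15 10:23:41.12 Logon       Error: 18456, Severity: 14, State: 8.
2020-09-15 10:23:41.12 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2020-09-15 10:23:42.03 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2020-09-15 10:23:42.77 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2020-09-15 10:23:43.41 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2020-09-15 10:23:44.10 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2020-09-15 10:23:44.95 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2020-09-15 10:24:12.00 Logon       Login failed for user 'reporting'. Reason: Password did not match that for the login provided. [CLIENT: 198.51.100.7]
2020-09-15 10:25:07.66 Logon       Login succeeded for user 'sa'. Connection made using SQL Server authentication. [CLIENT: 203.0.113.5]
"""

# Matches both outcomes of a Logon event and captures timestamp, login and client IP.
LOGON_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\.\d+ Logon\s+"
    r"Login (?P<outcome>failed|succeeded) for user '(?P<user>[^']*)'.*"
    r"\[CLIENT: (?P<ip>[^\]]+)\]"
)


def parse_logon_events(text):
    """Yield (timestamp, outcome, user, ip) for each Login failed/succeeded line."""
    for line in text.splitlines():
        m = LOGON_RE.match(line)
        if m:
            ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
            yield ts, m.group("outcome"), m.group("user"), m.group("ip")


def detect_brute_force(text, threshold=5, window=timedelta(minutes=5)):
    """Return findings: a brute-force burst per (client IP, login) once the
    failure count inside the sliding window reaches `threshold`, and any
    success from a pair that still has failures inside the window, which is
    what a guessing campaign looks like when it finally lands on a weak password."""
    recent = defaultdict(deque)   # (ip, user) -> timestamps of recent failures
    alerted = set()               # pairs already reported as brute force
    findings = []
    for ts, outcome, user, ip in parse_logon_events(text):
        key = (ip, user)
        q = recent[key]
        while q and ts - q[0] > window:   # evict failures older than the window
            q.popleft()
        if outcome == "failed":
            q.append(ts)
            if len(q) >= threshold and key not in alerted:
                alerted.add(key)
                findings.append({"type": "brute_force", "ip": ip, "user": user,
                                 "failures": len(q), "first": q[0], "last": ts})
        elif q:   # a success preceded by failures from the same source
            findings.append({"type": "success_after_failures", "ip": ip,
                             "user": user, "failures": len(q), "at": ts})
    return findings


if __name__ == "__main__":
    for finding in detect_brute_force(SAMPLE_ERRORLOG):
        print(finding)
```

Run against the sample, the script reports one brute-force burst for the 'sa' login from 203.0.113.5 and then the success from the same address as a second, higher-priority finding, while the single failed login from 198.51.100.7 stays below the threshold. The same logic applies unchanged to a live ERRORLOG file read line by line; the "success after failures" finding is the one worth paging on, since it marks the moment an account was actually taken over.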

In a report published on January 21, Sophos researchers said they had analyzed the modus operandi of this botnet in depth. They examined the malware payloads, domain data and server information and found several clues that led them to conclude that an Iranian entity is behind this malicious operation.


More specifically, Sophos researchers Andrew Brandt and Gabor Szappanos noted the following: "When we see web domains belonging to a legitimate business, which is involved in an attack, it is much more likely that the attackers simply abused a site (temporarily, in most cases) to use its web hosting capabilities to create a 'dead drop' where they can host malware payload. However, in this case, the domain owner is involved in the spread of the malware."

According to ZDNet, Sophos noted that many of the MrbMiner domains that hosted cryptominer payloads were on the same server that hosted the website of a legitimate software development company based in Iran.


In addition, the same domain was used as a command-and-control (C&C) server for the MrbMiner crypto-mining botnet, and it also hosted the malicious payloads that were downloaded and deployed on compromised database servers.

One reason the Iranian company paid little attention to covering its tracks is its location. In recent years, Iranian cybercriminals have become more indifferent and careless as they have realized that the Iranian government will not extradite its citizens to Western governments.


Among the most notorious hacking gangs linked to Iran are the SamSam and Pay2Key ransomware operators as well as the "Silent Librarian" phishing group, but there are many other smaller criminal groups.

It is worth noting that despite the report released by Sophos, the MrbMiner botnet operation is expected to continue as normal, without suffering any consequences.

