Cybersecurity company Sophos says it has uncovered evidence linking the operators of the MrbMiner crypto-mining botnet to a small boutique software development company operating out of the city of Shiraz, Iran. According to the researchers, the MrbMiner botnet has been active since the summer of 2020 and was first documented in a report by Tencent Security in September of that year.
Tencent said it had observed the MrbMiner crypto-mining botnet running brute-force attacks against Microsoft SQL Server (MSSQL) databases in order to gain access to administrator accounts protected by weak passwords. Once it gained access, the botnet created a backdoor account with the credentials Default / @ fg125kjnhn987, then downloaded and installed a cryptocurrency miner from domains such as mrbftp.xyz and mrbfile.xyz.
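The intrusion pattern described above (password brute-forcing against MSSQL followed by creation of a backdoor login) leaves traces in the SQL Server ERRORLOG. The following detector is an added example, not code from the article or from Sophos or Tencent: it parses constructed ERRORLOG lines in the real "Login failed for user" format, flags any client that accumulates a threshold of failures inside a sliding window, and separately flags any login attempt that uses the backdoor account name the report mentions. The sample log lines, client addresses and threshold values are constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample in SQL Server ERRORLOG format (not from the article): a burst of
# password failures for 'sa' from one client, one stray failure from another client,
# and a later attempt to use the 'Default' login name cited in the report.
SAMPLE_LOG = """\
2020-09-01 10:15:22.45 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2020-09-01 10:15:22.91 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2020-09-01 10:15:23.40 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2020-09-01 10:15:24.02 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2020-09-01 10:20:01.00 Logon       Login failed for user 'reporting'. Reason: Password did not match that for the login provided. [CLIENT: 192.0.2.44]
2020-09-01 11:02:09.13 Logon       Login failed for user 'Default'. Reason: Could not find a login matching the name provided. [CLIENT: 198.51.100.9]
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d+) Logon\s+Login failed for user "
    r"'(?P<user>[^']*)'\..*?\[CLIENT: (?P<client>[^\]]+)\]"
)

# Login names associated with the MrbMiner backdoor account in the report.
WATCHLIST = {"Default"}

def parse_failed_logins(text):
    """Yield (timestamp, login name, client IP) for each failed-login line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S.%f"), m["user"], m["client"]

def detect(text, threshold=4, window=timedelta(minutes=1)):
    """Return (brute_force_sources, watchlist_hits).

    A client is reported once it reaches `threshold` failures within any
    sliding `window`; watchlist_hits holds (user, client) pairs whose login
    name matches a known backdoor account name."""
    recent = defaultdict(deque)      # client -> failure timestamps inside the window
    brute_force, watch_hits = set(), []
    for ts, user, client in parse_failed_logins(text):
        q = recent[client]
        q.append(ts)
        while q and ts - q[0] > window:   # drop failures older than the window
            q.popleft()
        if len(q) >= threshold:
            brute_force.add(client)
        if user in WATCHLIST:
            watch_hits.append((user, client))
    return sorted(brute_force), watch_hits

if __name__ == "__main__":
    print(detect(SAMPLE_LOG))
```

On a real host the same function can be pointed at the output of `xp_readerrorlog` or the ERRORLOG file itself; tune the threshold and window to the server's normal failed-login baseline.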
In a report published on January 21, Sophos researchers said they had analyzed the botnet's modus operandi in depth. They examined the malware payloads, domain data and server information and found several clues that led them to conclude that an Iranian entity is behind this malicious operation.
More specifically, Sophos researchers Andrew Brandt and Gabor Szappanos noted the following: "When we see web domains belonging to a legitimate business, which is involved in an attack, it is much more likely that the attackers simply abused a site (temporarily, in most cases) to use its web hosting capabilities to create a 'dead drop' where they can host malware payloads. However, in this case, the domain owner is involved in the spread of the malware."
According to ZDNet, Sophos noted that many of the MrbMiner domains that hosted cryptominer payloads were on the same server that hosted imanlive.com, the website of a legitimate software development company based in Iran.
In addition, the domain vihansoft.ir was used as a C&C server for the MrbMiner crypto-mining botnet, and it also hosted the malicious payloads that were downloaded to and deployed on compromised database servers.
One reason the Iranian company took so little care to cover its tracks is its location. In recent years, Iranian cybercriminals have become increasingly indifferent and careless, having realized that the Iranian government will not extradite its citizens to Western governments.
Among the most notorious hacking gangs linked to Iran are the SamSam and Pay2Key ransomware crews and the "Silent Librarian" phishing group, but there are many other smaller criminal outfits.
It is worth noting that, despite the report released by Sophos, the MrbMiner botnet operation is expected to continue as usual, without suffering any consequences.