MrbMiner, a cryptocurrency mining botnet that has been active since last year, has been linked to a software company in Iran. Researchers at Sophos studied the botnet’s operation and the domains it uses to fetch its payload, and traced them to a server hosted in Iran that also hosts several other malicious domains.
MrbMiner Botnet Linked to Iranian Operators
MrbMiner was first spotted by the Tencent Security team in September last year, which reported that the mining botnet had been operating since the summer of the same year. It gains access by brute-forcing Microsoft SQL Server databases that have weak passwords.
Once in, it sets up a backdoor account with the username Default and the password @fg125kjnhn987. This account is then used to fetch the miner payload from various sources, such as mrbfile.xyz or mrbftp.xyz, after which the operators mine cryptocurrency with the victim’s resources for their own benefit.
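A defender reading the two paragraphs above will want to see the described behaviour turned into detection logic. The following added example, which is not code from the article, from Sophos or from Tencent, scans SQL Server ERRORLOG-style logon lines for a burst of failed logins from one client, a success that follows such a burst, and any activity by the backdoor login name the article reports. The log lines are constructed for the example; the thresholds and the `detect` and `parse_line` function names are assumptions, not anything the article specifies.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines in the style of a SQL Server ERRORLOG (not real captures).
# A burst of failed 'sa' logins from one client, a success, then the backdoor account.
SAMPLE_LOG = """\
2020-09-01 10:00:01.12 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2020-09-01 10:00:01.45 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2020-09-01 10:00:01.88 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2020-09-01 10:00:02.10 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2020-09-01 10:00:02.31 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2020-09-01 10:00:02.77 Logon       Login succeeded for user 'sa'. Connection made using SQL Server authentication. [CLIENT: 203.0.113.5]
2020-09-01 10:05:00.00 Logon       Login succeeded for user 'Default'. Connection made using SQL Server authentication. [CLIENT: 203.0.113.5]
2020-09-01 11:00:00.00 Logon       Login failed for user 'reports'. Reason: Password did not match that for the login provided. [CLIENT: 10.0.0.7]
"""

# Matches the logon success/failure lines SQL Server writes to its ERRORLOG.
LOGON_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d+)\s+Logon\s+"
    r"Login (?P<result>failed|succeeded) for user '(?P<user>[^']+)'.*"
    r"\[CLIENT: (?P<client>[^\]]+)\]"
)

# Backdoor login name the botnet creates, as reported in the article (compared case-insensitively).
BACKDOOR_LOGINS = {"default"}


def parse_line(line):
    """Return a dict for a logon line, or None for lines that are not logon events."""
    m = LOGON_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S.%f")
    return {"ts": ts, "result": m.group("result"),
            "user": m.group("user"), "client": m.group("client")}


def detect(lines, threshold=5, window_seconds=60):
    """Walk log lines in order and return a list of alert dicts.

    - 'bruteforce': at least `threshold` failures from one client within `window_seconds`
      (reported once per client, at the moment the threshold is crossed)
    - 'success_after_bruteforce': a successful login from a flagged client shortly after its burst
    - 'backdoor_login': any logon event for a known backdoor account name
    (threshold/window values are assumptions for the example, not from the article)
    """
    window = timedelta(seconds=window_seconds)
    alerts = []
    failures = defaultdict(deque)  # client -> timestamps of failures inside the window
    flagged = set()                # clients already reported for a burst

    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        client, ts = ev["client"], ev["ts"]

        # Any activity for the backdoor account is worth an alert, whatever the outcome.
        if ev["user"].lower() in BACKDOOR_LOGINS:
            alerts.append({"type": "backdoor_login", "client": client,
                           "user": ev["user"], "ts": ts})

        if ev["result"] == "failed":
            q = failures[client]
            q.append(ts)
            # Drop failures that fell out of the sliding window.
            while q and (ts - q[0]) > window:
                q.popleft()
            if len(q) >= threshold and client not in flagged:
                flagged.add(client)
                alerts.append({"type": "bruteforce", "client": client,
                               "user": ev["user"], "ts": ts, "failures": len(q)})
        else:
            q = failures.get(client)
            # A success right after a burst is the weak-password guess landing.
            if client in flagged and q and (ts - q[-1]) <= window:
                alerts.append({"type": "success_after_bruteforce", "client": client,
                               "user": ev["user"], "ts": ts})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG.splitlines()):
        print(alert)
```

Run against the constructed sample, the script raises three alerts in order: the brute-force burst from 203.0.113.5, the `sa` success that immediately follows it, and the later logon for the `Default` account; the single failure from 10.0.0.7 stays below the threshold. In practice the same logic fits SQL Server Audit or Windows event log output once the parser is adjusted for the different line format.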
Today, Sophos researchers linked the operators of this botnet to Iran, having found several clues tying the botnet to a software company in the Iranian city of Shiraz. They reached this conclusion after examining the domains the botnet fetches its payload from, the location of the server, and the botnet’s mode of operation.
“When we see web domains that belong to a legitimate business implicated in an attack, it’s much more common that the attackers simply took advantage of a website to (temporarily, in most cases) use its web hosting capabilities to create a ‘dead drop’ where they can host the malware payload.”
They said the payload was fetched from vihansoft.ir, which is hosted on the same server as several other domains serving the same botnet. The server is also said to have been used as the hackers’ C2. One reason the software company left such tracks could simply be recklessness.
Since the Iranian government is not going to hand over any of its citizens to Western governments easily, native hackers operate almost openly. Though Sophos has now detected and documented them, this is unlikely to disrupt their operations in any way.