Cyber-security firm Sophos said it found evidence connecting the operators of the MrbMiner crypto-mining botnet to a small boutique software development company operating from the city of Shiraz, Iran.
Tencent said it saw MrbMiner launching brute-force attacks against Microsoft SQL Servers (MSSQL) databases to gain access to weakly secured administrator accounts.
Once inside, the botnet would create a backdoor account with the Default/@fg125kjnhn987 credentials and download and install a cryptocurrency miner from domains such as mrbftp.xyz or mrbfile.xyz.
In a report today, Sophos researchers said they analyzed this botnet's modus operandi in more depth. They looked at the malware payloads, domain data, and server information and found several clues that led them back to a legitimate Iranian business.
"When we see web domains that belong to a legitimate business implicated in an attack, it's much more common that the attackers simply took advantage of a website to (temporarily, in most cases) use its web hosting capabilities to create a 'dead drop' where they can host the malware payload," said Sophos researchers Andrew Brandt and Gabor Szappanos.
"But in this case, the domain's owner is implicated in spreading the malware."
Sophos said that multiple MbrMiner domains used to host the cryptominer payloads were hosted on the same server used to host vihansoft.ir, the website of a legitimate Iranian-based software development firm.
Furthermore, the vihansoft.ir domain was also used as the command and control (C&C) server for the MbrMiner operation and was also seen hosting malicious payloads that were downloaded and deployed on hacked databases.
One of the reasons the Iranian company did not bother covering its tracks better is because of its location. In recent years, Iranian cybercriminals have become brasher and more careless as they realize that the Iranian government won't extradite its citizens to western governments.
Notable Iranian-linked cybercrime operations seen in the past have included the likes of the SamSam and Pay2Key ransomware gangs and the Silent Librarian phishing group, just to name the most notable --although there are many other smaller operations [1, 2].
Despite the Sophos report ousting the MrbMiner group today, the botnet is expected to continue to operate with impunity.