MrbMiner crypto-mining operation linked to Iranian software firm

Despite the Sophos report ousting the MrbMiner group today, the botnet is expected to continue to operate with impunity.

Illustration idea for cyber attacks targeting Iran.

Illustration set of flags made from binary code targets.

Getty Images/iStockphoto

Cyber-security firm Sophos said it found evidence connecting the operators of the MrbMiner crypto-mining botnet to a small boutique software development company operating from the city of Shiraz, Iran.

Security

Everything you need to know about viruses, trojans and malicious software

Cyber attacks and malware are one of the biggest threats on the internet. Learn about the different types of malware - and how to avoid falling victim to attacks.

Read More

The MrbMiner botnet has been operational since the summer of 2020. It was first detailed in a Tencent Security report in September last year.

Tencent said it saw MrbMiner launching brute-force attacks against Microsoft SQL Servers (MSSQL) databases to gain access to weakly secured administrator accounts.

Once inside, the botnet would create a backdoor account with the Default/@fg125kjnhn987 credentials and download and install a cryptocurrency miner from domains such as mrbftp.xyz or mrbfile.xyz.

In a report today, Sophos researchers said they analyzed this botnet's modus operandi in more depth. They looked at the malware payloads, domain data, and server information and found several clues that led them back to a legitimate Iranian business.

"When we see web domains that belong to a legitimate business implicated in an attack, it's much more common that the attackers simply took advantage of a website to (temporarily, in most cases) use its web hosting capabilities to create a 'dead drop' where they can host the malware payload," said Sophos researchers Andrew Brandt and Gabor Szappanos.

"But in this case, the domain's owner is implicated in spreading the malware."

Sophos said that multiple MbrMiner domains used to host the cryptominer payloads were hosted on the same server used to host vihansoft.ir, the website of a legitimate Iranian-based software development firm.

Furthermore, the vihansoft.ir domain was also used as the command and control (C&C) server for the MbrMiner operation and was also seen hosting malicious payloads that were downloaded and deployed on hacked databases.

One of the reasons the Iranian company did not bother covering its tracks better is because of its location. In recent years, Iranian cybercriminals have become brasher and more careless as they realize that the Iranian government won't extradite its citizens to western governments.

Notable Iranian-linked cybercrime operations seen in the past have included the likes of the SamSam and Pay2Key ransomware gangs and the Silent Librarian phishing group, just to name the most notable --although there are many other smaller operations [12].

Despite the Sophos report ousting the MrbMiner group today, the botnet is expected to continue to operate with impunity.