
MrbMiner crypto-mining operation linked to Iranian software firm

Illustration: flags made from binary code targets (Getty Images/iStockphoto).

Cyber-security firm Sophos said it found evidence connecting the operators of the MrbMiner crypto-mining botnet to a small boutique software development company operating from the city of Shiraz, Iran.

The MrbMiner botnet has been operational since the summer of 2020. It was first detailed in a Tencent Security report in September last year.

Tencent said it saw MrbMiner launching brute-force attacks against Microsoft SQL Server (MSSQL) databases to gain access to weakly secured administrator accounts.

Once inside, the botnet would create a backdoor account with the Default/@fg125kjnhn987 credentials and download and install a cryptocurrency miner from domains such as mrbftp.xyz or mrbfile.xyz.
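As an added defender-side example (not part of the ZDNet or Sophos reporting), the following Python scans SQL Server error-log and proxy-log lines for the three behaviours described above: a run of failed logins from one client, creation of the `Default` backdoor login, and requests to the named payload and C&C domains. The log line formats, the failed-login threshold and the sample lines are constructed and assumed for this example; adapt the regular expressions to the log sources you actually collect.

```python
import re
from collections import Counter

# Indicators quoted in the Tencent/Sophos reporting on MrbMiner.
MRBMINER_DOMAINS = {"mrbftp.xyz", "mrbfile.xyz", "vihansoft.ir"}
BACKDOOR_LOGIN = "Default"
FAILED_LOGIN_THRESHOLD = 5  # tunable; an assumption for this example

# SQL Server ERRORLOG-style failed login: "... user 'sa'. ... [CLIENT: 203.0.113.5]"
LOGIN_FAILED = re.compile(
    r"Login failed for user '(?P<user>[^']+)'.*\[CLIENT: (?P<ip>[\d.]+)\]")
# Audited T-SQL that creates a login (line format assumed for this example).
CREATE_LOGIN = re.compile(r"CREATE LOGIN \[?(?P<user>[^\]\s]+)\]?", re.I)
# Candidate host names in a proxy/DNS log line, checked against the watch-list.
DOMAIN = re.compile(r"\b(?P<host>[a-z0-9.-]+\.(?:xyz|ir))\b", re.I)


def scan(lines):
    """Return (finding, detail, ...) tuples in the order they are detected."""
    findings = []
    failures = Counter()
    for line in lines:
        m = LOGIN_FAILED.search(line)
        if m:
            key = (m["ip"], m["user"])
            failures[key] += 1
            if failures[key] == FAILED_LOGIN_THRESHOLD:  # report once per source/user
                findings.append(("brute_force", *key))
            continue
        m = CREATE_LOGIN.search(line)
        if m and m["user"] == BACKDOOR_LOGIN:
            findings.append(("backdoor_login", m["user"]))
            continue
        m = DOMAIN.search(line)
        if m and m["host"].lower() in MRBMINER_DOMAINS:
            findings.append(("mrbminer_domain", m["host"].lower()))
    return findings


# Constructed sample: five failed 'sa' logins, then a success, the backdoor
# login being created, and a proxy request to one of the payload domains.
SAMPLE_LOG = (
    ["2020-09-01 10:00:01.20 Logon  Login failed for user 'sa'. "
     "Reason: Password did not match. [CLIENT: 203.0.113.5]"] * 5
    + ["2020-09-01 10:00:09.02 Logon  Login succeeded for user 'sa'. [CLIENT: 203.0.113.5]",
       "2020-09-01 10:00:10.44 spid55 CREATE LOGIN [Default] WITH PASSWORD = '***'",
       "2020-09-01 10:00:12.00 proxy  10.0.0.12 GET http://mrbftp.xyz/update.txt"]
)

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```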

In a report today, Sophos researchers said they analyzed this botnet’s modus operandi in more depth. They looked at the malware payloads, domain data, and server information and found several clues that led them back to a legitimate Iranian business.

“When we see web domains that belong to a legitimate business implicated in an attack, it’s much more common that the attackers simply took advantage of a website to (temporarily, in most cases) use its web hosting capabilities to create a ‘dead drop’ where they can host the malware payload,” said Sophos researchers Andrew Brandt and Gabor Szappanos.

“But in this case, the domain’s owner is implicated in spreading the malware.”

Sophos said that multiple MrbMiner domains used to host the cryptominer payloads were hosted on the same server as vihansoft.ir, the website of a legitimate Iran-based software development firm.

Furthermore, the vihansoft.ir domain was also used as the command and control (C&C) server for the MrbMiner operation and was seen hosting malicious payloads that were downloaded and deployed on hacked databases.

One reason the Iranian company did not bother to cover its tracks better is its location. In recent years, Iranian cybercriminals have become bolder and more careless as they have realized that the Iranian government won't extradite its citizens to Western governments.

Notable Iranian-linked cybercrime operations seen in the past have included the SamSam and Pay2Key ransomware gangs and the Silent Librarian phishing group, although there are many other smaller operations.

Despite the Sophos report outing the MrbMiner group today, the botnet is expected to continue to operate with impunity.

Source: ZDNet
