Sophos said it found evidence linking the operators of the MrbMiner mining botnet to a small Iranian software company.The MrbMiner malware and same-named group that created it were first spotted last autumn, and the first analysis of this threat was published by Tencent Security last fall.
MrbMiner is used to install cryptocurrency miners on Microsoft SQL (MSSQL) servers, and according to experts, thousands of MSSQL databases were infected with this malware in the fall.
“The botnet is expanding solely by scanning the Internet for MSSQL servers and subsequent brute force attacks on them. Attempts to use the administrator account with various weak passwords have also been seen on several occasions”, – say Sophos experts.
Once inside the system, the malware operators download the assm.exe file, which they then use to gain a foothold in the system and create a new account that acts as a backdoor for future access. This account typically uses the username Default and the password@fg125kjnhn987. The last stage of the infection is to connect to the C&C server and download an application that extracts Monero (XMR) cryptocurrency using the power of the infected system.
Now Sophos analysts write that they have studied the botnet’s working methods in depth. They analysed malware payloads, domains, and command servers, and found a number of clues that helped link MrbMiner to legitimate Iranian businesses.
“When we see that domains belonging to legitimate businesses are involved in an attack, it most often means that attackers have taken advantage of the company’s website (in most cases temporarily) to use it as hosting to create a ‘dead zone’ where they can host their malware. However, in this case, the domain owner is clearly involved in the distribution of malware, experts say. – The attackers seem to have behave with less caution. Many of the records regarding the miner’s configuration, domains and IP addresses point to a single starting point: a small software company based in Iran.”
The fact is that several MbrMiner domains used to host payloads were located on the same server, which also hosts the vihansoft[.]ir site, owned by an Iranian software development firm. At the same time, the vihansoft[.]ir domain was also used as a control server for MbrMiner, and participated in the placement of payloads, which were then deployed in compromised databases.
It seems that the Iranian company has not bothered to cover up its tracks due to the fact that the Iranian authorities practically do not cooperate with Western law enforcement agencies, and hackers hardly need to fear arrest and extradition.
Let me remind you that we also talked about the Australian mined cryptocurrency on CSIRO supercomputer.