MrbMiner Botnet Linked to Iranian Operators
MrbMiner was spotted initially by the Tencent Security team in September last year, where they said the mining botnet is operational since the summer of the same year. It starts with brute-force attacking the Microsoft SQL databases having weak passwords, and gain access. Once in, it will then set a backdoor with credentials Default as username and @fg125kjnhn987 as password. This setting is used for transporting the miner payload from various sources, like mrbfile.xyz or mrbftp.xyz. They’d then start mining cryptocurrencies using the victim’s resources for their benefit. Also Read- Best Cryptocurrency Apps For Android Today, Sophos researchers have linked the operators of this botnet to be from Iran, since they have found several clues linking the botnet to a software company in Iran’s Shiraz. They resulted in this after checking the domains the botnet is procuring the payload from, the server’s location, and the botnet’s working mechanism. Gabor Szappanos and Andrew Brandt of Sophos said, They said the domain’s payload was brought from vihansoft.ir, which is hosted on the same server that’s hosting multiple domains serving the same botnet. Also, it’s said that the server was being used as C2 for the hackers. A reason why the software company was leaving tracks could be its recklessness. Since the Iranian government isn’t going to hand over any of their citizens to western governments so easily, native hackers work almost openly. Though Sophos detected and detailed them now, it’s not going to bother their operations in any way for this.
