Recently, Sophos security researchers disclosed additional details about the crypto-miner called MrbMiner, describing its modus operandi. The MrbMiner botnet first came to light in September 2020, when it was seen launching brute-force attacks against Microsoft SQL Server (MSSQL) databases to gain access to administrator accounts protected by weak passwords.
What does the report say?
Sophos has analyzed malware payloads, domain data, and server information and found several clues that link the operators of the MrbMiner botnet to a legitimate Iranian business.
- The origin of the botnet is connected to a domain vihansoft[.]ir, registered to a small boutique software development company operating from the city of Shiraz, Iran. The domain’s owner was implicated in spreading the malware.
- The attackers misused the hosting service behind vihansoft[.]ir to host multiple MrbMiner domains that served the crypto-miner payloads.
- In addition, the vihansoft[.]ir domain itself was used as the C&C and payload server for the MrbMiner operation.
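The initial access described above (password guessing against MSSQL administrator accounts) shows up in the SQL Server error log as a burst of failed logins from one client. The following is an added example, not code from Sophos or from the MrbMiner operators: it parses constructed lines in the SQL Server ERRORLOG format and flags any client that produces five or more failures inside a one-minute window (both the threshold and the window are assumed values to tune per environment).

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines in the SQL Server ERRORLOG format (not real telemetry).
SAMPLE_LOG = """\
2021-01-22 10:15:01.23 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.7]
2021-01-22 10:15:01.80 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.7]
2021-01-22 10:15:02.41 Logon       Login failed for user 'admin'. Reason: Could not find a login matching the name provided. [CLIENT: 203.0.113.7]
2021-01-22 10:15:03.02 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.7]
2021-01-22 10:15:03.55 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.7]
2021-01-22 10:30:12.00 Logon       Login failed for user 'reports'. Reason: Password did not match that for the login provided. [CLIENT: 10.0.0.25]
2021-01-22 10:31:00.00 spid52      Starting up database 'tempdb'.
"""

# Timestamp, failed user name and the [CLIENT: ip] suffix of a failed-login line.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d+)\s+Logon\s+"
    r"Login failed for user '(?P<user>[^']*)'.*\[CLIENT: (?P<ip>[^\]]+)\]"
)

def parse_failed_logins(text):
    """Return (timestamp, user, client_ip) for every failed-login line; other lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S.%f")
            events.append((ts, m["user"], m["ip"]))
    return events

def detect_bruteforce(events, threshold=5, window=timedelta(seconds=60)):
    """Flag client IPs with >= threshold failures inside a sliding time window.
    Returns {ip: sorted list of usernames tried} for each flagged source."""
    recent = defaultdict(deque)   # ip -> timestamps still inside the window
    tried = defaultdict(set)      # ip -> every user name that client attempted
    flagged = {}
    for ts, user, ip in sorted(events):
        q = recent[ip]
        q.append(ts)
        tried[ip].add(user)
        while q and ts - q[0] > window:   # drop failures older than the window
            q.popleft()
        if len(q) >= threshold:
            flagged[ip] = sorted(tried[ip])
    return flagged

if __name__ == "__main__":
    for ip, users in detect_bruteforce(parse_failed_logins(SAMPLE_LOG)).items():
        print(f"possible MSSQL brute force from {ip}: users tried {users}")
```

The single failure from 10.0.0.25 stays below the threshold, so only the 203.0.113.7 burst is reported.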
Recent cryptojacking attacks
- A few days ago, the TeamTNT botnet was discovered stealing Docker API logins and AWS credentials, in addition to deploying the XMRig mining tool to mine Monero cryptocurrency.
- In December, a Linux-based cryptocurrency mining botnet named PGMiner was seen exploiting a disputed PostgreSQL RCE vulnerability.
- In the same month, the Bismuth APT group was observed using crypto-mining campaigns to hide the purpose of its activity and avoid triggering high-priority alerts.
Threat actors have swiftly followed the rising value of cryptocurrencies to make money. Feature-rich crypto-mining malware and custom cryptojacking tools are becoming major threats to corporations and infrastructure around the world. Furthermore, the use of a legitimate business's web hosting as a dead drop for payloads and command-and-control demonstrates evolving cryptojacking tactics that need immediate attention from cybersecurity agencies and professionals.