MrbMiner botnet traced back to Iranian software company

February 6, 2021

With cryptocurrency's growing following, adversaries use different tactics to mine illegally and profit via cryptojacking. Given the performance that a database requires, riding on a database server is a great advantage, one that the operators of MrbMiner have exploited. By targeting many Microsoft SQL servers via brute-force attacks, the MrbMiner group has landed on the watchlists of cybercrime authorities and independent cybersecurity experts.

Cybersecurity experts began scrutinizing the data gathered from victims' systems after MrbMiner was uncovered in September 2020 through its successful intrusions and large-scale cryptojacking. The origin of this emerging cryptocurrency miner has recently been discovered, backed up by the evidence that was traced. According to the intel gathered, MrbMiner infiltrates the targeted SQL server by exploiting weak administrator credentials.

Upon gaining access, the attackers execute the trojan file to start the cryptojacking process. It also creates its own account for continued access to the system. The file then creates executable files that mimic original Windows system services to hide its activity from manual or automatic scanning. Another feature automatically kills its processes and deletes the fake system files if an administrator opens Task Manager to look for suspicious apps or services running on the system. Aside from the illegal crypto mining, the adversaries also gain a foothold for extracting sensitive data and for stealthy remote command and control on the network, in addition to adding the compromised network to the adversary-controlled botnet.
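An added example, not from the original article or the researchers: a Python check for the entry step described above, a burst of failed SQL Server logins from one client followed by a success on the same account. The log lines are constructed in SQL Server ERRORLOG style, the function name, threshold and window are assumptions, and successful logins only appear in the log when login auditing records both failed and successful logins.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample in SQL Server ERRORLOG style (not taken from a real incident).
SAMPLE_LOG = """\
2021-01-20 03:14:01.10 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.7]
2021-01-20 03:14:02.31 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.7]
2021-01-20 03:14:03.02 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.7]
2021-01-20 03:14:04.55 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.7]
2021-01-20 03:14:05.90 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.7]
2021-01-20 03:14:07.12 Logon       Login succeeded for user 'sa'. Connection made using SQL Server authentication. [CLIENT: 203.0.113.7]
2021-01-20 09:02:11.40 Logon       Login failed for user 'report'. Reason: Password did not match that for the login provided. [CLIENT: 10.0.0.15]
2021-01-20 09:02:30.77 Logon       Login succeeded for user 'report'. Connection made using SQL Server authentication. [CLIENT: 10.0.0.15]
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\.\d+\s+Logon\s+"
    r"Login (?P<result>failed|succeeded) for user '(?P<user>[^']*)'.*"
    r"\[CLIENT: (?P<client>[^\]]+)\]"
)

def find_bruteforce(log_text, threshold=5, window=timedelta(minutes=5)):
    """Flag (client, user) pairs with >= threshold failed logins inside the window.

    'compromised' is set when a successful login for the same pair arrives
    while failures from the burst are still inside the window.
    """
    recent = defaultdict(deque)   # (client, user) -> timestamps of recent failures
    findings = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue              # not a login audit line
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        key = (m["client"], m["user"])
        q = recent[key]
        while q and ts - q[0] > window:
            q.popleft()           # drop failures that fell out of the window
        if m["result"] == "failed":
            q.append(ts)
            if len(q) >= threshold:
                hit = findings.setdefault(key, {"failures": 0, "compromised": False})
                hit["failures"] = max(hit["failures"], len(q))
        elif key in findings and q:
            findings[key]["compromised"] = True   # guess landed after the burst
    return findings
```

A single mistyped password followed by a normal login, like the `report` account in the sample, stays below the threshold and is not reported.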


With rigorous tracking and data analysis, it was determined that MrbMiner is operated, hosted, and controlled via Vihansoft, a small software development company situated in Shiraz, Iran.


The researchers' unusual finding was that the adversary did not compromise the host, unlike others that hack legitimate websites and companies to use as middlemen. In this scenario, the owner is knowledgeable and allegedly the one behind the malicious activity.

This malicious activity adds to the list of adversaries that cyber authorities have linked with Iran. Since Iran practices impunity and is on the list of embargoed countries, indicting and prosecuting the suspects is difficult, as such countries do not honour foreign policy and law. Furthermore, authorities believe that these adversaries are government-backed, which makes the case even harder to pursue.

Generally, this is another wake-up call for all companies to properly secure their assets and stay aware of current malicious activity in cyberspace. Cryptojacking is not the only kind of cybercrime set to grow. It is also best to anticipate more ransomware cases, data leakage, and phishing activities with the current global situation. Getting ahead of possible network security issues should therefore be the topmost priority of every organisation, especially financial institutions, as adversaries are always finding ways to profit from every attack.
