MrbMiner Crypto-Mining Malware Links to Iranian Software Company
Security News, January 2021
A relatively new crypto-mining malware that surfaced last year and infected thousands of Microsoft SQL Server databases has now been linked to a small software development company based in Iran.
First documented by Chinese tech giant Tencent last September, MrbMiner targets internet-facing MSSQL servers in order to install a cryptominer, which hijacks the servers' processing power to mine Monero and funnels the proceeds into wallets controlled by the attackers.
The name "MrbMiner" is taken from one of the domains the group used to host its mining software.
"The difference here is that the attacker appears to have thrown caution to the wind when it comes to concealing their identity. Many of the records relating to the miner's configuration, its domains and IP addresses, signpost to a single point of origin: a small software company based in Iran."
MrbMiner gains its initial foothold by brute-forcing the MSSQL server's admin account, trying many combinations of weak passwords until one succeeds.
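The brute-force stage described above is also the easiest one to spot from the server side, because SQL Server writes every failed login to its ERRORLOG (error 18456) together with the client address. The following is an added example, not code from the article, from Tencent's report or from the malware itself: it parses a constructed ERRORLOG excerpt (the addresses and timestamps are made up) and flags any client that piles up failed logins inside a short window, marking the case that matters most, a later successful login to a login that client was guessing. It assumes the instance's admin login keeps the default name `sa` and that successful-login auditing is turned on (SQL Server audits failed logins only by default, so the "Login succeeded" line only appears once auditing is set to both); the threshold and window are arbitrary starting points, not values from the page.

```python
import re
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta

# Assumption: the admin login keeps SQL Server's default name. Adjust if renamed.
ADMIN_LOGINS = {"sa"}

# Constructed sample in the shape of SQL Server ERRORLOG "Logon" entries.
# Addresses come from documentation ranges and timestamps are invented;
# nothing here is taken from a real MrbMiner incident.
SAMPLE_ERRORLOG = """\
2021-01-20 10:15:01.12 Logon       Error: 18456, Severity: 14, State: 8.
2021-01-20 10:15:01.12 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.7]
2021-01-20 10:15:01.90 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.7]
2021-01-20 10:15:02.44 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.7]
2021-01-20 10:15:03.10 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.7]
2021-01-20 10:15:03.75 Logon       Login failed for user 'admin'. Reason: Could not find a login matching the name provided. [CLIENT: 203.0.113.7]
2021-01-20 10:15:04.30 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.7]
2021-01-20 10:15:05.01 Logon       Login succeeded for user 'sa'. Connection made using SQL Server authentication. [CLIENT: 203.0.113.7]
2021-01-20 10:30:00.00 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 198.51.100.9]
2021-01-20 11:30:00.00 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 198.51.100.9]
"""

# The [CLIENT: ...] suffix is where SQL Server records the connection's source.
_TS = r"(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d+)\s+Logon\s+"
_FAIL_RE = re.compile(_TS + r"Login failed for user '(?P<user>[^']*)'\. "
                      r"Reason: (?P<reason>.*?) \[CLIENT: (?P<client>[^\]]+)\]")
_OK_RE = re.compile(_TS + r"Login succeeded for user '(?P<user>[^']*)'\. "
                    r".*\[CLIENT: (?P<client>[^\]]+)\]")


def parse_logon_events(errorlog_text):
    """Turn ERRORLOG text into a list of login events. Lines that are not a
    failed or successful login (e.g. the 'Error: 18456 ...' line written just
    before each failure) are skipped."""
    events = []
    for line in errorlog_text.splitlines():
        ok = False
        m = _FAIL_RE.match(line)
        if not m:
            m = _OK_RE.match(line)
            ok = True
        if not m:
            continue
        events.append({
            "ts": datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S.%f"),
            "user": m.group("user"),
            "client": m.group("client"),
            "ok": ok,
        })
    return events


def detect_bruteforce(events, threshold=5, window=timedelta(seconds=60)):
    """Flag each client that accumulates `threshold` failed logins inside a
    sliding `window`, and mark the finding if a login that client was guessing
    later succeeds from the same address (the password was found)."""
    recent = defaultdict(deque)   # client -> failure timestamps inside window
    targeted = defaultdict(set)   # client -> logins it has tried
    failures = Counter()          # client -> total failures seen
    findings = {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        client = ev["client"]
        if not ev["ok"]:
            failures[client] += 1
            targeted[client].add(ev["user"])
            q = recent[client]
            q.append(ev["ts"])
            while q and ev["ts"] - q[0] > window:   # drop failures outside window
                q.popleft()
            if len(q) >= threshold:
                f = findings.setdefault(client, {
                    "client": client, "first_seen": q[0],
                    "success_after_bruteforce": False})
                f["last_seen"] = ev["ts"]
        elif client in findings and ev["user"] in targeted[client]:
            findings[client]["success_after_bruteforce"] = True
    for client, f in findings.items():
        f["users"] = sorted(targeted[client])
        f["failures"] = failures[client]
        f["admin_targeted"] = bool(targeted[client] & ADMIN_LOGINS)
    return findings


if __name__ == "__main__":
    for f in detect_bruteforce(parse_logon_events(SAMPLE_ERRORLOG)).values():
        print(f"{f['client']}: {f['failures']} failures against {f['users']} "
              f"between {f['first_seen']:%H:%M:%S} and {f['last_seen']:%H:%M:%S}; "
              f"admin targeted={f['admin_targeted']}, "
              f"success after brute force={f['success_after_bruteforce']}")
```

On the constructed sample, 203.0.113.7 is flagged (six failures in a few seconds, then a successful `sa` login, which is the "investigate now" case), while 198.51.100.9, with two failures an hour apart, is not. The same logic can be fed from `xp_readerrorlog` output or from a SIEM that ingests the ERRORLOG; for a server that must stay internet-facing, the obvious complement is to disable or rename `sa`, enforce a strong password, and restrict port 1433 to known clients.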
One of the domains in question, "Vihansoft[.]ir," was not only registered to the Iranian software development company, but the compiled miner binary included in the payload also left telltale signs connecting the malware to a now-shuttered GitHub account that had been used to host it.