Security News > 2021 > January > MrbMiner Crypto-Mining Malware Links to Iranian Software Company
A relatively new crypto-mining malware that surfaced last year and infected thousands of Microsoft SQL Server databases has now been linked to a small software development company based in Iran.
First documented by Chinese tech giant Tencent last September, MrbMiner was found to target internet-facing MSSQL servers with the goal of installing a cryptominer, which hijacks the processing power of the systems to mine Monero and funnel them into accounts controlled by the attackers.
The name "MrbMiner" comes after one of the domains used by the group to host their malicious mining software.
"The difference here is that the attacker appears to have thrown caution to the wind when it comes to concealing their identity. Many of the records relating to the miner's configuration, its domains and IP addresses, signpost to a single point of origin: a small software company based in Iran.".
MrbMiner sets about its task by carrying out brute-force attacks against the MSSQL server's admin account with various combinations of weak passwords.
One of the domains in question, "Vihansoft[.]ir," was not only registered to the Iranian software development company but the compiled miner binary included in the payload left telltale signs that connected the malware to a now-shuttered GitHub account that was used to host it.