A relatively new crypto-mining malware that surfaced last year and infected thousands of Microsoft SQL Server (MSSQL) databases has now been linked to a small software development company based in Iran.
The attribution was made possible due to an operational security oversight, said researchers from cybersecurity firm Sophos, that led to the company's name inadvertently making its way into the cryptominer code.
First documented by Chinese tech giant Tencent last September, MrbMiner was found to target internet-facing MSSQL servers with the goal of installing a cryptominer, which hijacks the processing power of the systems to mine Monero and funnel them into accounts controlled by the attackers.
The name "MrbMiner" comes after one of the domains used by the group to host their malicious mining software.
"In many ways, MrbMiner's operations appear typical of most cryptominer attacks we've seen targeting internet-facing servers," said Gabor Szappanos, threat research director at SophosLabs.
"The difference here is that the attacker appears to have thrown caution to the wind when it comes to concealing their identity. Many of the records relating to the miner's configuration, its domains and IP addresses, signpost to a single point of origin: a small software company based in Iran."
MrbMiner sets about its task by carrying out brute-force attacks against the MSSQL server's admin account with various combinations of weak passwords.
mrbminer crypto mining malware links iranian software company
