Researchers Gabor Szappanos and Andrew Brandt said in a blog post that the miner was used to infect Internet-facing database servers as they had plenty of grunt.
"In many ways, MrbMiner's operations appear typical of most cryptominer attacks we've seen targeting internet-facing servers," said Szappanos.
"The difference here is that the attacker appears to have thrown caution to the wind when it comes to concealing their identity.
"In an age of multi-million dollar ransomware attacks that bring organisations to their knees it can be easy to discount cryptojacking as a nuisance rather than a serious threat, but that would be a mistake.
"Cryptojacking is a silent and invisible threat that is easy to implement and very difficult to detect. Further, once a system has been compromised it presents an open door for other threats, such as ransomware.
"It is therefore important to stop cryptojacking in its tracks. Look out for signs such as a reduction in computer speed and performance, increased electricity use, devices overheating and increased demands on the CPU."