Malware dubbed MrbMiner targeted thousands of Microsoft SQL servers in North America, Europe and other regions over several months. Sophos researchers determined that the location of the final payload and the IP address of the downloader’s downloader pointed to a small Iranian-based software company. The malware appears to be a modified version of the XMRig malware, which has become increasingly popular among hackers as a way to mine for virtual currency, especially monero. Researchers found that a domain used during the attacks to host some of the payloads is linked to the software company in Iran.”]
Source: https://www.cuinfosecurity.com/cryptomining-campaign-linked-to-iranian-software-firm-a-15821