Nansh0u Miner Attack 50000 MS-SQL, PHPMyAdmin Servers
Chinese hackers and secretly exploited more than 50,000 MS-SQL and PHPMyAdmin for TurtleCoin as part of a large-scale crypto hacking campaign called Nansh0u.
The campaign was discovered in early April and began on 26 February. It focused on servers around the world, including companies from different sectors, with more than 700 victims a day.
According to the Guardicore Labs team which discovered the attacks, “During our investigation, we found 20 versions of malicious payloads, with new payloads created at least once a week and used immediately after their creation time,” and the hackers used “five attack servers and six connect-back servers”.
The Guardicore Labs team attributed this campaign to Chinese operators using multiple indices:
To put the Windows MS-SQL and PHPMyAdmin servers at risk, hackers have used a variety of tools, including a port scanner, an MS SQL brute force tool and a remote execution engine.
With the help of port scanner, they were able to find MS SQL servers by checking the default MS SQL ports were open. These servers would automatically be integrated into the brute force tool, which would attempt to hack the servers with thousands of frequently used credentials.
Once they breach the servers, the Nansh0u campaign operators infect them with 20 different versions of malicious data using an MS-SQL script that downloads and sends user data to vulnerable computers. An elevation of the privilege vulnerability CVE-2014-4113 has been exploited to execute payloads using SYSTEM privileges on infected servers, with each payload eliminated and executed designed as a wrapper for the execution of multiple actions.
As Guardicore researchers noted after analyzing the samples collected through the Global Guardianore sensor network (GGSN) from the attack servers, the wrappers revealed the following:
• Execute the crypto-currency miner;
• Create persistency by writing registry run-keys;
• Protect the miner process from termination using a kernel-mode rootkit;
• Ensure the miner’s continuous execution using a watchdog mechanism.
XMRig and JCE cryptocurrency companies use four data mining pools for TurtleCoin, a confidentiality-oriented cryptocurrency with fast transactions and with all private transactions, provided they are not for public.
Many of the remaining servers on infected user data have also been dropped a kernel mode driver with random names and masked VMProtect code that is not recognized by most AV engines.
The driver also signed a revoked by Verisign certificate from a Chinese company called Hangzhou Hootian Network Technology. It is to “protect processes and prevent the user from closing.
Kernel-mode driver digital signature
It also “contains additional rootkit functionality such as communicating with physical hardware devices and modifying internal Windows process objects that are unused by this particular malware.”
In addition, the kernel-mode driver, which ensures that the remote malware is not interrupted virtually all Windows versions from Windows 7 to Windows 10, including the beta versions support it.
The Guardicore Labs team provides a full list of IOC for this campaign encryption available, including Payload hashes, IP addresses used in attacks and pull Pool domains.
In addition, a PowerShell script is provided. Nansh0u campaign can be viewed on infected computers with the potential for a contaminated server to be traced.
Kevin Jones937 Posts
Kevin Jones, Ph.D., is a research associate and a Cyber Security Author with experience in Penetration Testing, Vulnerability Assessments, Monitoring solutions, Surveillance and Offensive technologies etc. Currently, he is a freelance writer on latest security news and other happenings. He has authored numerous articles and exploits which can be found on popular sites like hackercombat.com and others.