Nansh0u cryptomining malware hits 50,000 servers

News by Robert Abel

Researchers describe it as more than just a typical cryptomining attack due to its use of fake certificates and privilege escalation exploits

A China-based cryptomining malware campaign dubbed Nansh0u has targeted and infected up to 50,000 servers Windows MS-SQL and PHPMyAdmin servers worldwide.

Guardicore researchers disclosed in a blog post on 29 May that the campaign took place between 26 February and 11 April. The researchers described it as more than just a typical cryptomining attack due to its use of fake certificates and privilege escalation exploits.

When the attacks were first spotted, all three had source IP addresses originating in South-Africa and hosted by VolumeDrive ISP. In addition, the incidents shared the same attack process, focusing on the same service and using the same breach method and post-compromise steps. 

Researchers spotted 20 versions of malicious payloads and said new payloads are created at least once a week and are used immediately after their creation time in attacks that have targeted companies in the healthcare, telecommunications, media and IT sectors.

Once a server is compromised, the targeted servers are infected with malicious payloads that drop a crypto-miner and installed a sophisticated kernel-mode rootkit to prevent the malware from being terminated.

The attackers servers were all running  HFS – HTTP File Server – serving files of different types while their infrastructure contained all the modules required for a successful, end-to-end attack on MS-SQL servers including a Port Scanner, MS-SQL brute-force tool, and remote code executor. 

The threat actor also used privilege escalation exploits, multiple payloads including rootkit droppers and miners, and kernel-mode driver all demonstrating how attackers don’t need to be nation-state actors to use top level weapons. 

"This campaign was clearly engineered from the phase of IPs scan until the infection of victim machines and mining the crypto-coin," researchers said in the post. "However, various typos and mistakes imply that this was not a thoroughly-tested operation."

One of the mistakes was a mismatch in two versions of the lcn.exe payload that were both running the same miner but with swapped command-line arguments. This suggests that the first one was providing the wallet address in an incorrect position, researchers said.

The researchers then contacted the hosting provider of the attack servers as well as the issuer of the rootkit certificate, which lead to the malicious servers being taken down and the certificate was revoked.

This article was originally published on SC Media US.

Find this article useful?

Get more great articles like this in your inbox every lunchtime

Video and interviews