According to a report published by Guardicore Labs researchers Ophir Harpaz and Daniel Goldberg, a widespread crypto-mining campaign named Nansh0u infected more than 50,000 PHPMyAdmin and Windows MS-SQL servers worldwide, belonging to government and private organisations in the telecommunications, healthcare, IT and media sectors.
The Nansh0u campaign began on 26 February 2019 but was only detected at the beginning of April. This large-scale crypto-jacking campaign, which mines TurtleCoin, is believed to be the work of Chinese attackers: the malware carries certificates issued to a non-existent Chinese company, Hangzhou Hootian Network Technology, and its tools are written in EPL, a Chinese-based programming language.
Nansh0u is not a typical crypto-miner attack. It uses techniques more often seen in APTs (Advanced Persistent Threats), such as fake certificates and privilege-escalation exploits. Over the course of the campaign the attackers used about 20 different payloads and kept producing at least one new payload per week. Each payload drops a crypto-miner together with a kernel-mode rootkit that prevents the miner from being terminated. Two executables, apexp.exe and apexp2012.exe, carry the privilege-escalation exploit.
Attack On MS-SQL and PHPMyAdmin Servers
The Nansh0u attack chain consists of four stages:
- Port scan: find MS-SQL servers with their port exposed to the Internet.
- Brute force: break into the MS-SQL servers using commonly used, weak credentials.
- Attack: execute commands on the victim servers.
- Infection: download the malicious payloads and the miner from remote file servers under the attackers' control.
The payloads exploit a known privilege-escalation vulnerability in win32k.sys, CVE-2014-4113, to run with SYSTEM privileges. They are built as wrappers that drop and execute several programs in turn.
After locating publicly accessible PHPMyAdmin and Windows MS-SQL servers with the port scan, the attackers brute-force their credentials. Once they have logged in with administrative privileges, they execute MS-SQL commands on the compromised system to download the malicious payload from a remote file server.
Nansh0u silently installs a crypto-currency miner whose purpose is to mine as much TurtleCoin as possible on the compromised system. The miners are based on XMRig, an open-source Monero mining program, and generate illicit revenue for the attackers.
After examining all the samples collected by the Guardicore Global Sensor Network (GGSN) from the attackers' servers, Guardicore's malware researchers concluded that the wrappers execute the crypto-miner, protect the miner process from termination with a kernel-mode rootkit, establish persistence by writing registry Run keys, and keep the miner running through a watchdog mechanism.
Detection And Prevention
Because the Nansh0u campaign relies on weak usernames and passwords, the Guardicore researchers advise using strong, complex credentials for MS-SQL and PHPMyAdmin servers. They also provide a free script that checks a system for indicators of this campaign.
Since the campaign infected tens of thousands of servers, all companies are strongly advised to protect their assets with strong credentials and network segmentation.
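The brute-force stage of the attack chain and the detection advice above both come down to the same observable: a burst of failed MS-SQL logins from one client, followed by a success. The script below, an added example that is not Guardicore's detection script, parses SQL Server ERRORLOG logon lines and flags that pattern. It assumes login auditing is configured to record both failed and successful logins (so the log carries "Login failed for user ..." and "Login succeeded for user ..." lines with a [CLIENT: ip] suffix); the threshold and window are illustrative, and every log line, IP and timestamp is constructed.

```python
"""Brute-force detection over SQL Server ERRORLOG logon events.

Added example, not Guardicore's detection script. It assumes SQL Server
login auditing is set to record both failed and successful logins, so the
ERRORLOG carries "Login failed for user ..." and "Login succeeded for
user ..." lines with a [CLIENT: ip] suffix. All sample lines are constructed.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Logon audit line as written by SQL Server; the preceding "Error: 18456"
# line carries no client address, so it is deliberately not matched.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d\d) Logon\s+"
    r"Login (?P<result>failed|succeeded) for user '(?P<user>[^']*)'\."
    r".*\[CLIENT: (?P<ip>[^\]]+)\]$"
)


def _stamp(dt):
    # ERRORLOG timestamps carry two fractional digits.
    return dt.strftime("%Y-%m-%d %H:%M:%S.%f")[:-4]


def build_sample_log(attempts=30):
    """Constructed ERRORLOG excerpt (not captured from a real server):
    a credential-guessing burst against 'sa' from one client, a successful
    login right after it, and one stray typo from an unrelated host."""
    base = datetime(2019, 4, 2, 3, 15, 10)
    lines = []
    for i in range(attempts):
        ts = _stamp(base + timedelta(milliseconds=100 * i))
        lines.append(f"{ts} Logon       Error: 18456, Severity: 14, State: 8.")
        lines.append(f"{ts} Logon       Login failed for user 'sa'. Reason: Password "
                     f"did not match that for the login provided. [CLIENT: 203.0.113.7]")
    ts = _stamp(base + timedelta(seconds=3, milliseconds=100))
    lines.append(f"{ts} Logon       Login succeeded for user 'sa'. Connection made "
                 f"using SQL Server authentication. [CLIENT: 203.0.113.7]")
    ts = _stamp(base + timedelta(minutes=5))
    lines.append(f"{ts} Logon       Error: 18456, Severity: 14, State: 8.")
    lines.append(f"{ts} Logon       Login failed for user 'appuser'. Reason: Password "
                 f"did not match that for the login provided. [CLIENT: 198.51.100.2]")
    return "\n".join(lines)


def parse_logon_events(text):
    """Turn ERRORLOG text into a list of logon events; unrelated lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append({
                "ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S.%f"),
                "ok": m["result"] == "succeeded",
                "user": m["user"],
                "ip": m["ip"],
            })
    return events


def detect_bruteforce(events, threshold=10, window=timedelta(minutes=5)):
    """Flag client IPs with >= threshold failed logins inside a sliding window,
    and record whether a successful login followed such a burst, which is the
    pattern of the campaign: guess the password, then log in and run commands."""
    recent = defaultdict(deque)  # ip -> timestamps of failures still in the window
    findings = {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        q = recent[ev["ip"]]
        while q and ev["ts"] - q[0] > window:
            q.popleft()
        if ev["ok"]:
            if len(q) >= threshold:
                entry = findings.setdefault(ev["ip"], {"failures": len(q), "success_after_burst": None})
                entry["success_after_burst"] = ev["user"]
            continue
        q.append(ev["ts"])
        if len(q) >= threshold:
            entry = findings.setdefault(ev["ip"], {"failures": 0, "success_after_burst": None})
            entry["failures"] = max(entry["failures"], len(q))
    return findings


if __name__ == "__main__":
    for ip, info in detect_bruteforce(parse_logon_events(build_sample_log())).items():
        print(ip, info)
```

A single failed login from an unrelated host is ignored, while the 'sa' burst is reported together with the fact that the same client then logged in successfully; that second signal is the one worth alerting on, because a success after a burst means the weak credential was found and the attack stage can begin. Run against a real ERRORLOG, the same parser works unchanged; the sample log is only there so the script runs offline.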