
Nansh0u campaign already infected 50,000 MS-SQL and PHPMyAdmin Servers

Guardicore Labs uncovered a widespread cryptojacking campaign tracked as Nansh0u and aimed at Windows MS-SQL and PHPMyAdmin servers.

Security experts at Guardicore Labs uncovered a widespread cryptojacking campaign leveraging a malware dubbed Nansh0u. The malicious code aimed at Windows MS-SQL and PHPMyAdmin servers worldwide.

According to the experts, the malicious campaign is being carried out by a Chinese APT group.

According to the experts, the Nansh0u malware has already infected nearly 50,000 servers worldwide. The threat actors also installed a sophisticated kernel-mode rootkit on compromised systems to prevent the malware from being terminated.

“During the past two months, the Guardicore Labs team has been closely following a China-based campaign which aimed to infect Windows MS-SQL and PHPMyAdmin servers worldwide.” reads the report published by Guardicore.

“Breached machines include over 50,000 servers belonging to companies in the healthcare, telecommunications, media and IT sectors. Once compromised, the targeted servers were infected with malicious payloads. These, in turn, dropped a crypto-miner and installed a sophisticated kernel-mode rootkit to prevent the malware from being terminated.”

The attacks date back to February 26, and experts observed over seven hundred new victims per day. Researchers identified 20 versions of the malicious payloads; new payloads were created at least once a week and put to use in the campaign immediately after their creation.

The threat actors launch brute-force attacks against previously identified Windows MS-SQL and PHPMyAdmin servers that are exposed online.

Once logged in with administrative privileges, the threat actors execute a sequence of MS-SQL commands that download a malicious payload from a remote file server and execute it with SYSTEM privileges.
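The two steps just described (password guessing against an exposed MS-SQL instance, then OS command execution through SQL) both leave traces in the SQL Server ERRORLOG, which is where a defender would look first. The following is an added example, not code from the article or from Guardicore's published script: it parses ERRORLOG text for a burst of failed logins (error 18456) from one client and for the `xp_cmdshell` option being switched on, and correlates the two in time. The article does not name the exact T-SQL the attackers ran, so treating `xp_cmdshell` enablement as the signal is an assumption of this example; the log lines are constructed, and the client addresses are documentation addresses rather than indicators from the campaign.

```python
"""Added example (not from the article or Guardicore's published script):
scan a SQL Server ERRORLOG for the intrusion pattern described above, a
burst of failed logins from one client (error 18456) followed by the
xp_cmdshell option being switched on.  Assumption: xp_cmdshell is the path
the attackers used for OS command execution; the article does not say.
The log lines below are constructed; the addresses are documentation
addresses, not indicators from the campaign."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in the real ERRORLOG layout: timestamp, source column
# ("Logon" or a session id such as "spid52"), then the message text.
SAMPLE_ERRORLOG = """\
2019-02-26 03:14:05.10 Logon       Error: 18456, Severity: 14, State: 8.
2019-02-26 03:14:05.10 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.7]
2019-02-26 03:14:05.31 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.7]
2019-02-26 03:14:05.52 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.7]
2019-02-26 03:14:05.73 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.7]
2019-02-26 03:14:05.94 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.7]
2019-02-26 03:14:06.15 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.7]
2019-02-26 03:14:09.02 spid52      Configuration option 'xp_cmdshell' changed from 0 to 1. Run the RECONFIGURE statement to install.
2019-02-26 09:00:00.00 Logon       Login failed for user 'app_ro'. Reason: Password did not match that for the login provided. [CLIENT: 10.0.0.5]
"""

TS = r"(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d+)"
FAILED_LOGIN_RE = re.compile(
    TS + r"\s+Logon\s+Login failed for user '(?P<user>[^']*)'"
         r".*\[CLIENT: (?P<ip>[^\]\s]+)\]")
XP_CMDSHELL_RE = re.compile(
    TS + r"\s+\S+\s+Configuration option 'xp_cmdshell' changed from 0 to 1")


def _parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S.%f")


def parse_errorlog(text):
    """Return (failed_logins, xp_cmdshell_enables): a list of
    (timestamp, user, client_ip) tuples and a list of timestamps."""
    failed, enabled = [], []
    for line in text.splitlines():
        m = FAILED_LOGIN_RE.match(line)
        if m:
            failed.append((_parse_ts(m["ts"]), m["user"], m["ip"]))
            continue
        m = XP_CMDSHELL_RE.match(line)
        if m:
            enabled.append(_parse_ts(m["ts"]))
    return failed, enabled


def find_bruteforce(failed, threshold=5, window=timedelta(seconds=60)):
    """Clients with at least `threshold` failed logins inside any sliding
    `window`.  Returns {client_ip: (peak_count, timestamp_of_last_attempt)}."""
    by_ip = defaultdict(list)
    for ts, _user, ip in failed:
        by_ip[ip].append(ts)
    hits = {}
    for ip, stamps in by_ip.items():
        stamps.sort()
        start = 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold and count > hits.get(ip, (0, None))[0]:
                hits[ip] = (count, ts)
    return hits


def analyze(text, threshold=5, window=timedelta(seconds=60),
            follow_up=timedelta(minutes=10)):
    """Combine both signals into a list of human-readable findings."""
    failed, enabled = parse_errorlog(text)
    brute = find_bruteforce(failed, threshold, window)
    findings = [f"brute-force: {count} failed logins from {ip}, last at {last}"
                for ip, (count, last) in brute.items()]
    for ts in enabled:
        findings.append(f"xp_cmdshell enabled at {ts}")
        # The ERRORLOG line for the config change carries no client address,
        # so the correlation is by time only: an enable within `follow_up`
        # of a guessing burst is the chain the article describes.
        for ip, (_count, last) in brute.items():
            if timedelta(0) <= ts - last <= follow_up:
                findings.append(f"HIGH: xp_cmdshell enabled {ts - last} after "
                                f"the brute-force burst from {ip}")
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_ERRORLOG):
        print(finding)
```

Point `analyze()` at the text of a real ERRORLOG (or feed it line by line from a log forwarder); the threshold and window are deliberately conservative so that a single mistyped password from a monitoring account, like the `app_ro` line in the sample, does not fire.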

The attackers used two exploits, tracked as apexp.exe and apexp2012.exe, that trigger the privilege escalation vulnerability CVE-2014-4113. The exploits allow running any executable with SYSTEM privileges.

“Using this Windows privilege, the attacking exploit injects code into the winlogon process. The injected code creates a new process which inherits winlogon’s SYSTEM privileges, providing equivalent permissions as the prior version.” continues the analysis.

The payloads used in this campaign were droppers that deliver a cryptocurrency miner for the TurtleCoin cryptocurrency.

Experts observed many payloads dropping a kernel-mode driver with random file names into AppData/Local/Temp. The compile time of these files suggests they were created in 2016, yet most AV engines still do not detect them as malicious.

The driver had a digital signature issued by the top Certificate Authority Verisign.
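The two preceding paragraphs give a defender a hunting rule that does not depend on AV verdicts or on the signature: a kernel driver loaded from a per-user temp directory is abnormal whoever signed it. The following is an added example, not code from the article or from Guardicore's script, that applies that rule to Sysmon "Driver loaded" events (Event ID 6, whose `ImageLoaded`, `Signed`, `Signature` and `SignatureStatus` fields are Sysmon's real field names). The event XML is constructed for the example; the hash and signer values in it are placeholders, not indicators from the campaign.

```python
"""Added example (not from the article or Guardicore's published script):
triage Sysmon "Driver loaded" events (Event ID 6) for the pattern described
above, a kernel driver loaded from a user-writable location such as
AppData\\Local\\Temp.  The check deliberately does not let a valid signature
clear a driver, since the report notes the campaign's driver carried a
valid Verisign-issued signature.  The event XML below is constructed; the
hash and signer values are placeholders, not indicators from the campaign."""
import re
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
EVENT_TAG = "{%s}Event" % NS["e"]

# Locations a legitimately installed driver is never loaded from.
USER_WRITABLE_RE = re.compile(
    r"\\(?:AppData\\Local\\Temp|Users\\[^\\]+\\Downloads|Windows\\Temp|ProgramData)\\",
    re.IGNORECASE)

SAMPLE_EVENTS = r"""<Events>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>6</EventID><Computer>sql01.example.test</Computer></System>
  <EventData>
    <Data Name="UtcTime">2019-02-26 03:14:12.004</Data>
    <Data Name="ImageLoaded">C:\Users\Administrator\AppData\Local\Temp\qzx81k.sys</Data>
    <Data Name="Hashes">SHA256=PLACEHOLDER_NOT_A_REAL_HASH</Data>
    <Data Name="Signed">true</Data>
    <Data Name="Signature">PLACEHOLDER SIGNER (constructed)</Data>
    <Data Name="SignatureStatus">Valid</Data>
  </EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>6</EventID><Computer>sql01.example.test</Computer></System>
  <EventData>
    <Data Name="UtcTime">2019-02-26 03:14:12.120</Data>
    <Data Name="ImageLoaded">C:\Windows\System32\drivers\tcpip.sys</Data>
    <Data Name="Signed">true</Data>
    <Data Name="Signature">Microsoft Windows</Data>
    <Data Name="SignatureStatus">Valid</Data>
  </EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>6</EventID><Computer>sql01.example.test</Computer></System>
  <EventData>
    <Data Name="UtcTime">2019-02-26 03:15:01.500</Data>
    <Data Name="ImageLoaded">C:\Windows\System32\drivers\constructed_unsigned.sys</Data>
    <Data Name="Signed">false</Data>
    <Data Name="Signature"></Data>
    <Data Name="SignatureStatus">Unavailable</Data>
  </EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>1</EventID><Computer>sql01.example.test</Computer></System>
  <EventData><Data Name="Image">C:\Windows\System32\cmd.exe</Data></EventData>
</Event>
</Events>"""


def event_data(event):
    """Flatten one Sysmon event into {field_name: value}, plus its EventID."""
    fields = {d.get("Name"): (d.text or "").strip()
              for d in event.findall("e:EventData/e:Data", NS)}
    fields["EventID"] = event.findtext("e:System/e:EventID", default="",
                                       namespaces=NS)
    return fields


def is_user_writable_path(path):
    return bool(USER_WRITABLE_RE.search(path))


def triage_driver_loads(xml_text):
    """Return findings for every Event ID 6 that loads a driver from a
    user-writable path (high) or without a valid signature (medium)."""
    findings = []
    root = ET.fromstring(xml_text)
    for ev in root.iter(EVENT_TAG):
        f = event_data(ev)
        if f.get("EventID") != "6":
            continue            # not a driver-load event
        image = f.get("ImageLoaded", "")
        signed = f.get("Signed", "").lower() == "true"
        status = f.get("SignatureStatus", "")
        if is_user_writable_path(image):
            severity = "high"
            reason = (f"driver loaded from user-writable path; signature status "
                      f"'{status}' by '{f.get('Signature', '')}' does not clear it")
        elif not signed or status != "Valid":
            severity = "medium"
            reason = f"driver without a valid signature (Signed={f.get('Signed')}, status={status})"
        else:
            continue            # signed, valid, loaded from a normal location
        findings.append({"time": f.get("UtcTime", ""), "image": image,
                         "severity": severity, "reason": reason})
    return findings


if __name__ == "__main__":
    for finding in triage_driver_loads(SAMPLE_EVENTS):
        print(finding["severity"].upper(), finding["image"], "-", finding["reason"])
```

The path rule is checked before the signature rule on purpose: in the sample the driver from `AppData\Local\Temp` carries `SignatureStatus=Valid` and is still reported as high, which is the lesson of the Verisign-signed rootkit above. Export events from the `Microsoft-Windows-Sysmon/Operational` log as XML and pass the text to `triage_driver_loads()`.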

“We can confidently say that this campaign has been operated by Chinese attackers,” concludes the report.

“We base this hypothesis on the following observations:

  • The attacker chose to write their tools with EPL, a Chinese-based programming language.
  • Some of the file servers deployed for this campaign are HFSs in Chinese.
  • Many log files and binaries on the servers included Chinese strings, such as 结果-去重复 (“duplicates removed”) in logs containing breached machines, or 开始 (“start”) in the name of the script initiating port scans.”

Experts also published a list of IoCs (indicators of compromise) and a free PowerShell-based script that Windows admins can use to check whether their systems are infected.


Pierluigi Paganini

(SecurityAffairs – nansh0u malware, hacking)
