Over 50K servers infected to mine TurtleCoin cryptocurrency in Nansh0u campaign

• The campaign has impacted MS-SQL and PHPMyAdmin servers.
• The servers belong to companies in the healthcare, telecommunications, media, and IT sectors.

A fresh wave of attacks against MS-SQL and PHPMyAdmin servers has been detected worldwide. Termed as Nansh0u, the campaign has been launched with the quest for cryptocurrency.

What’s the matter?

Researchers from Guardicore Labs have revealed that over 50,000 servers belonging to companies in the healthcare, telecommunications, media, and IT sectors have been compromised in a new Chinese-based campaign. The Windows MS-SQL and PHPMyAdmin servers are being targeted to infect them with malicious payloads.

The payloads, in turn, drop a crypto-miner and a sophisticated kernel-mode rootkit on to the victims’ machines. The rootkit helps prevent the cryptominer from being terminated.

How widespread is Nansh0u campaign?

During the investigation, researchers witnessed the release and deployment of 20 different payload versions throughout the campaign.

According to Guardicore Labs’ researchers, the Nansh0u campaign is not just a typical cryptomining attack. It uses techniques such as fake certificates and privilege escalation exploits to launch the attack.

“While advanced attack tools have normally been the property of highly skilled adversaries, this campaign shows that these tools can now easily fall into the hands of less than top-notch attackers,” said the researchers in a blog post.

The campaign has been ongoing since February 2019. However, it was first noticed in April 2019.

“In the beginning of April, three attacks detected in the Guardicore Global Sensor Network (GGSN) caught our attention. All three had their source IP addresses originating in South-Africa and hosted by VolumeDrive ISP (see IoCs). The incidents shared the same attack process, focusing on the same service and using the same breach method and post-compromise steps,” researchers explained.

How does the campaign operate?

The attackers used five attack servers and six connect-back servers to perform the Nansh0u campaign.

Once a victim server was identified via port scanners, the threat actors would first attempt to access the systems through MS-SQL brute force attack tools.

In many cases, the technique has proved to be successful, giving the attackers access to an account with administrative privileges. The credentials are later saved by the attackers for future use.

After a successful hack, the threat actors obtain the IP addresses, ports, usernames and passwords of vulnerable servers. This would allow them to tamper with the settings and create a Visual-Basic script file on the servers to download malicious payloads.

What vulnerability is exploited?

The payloads make use of a CVE-2014-4113 vulnerability that impacts win32k.sys component in specific versions of Microsoft Windows. This includes Windows Server 2003 SP2, Vista SP2, Server 2008 SP2, Server 2008 R2 SP1, 7 SP1, 8, 8.1, Sever 2012 Gold, Server 2012 R2, RT Gold and RT 8.1.

The vulnerability, if exploited, can permit privilege escalation to attackers via a crafted application.

What do the payloads do?

The malicious payloads installed on the victims’ systems are used to download a kernel-mode rootkit to maintain persistence and a cryptominer to mine cryptocurrency. In order to prevent detection, the kernel-mode rootkit comes signed by Verisign. In addition, the driver is also protected with VMProtect in order to make reverse engineering the software difficult.

The bottom line

Going by the attackers’ certificate and the use of EPL programming language, it is believed that Nansh0u has originated from China. In addition, some of the file servers used during the campaign are based in Chinese. Researchers have also identified that many of the log files and binaries used in the campaign contain Chinese strings.