A China-based cryptomining malware campaign dubbed Nansh0u has targeted and infected up to 50,000 servers Windows MS-SQL and PHPMyAdmin servers worldwide.
Guardicore researchers disclosed the campaign which took place between February 26 and April 11 of this year, in a May 29 blog post and described it as more than just a typical cryptomining attack due to its use of fake certificates and privilege escalation exploits.
When the attacks were first spotted all three had source IP addresses originating in South-Africa and hosted by VolumeDrive ISP. In addition, the incidents shared the same attack process, focusing on the same service and using the same breach method and post-compromise steps
Researchers spotted 20 versions of malicious payloads and said new payloads are created at least once a week and are used immediately after their creation time in attacks that have targeted companies in the healthcare, telecommunications, media and IT sectors.
Once a server is compromised, the targeted servers are infected with malicious payloads that drop a crypto-miner and installed a sophisticated kernel-mode rootkit to prevent the malware from being terminated.
The attackers servers were all running HFS – HTTP File Server – serving files of different types while their infrastructure contained all the modules required for a successful, end-to-end attack on MS-SQL servers including a Port Scanner, MS-SQL brute-force tool, and remote code executor.
The threat actor also used privilege escalation exploits, multiple payloads including rootkit droppers and miners, and kernel-mode driver all demonstrating how attackers don’t need to be nation-state actors to use top level weapons.
“This campaign was clearly engineered from the phase of IPs scan until the infection of victim machines and mining the crypto-coin,” researchers said in the post. “However, various typos and mistakes imply that this was not a thoroughly-tested operation. ”
One of the mistakes was a mismatch in two versions of the lcn.exe payload that were both running the same miner but with swapped command-line arguments. This suggests that the first one was providing the wallet address in an incorrect position, researchers said. .
Fortunately, the researchers contacted the hosting provider of the attack servers as well as the issuer of the rootkit certificate which lead to the malicious servers being taken down and the certificate was revoked.