Delaware, USA – May 30, 2019 – More than 50,000 Windows MS-SQL and PHPMyAdmin servers were infected with cryptocurrency-mining malware during the Nansh0u campaign. Guardicore Labs' experts discovered the malicious campaign in early April and traced its beginning to February 26th. During the investigation, the experts identified 20 variants of malicious payloads; the attackers released a new version almost every week. The malware was written in EPL, a Chinese programming language, and the logs and binaries contain Chinese text, so Guardicore Labs is confident that a Chinese threat actor is behind the campaign. Unlike most similar campaigns, the attackers used advanced techniques more typical of APT groups than of ordinary cybercriminals, such as privilege escalation exploits and signing the payload with a digital certificate.

The Nansh0u campaign's command-and-control infrastructure consisted of six connect-back servers and five attack servers, with which the attackers managed to compromise more than 700 servers per day. After finding a potential victim, the adversaries first tried to gain admin access by brute-forcing MS-SQL credentials; on success, they changed server settings and created a VB script file that downloaded the malicious payloads. As a result, the server became infected with a sophisticated kernel-mode rootkit and one of the cryptocurrency miners, mining TurtleCoin or Monero. Most malware samples were signed with a Verisign certificate issued to a fake Chinese company, and the malicious processes were protected from being stopped.
Although researchers have for now managed to temporarily halt the adversaries by disabling their C&C infrastructure and revoking the certificates, such an effective threat actor is unlikely to sit idle for long. To spot similar attacks on your MS-SQL and PHPMyAdmin servers, you can use the Brute Force Detection rule pack, which analyses successful and unsuccessful authentication events from a wide variety of systems and services, helping your SIEM determine unauthorized access attempts using various brute force techniques: https://my.socprime.com/en/integrations/brute-force-detection-arcsight
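The detection idea behind such a rule pack, shown as an added example that is not SOC Prime's rule content or Guardicore's code: correlate repeated MS-SQL login failures from one client against one login, and flag a subsequent success from that client, which is the Nansh0u entry pattern. The simplified log line format and the sample log entries below are constructed for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed simplified line format: "<ISO time> <event id> Login failed|succeeded for user '<login>' ... [CLIENT: <ip>]".
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<eid>\d+) Login (?P<outcome>failed|succeeded) for user "
    r"'(?P<user>[^']+)'.*\[CLIENT: (?P<ip>[\d.]+)\]"
)

def detect_bruteforce(lines, threshold=5, window=timedelta(minutes=5)):
    """Return ('bruteforce', ip, user, count) when failures from one client against one
    login reach the threshold inside the sliding window, and
    ('success_after_bruteforce', ip, user, count) when that client then logs in successfully."""
    failures = defaultdict(deque)   # (client ip, login) -> timestamps of recent failures
    alerts = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue                # not an authentication event in the assumed format
        ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
        q = failures[(m["ip"], m["user"])]
        while q and ts - q[0] > window:   # drop failures older than the window
            q.popleft()
        if m["outcome"] == "failed":
            q.append(ts)
            if len(q) == threshold:       # alert once, when the burst crosses the threshold
                alerts.append(("bruteforce", m["ip"], m["user"], len(q)))
        elif len(q) >= threshold:         # success right after a burst: likely guessed credentials
            alerts.append(("success_after_bruteforce", m["ip"], m["user"], len(q)))
    return alerts

# Constructed sample log: a burst of 'sa' failures from one client, then a success; plus a benign failure.
SAMPLE_LOG = [
    "2019-04-02T10:00:01Z 18456 Login failed for user 'sa'. Reason: Password did not match. [CLIENT: 203.0.113.5]",
    "2019-04-02T10:00:02Z 18456 Login failed for user 'sa'. Reason: Password did not match. [CLIENT: 203.0.113.5]",
    "2019-04-02T10:00:03Z 18456 Login failed for user 'sa'. Reason: Password did not match. [CLIENT: 203.0.113.5]",
    "2019-04-02T10:00:40Z 18456 Login failed for user 'app'. Reason: Password did not match. [CLIENT: 198.51.100.7]",
    "2019-04-02T10:00:04Z 18456 Login failed for user 'sa'. Reason: Password did not match. [CLIENT: 203.0.113.5]",
    "2019-04-02T10:00:05Z 18456 Login failed for user 'sa'. Reason: Password did not match. [CLIENT: 203.0.113.5]",
    "2019-04-02T10:00:09Z 18453 Login succeeded for user 'sa'. Connection made using SQL Server authentication. [CLIENT: 203.0.113.5]",
]

if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_LOG):
        print(alert)
```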