More than 50,000 servers worldwide running Windows MS-SQL and PHPMyAdmin have fallen victim to a new kind of crypto-jacking malware that is believed to originate from Chinese hackers.
Guardicore Labs, a team of international hackers and cyber-security experts, has identified the malware and has reportedly been tracking its activities for the past two months.
In a report released by Guardicore on Wednesday, May 29th, the security group states that the malware has been used to infect systems belonging to companies in the healthcare, telecommunications, media and IT sectors, using the hijacked processing power to mine a relatively obscure privacy-focused cryptocurrency called TurtleCoin (TRTL).
Most of the reported servers currently infected have been identified to be based in China, the United States, and India. However, the researchers also report that the rest of the servers are distributed in at least 90 other countries.
“Once compromised, the targeted servers were infected with malicious payloads. These, in turn, dropped a crypto-miner and installed a sophisticated kernel-mode rootkit to prevent the malware from being terminated,” the report read.
The malware was first noticed in April this year, when it infected a network of servers controlled by the Guardicore Global Sensor Network (GGSN). Once the researchers identified the attack, they began tracking the malware to find out the extent of the attack and to identify the threat.
They soon found a trail of the malware’s activities dating back two months, to February 26th. Over the following month, between April 13th and May 13th, the researchers report that the malware infected at least 47,985 servers, expanding at a rate of over “seven hundred new victims per day.”
Detailed analysis of the threat found that the malware is more advanced than ordinary crypto-jacking malware. For one, the threat is propagated through techniques such as fake certificates and privilege escalation exploits, which are commonly used in advanced persistent threats.
The researchers identified a common phrase in the malware’s text file strings stored on the attacker’s servers, Nansh0u, which also gave the malware its name. Guardicore believes that the attackers behind the malware are Chinese-speaking threat actors, because most of the tools in the malware (i.e., the payload) are written in the Chinese-based programming language EPL. The researchers also found a host of other text strings within the source files written in Chinese.
As the researchers note, the tools that the malware employs have traditionally been used by higher-skilled attackers, but the Nansh0u campaign has proven that even less-skilled hackers can now execute a highly sophisticated attack.
“The Nansh0u campaign is not a typical crypto-miner attack,” the report states.
The researchers have included a script for system administrators to scan their servers for this malware, and they advise those who are not yet infected to implement stronger passwords, as “this campaign demonstrates once again that common passwords still comprise the weakest link in today’s attack flows.”