A new China-based campaign dubbed Nansh0u targets Windows MS-SQL and PHPMyAdmin servers worldwide. The attack campaign primarily targets servers belonging to the healthcare, telecommunications, media, and IT sectors.
Guardicore Labs detected the campaign at the beginning of April, but the attacks found dating back to February 26. Throughout the campaign threat actors used 20 different payloads, and they keep on creating at least one payload a week and used them immediately.
“Hackers used a combined set of five attack servers, and six connect-back servers suggests an established process of continuous development which was well thought of by the attackers.”
More than 50,000 servers breached in this campaign, once the targeted servers compromised they were infected with a malicious payload, which in turn drops a crypto-miner that mines TurtleCoin and sophisticated kernel-mode rootkit.
Nansh0u campaign is not just a crypto-miner attack; hackers behind the campaign used advanced techniques followed by APTS groups such as fake certificates and privilege escalation exploits.
Attack on MS-SQL and PHPMyAdmin servers
The attack starts with a serious of login attempts targeting MS-SQL servers to gain administrator privileges. Attackers infrastructure combines the following modules to launch an attack on MS-SQL servers.
Port scanner – Used to detect MS-SQL servers running by IP and to determine MS-SQL ports status.
MS-SQL brute-force tool – Brute-force tool attempts to log in the MS-SQL server using thousands of common credentials.
Remote Code Executor – If the attacker had success with Port scan & brute-force, then the next step is to breach the server.
A privilege escalation vulnerability CVE-2014-4113 was exploited to run the programs with SYSTEM privileges.
By analyzing the 20 payload samples from the attacker’s servers and Guardicore Global Sensor Network, each payload is a wrapper and has several functionalities.
1. Execute the crypto-currency miner;
2. Create persistency by writing registry run-keys;
3. Protect the miner process from termination using a kernel- mode rootkit;
4. Ensure the miner’s continuous execution using a watchdog mechanism.
According to Guadicore most of the payloads drop a kernel-mode driver signed with a certificate issued by Certificate Authority Verisign.
“This campaign was engineered from the phase of IPs scan until the infection of victim machines and mining the crypto-coin. However, various typos and mistakes imply that this was not a thoroughly-tested operation,” reads Guardicore report.
Researchers confidently access that Chinese attackers have operated this campaign.
- The attacker chose to write their tools with EPL, a Chinese-based programming language.
- Some of the file servers deployed for this campaign are HFSs in Chinese.
- Many log files and binaries on the servers included Chinese strings, such as (“duplicates removed”) in logs containing breached machines, or (“start”) in the name of the script initiating port scans.
- weak usernames & passwords enable this, by having a strong password, you can prevent the attack.
- Hardening the server could minimize the risks.
Guardicorereleased an open source PowerShell script to detect the infected machines.
Indicator of Compromise
|IP ADDRESS||LINK TO CTI PAGE|
|220.127.116.11||Full Threat Intel Page|
|18.104.22.168||Full Threat Intel Page|
|22.214.171.124||Full Threat Intel Page|
|126.96.36.199||Full Threat Intel Page|
|188.8.131.52||Full Threat Intel Page|
|184.108.40.206||Full Threat Intel Page|
|220.127.116.11||Full Threat Intel Page|
|18.104.22.168||Full Threat Intel Page|
- 685f1cbd4af30a1d0c25f252d399a666 xfa3BEB.tmp
- c5c99988728c550282ae76270b649ea1 DesktopLayer.exe
- 70857e02d60c66e27a173f8f292774f1 apexp.exe
- 68862438fae4c937107999ff9d8ff709 apexp2012.exe
- 3ccb047b631ed6cab34ef11ccf43e47f sisr8Aj.sys
- 1f9007fbf6a37781f7880c10fc57a277 dllhot.exe
- 5899fde33dc7cf35477b998c714454eb dllhot.exe
- 1ad8d0594f9baffe332ccfefb25475df apexd.exe
- 1873944ee02b9e68af2d4997da5e5426 avast.exe
- e6b9054759e4d2d10fcf42d47d9e9221 avast.exe
- 1770c9bf4a41c5115425d76df052b6a2 killtrtl.exe
- 2d740789efd7f16bff42651ae69b0893 kvast.exe
- 876e504b8ddb231d8eeaefa2b9e38093 kvast.exe
- e27490ae6debe3be25794b4dcbaa8e24 gold.exe
- 1f0606c722693c9307ebf524c53f3375 kvast.exe
- 19594b72fc16539a5122217e6e3bb116 avast.exe
- 6dd0276e1f66f672e8c426c53b3125a5 rock.exe
- 82e55177fa37a34dca1375d542c06ac0 rock.exe
- 7c4b1ebba507bc2d0085278d28a899b2 rocks.exe
- c06c3a79f70bfd5474bab8a13acdb87e rocks.exe
- 8ca92722641c73758e5a762033e09b11 lt.exe
- 9887d95973ac89c802571c2bbd346cbf canlang.exe
- 252d1721335108cdc643d36c40d4eaf6 lolcn.exe
- b9161d07b4954d071ae0f26c81e56807 lolcn.exe
- 3425fc4d60a7401c934c73a12a30742b lcn.exe
- 93610bed2e15e2167a67c0e18fee7e08 lcn.exe
- b79f7a7947cb7e9ea1f0d7648e765cee tl.exe
- df4bacb064a4668e444fd67585ea1d82 tls.exe