Researchers at Guardicore Labs have released a comprehensive report on a global cryptojacking campaign targeting Windows MS-SQL and PHPMyAdmin servers.
The malicious campaign, dubbed Nansh0u, is reportedly being conducted by a Chinese APT-style hacking group that has infected nearly 50,000 servers and is installing a sophisticated kernel-mode rootkit on compromised systems to prevent the malware from being terminated.
The campaign, which dates back to February 26 but was first detected in early April, was found to deliver twenty distinct payload variants hosted by various hosting providers.
The attackers first locate publicly accessible Windows MS-SQL and PHPMyAdmin servers with a simple port scanner, then brute-force their login credentials.
After authenticating successfully with administrative privileges, attackers execute a sequence of MS-SQL commands on the compromised system to download a malicious payload from a remote file server and execute it with SYSTEM privileges.
The payload uses a known privilege escalation vulnerability (CVE-2014-4113) to gain SYSTEM privileges on compromised systems.
“The exploit uses this Windows privilege to inject code into the Winlogon process. The injected code generates a new process that inherits Winlogon SYSTEM privileges and possesses the same permissions as the previous version.”
On compromised servers, the payload then installs a cryptocurrency miner that mines TurtleCoin.
In addition, the malware prevents its process from being terminated by using a digitally signed kernel-mode rootkit.
“The driver was found to have a digital signature issued by the leading Certificate Authority Verisign. The expired certificate bears the name of a fraudulent Chinese company, Hangzhou Hootian Network Technology.”
Researchers have also released a comprehensive list of indicators of compromise (IoCs) and a free PowerShell-based script that Windows administrators can use to determine whether or not their systems are infected.
Since the attack relies on weak username and password combinations for MS-SQL and PHPMyAdmin servers, administrators should always use strong, complex passwords.
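The brute-force stage described above leaves a trail in the SQL Server ERRORLOG. The following detector is an added example, not code from the report or the Guardicore script: it parses constructed sample ERRORLOG lines (the event format is assumed from the standard "Login failed/succeeded ... [CLIENT: ip]" messages) and flags a client that produces a burst of failed logins, and separately a success that follows such a burst, which is the signature of a guessed password.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample ERRORLOG lines (not taken from the report).
SAMPLE_LOG = """\
2019-04-02 10:15:22.13 Logon       Error: 18456, Severity: 14, State: 8.
2019-04-02 10:15:22.13 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.45]
2019-04-02 10:15:22.90 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.45]
2019-04-02 10:15:23.41 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.45]
2019-04-02 10:15:24.02 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.45]
2019-04-02 10:15:24.77 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.45]
2019-04-02 10:15:25.30 Logon       Login succeeded for user 'sa'. Connection made using SQL Server authentication. [CLIENT: 203.0.113.45]
2019-04-02 11:00:01.00 Logon       Login failed for user 'report'. Reason: Password did not match that for the login provided. [CLIENT: 10.0.0.7]
"""

# Matches only the "Login failed/succeeded" lines; the "Error: 18456" line is ignored.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{2}) Logon\s+"
    r"Login (?P<outcome>failed|succeeded) for user '(?P<user>[^']*)'.*"
    r"\[CLIENT: (?P<client>[^\]]+)\]$"
)


def parse_logon_events(text):
    """Return (timestamp, outcome, user, client) tuples for each logon event."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S.%f")
            events.append((ts, m["outcome"], m["user"], m["client"]))
    return events


def detect_bruteforce(text, threshold=5, window=timedelta(minutes=10)):
    """Map client IP -> 'brute-force' (burst of failures within the window)
    or 'brute-force-success' (a success right after such a burst)."""
    failures = defaultdict(list)  # client -> timestamps of recent failures
    verdicts = {}
    for ts, outcome, user, client in parse_logon_events(text):
        recent = [t for t in failures[client] if ts - t <= window]
        if outcome == "failed":
            recent.append(ts)
        failures[client] = recent
        if len(recent) >= threshold:
            verdicts[client] = "brute-force" if outcome == "failed" else "brute-force-success"
    return verdicts


if __name__ == "__main__":
    for client, verdict in detect_bruteforce(SAMPLE_LOG).items():
        print(f"{client}: {verdict}")
```

Point the script at a real ERRORLOG (or the output of `xp_readerrorlog`) to review historical logons; the single failure from 10.0.0.7 stays below the threshold and is not flagged.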