Chinese hackers compromised upwards of 50,000 MS-SQL and PHPMyAdmin as part of a large-scale cryptojacking drive called Nansh0u.

The malicious campaign is allegedly being conducted by an APT-style Chinese hacking group who has already infected nearly 50,000 servers and are connecting a classy kernel-mode rootkit on compromised systems to avert the malware from being completed.

The campaign, which was first spotted in early-April, has been found bringing 20 different payload versions hosted on numerous hosting providers.

The attack depends on the brute-forcing technique after finding openly accessible Windows MS-SQL and PHPMyAdmin servers using a simple port scanner.

Upon successful login verification with administrative rights, attackers perform a sequence of MS-SQL commands on the compromised system to download spiteful payload from a remote file server and run it with SYSTEM privileges.

In the background, the payload influences a known privilege increase susceptibility (CVE-2014-4113) to gain SYSTEM privileges on the compromised systems.

“Using this Windows privilege, the attacking exploit injects code into the Winlogon process. The injected code creates a new process which inherits Winlogon SYSTEM privileges, providing equivalent permissions as the prior version.”

The payload then installs a cryptocurrency mining malware on compromised servers to mine TurtleCoin cryptocurrency.

Additionally, the malware also guards its process from sacking using a digitally-signed kernel-mode rootkit for perseverance.

“We found that the driver had a digital signature issued by the top Certificate Authority Verisign. The certificate – which is expired – bears the name of a fake Chinese company – Hangzhou Hootian Network Technology.”

Researchers have also released a comprehensive list of IoCs (indicators of compromise) and a free PowerShell-based script that Windows administrators can use to check whether their systems are infected or not.

Since the attack depend on a feeble username and password combinations for MS-SQL and PHPMyAdmin servers, admins are directed to always keep a robust, complex password for their accounts.

Leave a Reply

Your email address will not be published. Required fields are marked *