Nansh0u malware breaches thousands of PHPMyAdmin and MS-SQL servers

Windows MS-SQL and PHPMyAdmin based servers are taken over by Nansh0u malware

Chinese criminals spread Nansh0u to mine TurtleCoin

Guardicore cybersecurity researchers released a report that detailed a new malware campaign dubbed Nansh0u. This malware is linked to Windows MS-SQL and PHPMyAdmin-based machines, and over 50,000 computers running these servers have been breached. Currently, security experts believe that strain originates from China.

They found that the certificate that the hackers have been using to pass required security checks comes from a non-existing Chinese organization, which goes under name Hangzhou Hootian Network Technology. What is more, researchers discovered that the programming language bad actors used is known as EPL, which also comes from China.

Nevertheless, two features are not the only ones that relate to China. Researchers found that malware-related servers included Chinese log files and binaries:^[1]

Many log files and binaries on the servers included Chinese strings, such as 结果-去重复 (“duplicates removed”) in logs containing breached machines, or 开始 (“start”) in the name of the script initiating port scans.

The malware aims to mine TurtleCoin after infiltrating the targeted system remotely

The Nansh0u campaign is supposed to secretly install a cryptocurrency mining program that aims to collect TurtleCoin by using the infected system. Also, this malware is capable of gaining revenue from an open-source Monero cryptocurrency mining script that is known as XMRig.^[2]

According to the latest news, this type of campaign has surfaced on February 26, 2019, but was spotted only in April, which gave some time for the Chinese hackers to distribute their cryptocurrency mining malware. This threat can deliver 20 different types of malicious code variants that are used to brutally infiltrate low-security Windows MS-SQL and PHPMyAdmin-based machines.

What is so complex about this cryptocurrency miner is its capability to avoid elimination from the infected machines. This can be accomplished when the APT-based Chinese cybercriminal group launches a complex kernel-mode rootkit straight into the targeted system.

Nevertheless, the driver is known to be marked by Verisign certificate, which means that it can look legitimate and can easily be distributed and successfully pass all necessary security checks.^[3] After that, attackers log into the targeted system by using administrative privileges and continue by launching several MS-SQL commands and collecting IPs, usernames, and passwords.

Bad actors use the CVE-2014-4113 vulnerability to gain system privileges

Gaining remote access allows bad actors to install the malicious payload by manipulating the administrative privileges that they have gained. However, attackers behind Nansh0u work a bit differently. These people also run specific processes in the background which relate to the CVE-2014-4113 flaw^[4] which allows hackers to gain system-based priority on the infected machines. This vulnerability has been known since 2014 for affecting the win32k.sys component on Windows servers such as:

• Windows 8.
• Windows 8.1.
• Windows Server 2012 Gold and R2.
• Windows RT Gold and 8.1.
• Windows Server 2008 SP2 and R2 SP1.
• Windows Vista SP2.
• Microsoft Windows Server 2003 SP2.

Guardicore advises all users to create more complex and strong usernames/passwords in order to decrease the risk of Nansh0u malware attack as the main target is MS-SQL and PHPMyAdmin server-based machines that include weak login details. Furthermore, experts have created a list of indicators of compromise^[5] and a script^[6] that gives permission to Windows admins to check for possible infection by this malware.