Dubbed Nansh0u, the malicious campaign is reportedly being carried out by an APT-style Chinese hacking group who has already infected nearly 50,000 servers and are installing a sophisticated kernel-mode rootkit on compromised systems to prevent the malware from being terminated.
The campaign, which dates back to February 26 but was first detected in early-April, has been found delivering 20 different payload versions hosted on various hosting providers.
UPCOMING WEBINAR
Zero Trust + Deception: Learn How to Outsmart Attackers!
Discover how Deception can detect advanced threats, stop lateral movement, and enhance your Zero Trust strategy. Join our insightful webinar!
Save My Seat!The attack relies on the brute-forcing technique after finding publicly accessible Windows MS-SQL and PHPMyAdmin servers using a simple port scanner.
Upon successful login authentication with administrative privileges, attackers execute a sequence of MS-SQL commands on the compromised system to download malicious payload from a remote file server and run it with SYSTEM privileges.
In the background, the payload leverages a known privilege escalation vulnerability (CVE-2014-4113) to gain SYSTEM privileges on the compromised systems.
"Using this Windows privilege, the attacking exploit injects code into the Winlogon process. The injected code creates a new process which inherits Winlogon SYSTEM privileges, providing equivalent permissions as the prior version."
The payload then installs a cryptocurrency mining malware on compromised servers to mine TurtleCoin cryptocurrency.
Besides this, the malware also protects its process from terminating using a digitally-signed kernel-mode rootkit for persistence.
"We found that the driver had a digital signature issued by the top Certificate Authority Verisign. The certificate – which is expired – bears the name of a fake Chinese company – Hangzhou Hootian Network Technology."
Researchers have also released a complete list of IoCs (indicators of compromise) and a free PowerShell-based script that Windows administrators can use to check whether their systems are infected or not.
Since the attack relies on a weak username and password combinations for MS-SQL and PHPMyAdmin servers, admins are advised to always keep a strong, complex password for their accounts.
