
Nansh0u Miner

Posted: May 30, 2019

Trojanized cryptocurrency miners are rarely involved in elaborate, large-scale cyber attacks, but it would appear that the authors of the Nansh0u Miner are trying to change this by pairing state-of-the-art propagation techniques with a neat rootkit that gains persistence on the infected machines. The first traces of the Nansh0u Miner’s activity were seen in early February, but the campaign’s reach has expanded dramatically since then; the most recent numbers show that over 50,000 systems may have been infected by the Nansh0u Miner.

Unlike many other Trojan miners, this one does not mine a popular cryptocurrency; instead, its authors have opted to mine the rather obscure ‘TurtleCoin.’ This does not make the miner’s actions any less harmful than usual, since it will still consume a large portion of the available CPU resources to solve complex computational problems, and the blockchain will reward it with TurtleCoin in return.

The attackers have infected over 50,000 computers by scanning the Internet for open ports used by the MS-SQL and PHPMyAdmin services. If an accessible service is found, their bot automatically tries to log in using tens of thousands of pre-defined credentials. All successful attempts are saved to a log file, which the attackers then use to access the exposed servers and plant a version of the Nansh0u Miner on them manually.
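The credential brute force described above leaves a very recognizable trace in the database server's own log: a burst of failed logins from one client, followed by a success. The detector below is an added example, not code from the original post; the sample lines are constructed and their layout is modelled on the SQL Server errorlog format, which is an assumption rather than something the post documents.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample errorlog lines (the layout is an assumption).
SAMPLE_LOG = """\
2019-02-03 04:12:01.10 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2019-02-03 04:12:02.41 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2019-02-03 04:12:03.07 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2019-02-03 04:12:04.55 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2019-02-03 04:12:05.12 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2019-02-03 04:15:40.00 Logon       Login succeeded for user 'sa'. Connection made using SQL Server authentication. [CLIENT: 203.0.113.5]
2019-02-03 09:00:00.00 Logon       Login failed for user 'app'. Reason: Password did not match that for the login provided. [CLIENT: 192.0.2.8]
"""

# One logon event per line: timestamp, outcome, user name, client address.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\.\d+\s+Logon\s+"
    r"Login (?P<outcome>failed|succeeded) for user '(?P<user>[^']*)'\..*"
    r"\[CLIENT: (?P<client>[^\]]+)\]$"
)

def parse_logon_events(log_text):
    """Return (timestamp, client, user, succeeded) tuples for every logon line."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a logon line; skip it
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        events.append((ts, m["client"], m["user"], m["outcome"] == "succeeded"))
    return events

def detect_brute_force(events, threshold=5, window=timedelta(minutes=10)):
    """Map each suspicious client to 'brute-force' or 'brute-force-then-success'."""
    failures = defaultdict(list)  # client -> timestamps of recent failed logins
    verdicts = {}
    for ts, client, _user, ok in sorted(events):
        if not ok:
            fails = failures[client]
            fails.append(ts)
            while fails and ts - fails[0] > window:  # slide the window forward
                fails.pop(0)
            if len(fails) >= threshold:
                verdicts.setdefault(client, "brute-force")
        elif client in verdicts:
            # A success after a burst of failures is exactly the entry the
            # attackers save to their log file and come back to later.
            verdicts[client] = "brute-force-then-success"
    return verdicts

if __name__ == "__main__":
    for client, verdict in detect_brute_force(parse_logon_events(SAMPLE_LOG)).items():
        print(client, verdict)
```

The 'brute-force-then-success' verdict is the one worth paging on, since it means the credential list matched and the server should be treated as compromised until proven otherwise.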

In addition to setting up the miner, the attackers may also modify the Windows Registry to gain persistence, and place a kernel-mode driver signed by the Certificate Authority Verisign and issued in the name of a fake Chinese company. The purpose of the kernel-mode driver is to protect the miner from being terminated and to ensure that it fires up again immediately if it is stopped. Verisign has since revoked the bogus certificate, which is likely to slow down the attackers’ campaign a bit.

The removal of the Nansh0u Miner and the rootkit that accompanies it can be completed with the use of a reputable and updated antivirus scanner. The infection vector that the attackers use serves as a good reminder of why it is important to secure all network-connected services and software with a strong password that cannot be brute-forced.
