Nansh0u Cryptomining Campaign

Up to 50,000 servers were infected over the past four months as part of a high-profile cryptojacking campaign known as Nansh0u.

This is a cryptocurrency mining campaign that is targeting servers around the world running Microsoft SQL Server and phpMyAdmin.

The threat actors gain access to vulnerable servers using a port scanning tool and a brute force tool to log in with commonly used credentials. Scripts are then used to download and launch malicious payloads on the servers with elevated privileges by exploiting an old Windows Server vulnerability.

Each payload executes the XMRig and JCE cryptocurrency miners to mine TurtleCoin. Registry keys are then added to launch the miners at system startup. A kernel-mode rootkit is sometimes installed to prevent termination of the mining processes, and the continuous execution of the miners is monitored.

Researchers pointed to weak usernames and passwords on Windows MS-SQL servers as the main reason behind the attack, and urged system administrators to use strong credentials.

Indicators of Compromise

IP Addresses

  • 102.165.51[.]80
  • 102.165.51[.]106
  • 111.67.206[.]87
  • 112.85.42[.]158
  • 114.115.164[.]211
  • 119.131.209[.]186
  • 107.173.21[.]146
  • 107.173.21[.]239

Domains (mining pools)

  • lokiturtle.herominers[.]com
  • trtl.cnpool[.]cc
  • turtle.miner[.]rocks
  • trtl.pool.mine2gether[.]com

Filenames

  • C:\ProgramData\2.vbs
  • C:\ProgramData\apexp.exe
  • C:\ProgramData\apexp2012.exe
  • apexd.exe
  • 360protect.exe
  • avast.exe
  • canlang.exe
  • cfg.bat
  • dllhot.exe
  • kvast.exe
  • rock.exe
  • rocks.exe
  • lt.exe
  • tl.exe
  • tls.exe
  • lcn.exe
  • lolcn.exe

MD5 File Hashes

  • 1770c9bf4a41c5115425d76df052b6a2
  • 1873944ee02b9e68af2d4997da5e5426
  • 19594b72fc16539a5122217e6e3bb116
  • 1ad8d0594f9baffe332ccfefb25475df
  • 1f0606c722693c9307ebf524c53f3375
  • 1f9007fbf6a37781f7880c10fc57a277
  • 252d1721335108cdc643d36c40d4eaf6
  • 2d740789efd7f16bff42651ae69b0893
  • 3425fc4d60a7401c934c73a12a30742b
  • 3ccb047b631ed6cab34ef11ccf43e47f
  • 5899fde33dc7cf35477b998c714454eb
  • 685f1cbd4af30a1d0c25f252d399a666
  • 68862438fae4c937107999ff9d8ff709
  • 6dd0276e1f66f672e8c426c53b3125a5
  • 70857e02d60c66e27a173f8f292774f1
  • 7c4b1ebba507bc2d0085278d28a899b2
  • 82e55177fa37a34dca1375d542c06ac0
  • 876e504b8ddb231d8eeaefa2b9e38093
  • 8ca92722641c73758e5a762033e09b11
  • 93610bed2e15e2167a67c0e18fee7e08
  • 9887d95973ac89c802571c2bbd346cbf
  • b79f7a7947cb7e9ea1f0d7648e765cee
  • b9161d07b4954d071ae0f26c81e56807
  • c06c3a79f70bfd5474bab8a13acdb87e
  • c5c99988728c550282ae76270b649ea1
  • df4bacb064a4668e444fd67585ea1d82
  • e27490ae6debe3be25794b4dcbaa8e24
  • e6b9054759e4d2d10fcf42d47d9e9221
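As an added example (not part of the original post), the following Python script turns the indicator lists above into a small hunting tool: it refangs the `[.]`-defanged addresses and domains, builds boundary-anchored patterns for the IPs, pool domains, dropped filenames and MD5 hashes, and runs them over log lines and over a snapshot of a Run key, which is where the startup persistence described above would show up. The log lines, the Run-key values and the internal hosts in them are constructed for the example, not taken from the campaign.

```python
import re
from typing import Dict, Iterable, List

# Indicators copied from the lists on this page, kept defanged as published.
DEFANGED_IPS = [
    "102.165.51[.]80", "102.165.51[.]106", "111.67.206[.]87", "112.85.42[.]158",
    "114.115.164[.]211", "119.131.209[.]186", "107.173.21[.]146", "107.173.21[.]239",
]
DEFANGED_DOMAINS = [
    "lokiturtle.herominers[.]com", "trtl.cnpool[.]cc",
    "turtle.miner[.]rocks", "trtl.pool.mine2gether[.]com",
]
FILENAMES = [
    r"C:\ProgramData\2.vbs", r"C:\ProgramData\apexp.exe", r"C:\ProgramData\apexp2012.exe",
    "apexd.exe", "360protect.exe", "avast.exe", "canlang.exe", "cfg.bat", "dllhot.exe",
    "kvast.exe", "rock.exe", "rocks.exe", "lt.exe", "tl.exe", "tls.exe", "lcn.exe", "lolcn.exe",
]
MD5_HASHES = {
    "1770c9bf4a41c5115425d76df052b6a2", "1873944ee02b9e68af2d4997da5e5426",
    "19594b72fc16539a5122217e6e3bb116", "1ad8d0594f9baffe332ccfefb25475df",
    "1f0606c722693c9307ebf524c53f3375", "1f9007fbf6a37781f7880c10fc57a277",
    "252d1721335108cdc643d36c40d4eaf6", "2d740789efd7f16bff42651ae69b0893",
    "3425fc4d60a7401c934c73a12a30742b", "3ccb047b631ed6cab34ef11ccf43e47f",
    "5899fde33dc7cf35477b998c714454eb", "685f1cbd4af30a1d0c25f252d399a666",
    "68862438fae4c937107999ff9d8ff709", "6dd0276e1f66f672e8c426c53b3125a5",
    "70857e02d60c66e27a173f8f292774f1", "7c4b1ebba507bc2d0085278d28a899b2",
    "82e55177fa37a34dca1375d542c06ac0", "876e504b8ddb231d8eeaefa2b9e38093",
    "8ca92722641c73758e5a762033e09b11", "93610bed2e15e2167a67c0e18fee7e08",
    "9887d95973ac89c802571c2bbd346cbf", "b79f7a7947cb7e9ea1f0d7648e765cee",
    "b9161d07b4954d071ae0f26c81e56807", "c06c3a79f70bfd5474bab8a13acdb87e",
    "c5c99988728c550282ae76270b649ea1", "df4bacb064a4668e444fd67585ea1d82",
    "e27490ae6debe3be25794b4dcbaa8e24", "e6b9054759e4d2d10fcf42d47d9e9221",
}


def refang(indicator: str) -> str:
    """Undo the '[.]' defanging used in published IoC lists."""
    return indicator.replace("[.]", ".")


IPS = {refang(ip) for ip in DEFANGED_IPS}
DOMAINS = {refang(d) for d in DEFANGED_DOMAINS}
# Match on the basename only: the page lists the droppers under C:\ProgramData,
# but a miner copied somewhere else should still be caught.
BASENAMES = {name.rsplit("\\", 1)[-1].lower() for name in FILENAMES}

# Boundary-anchored so that 102.165.51.80 does not fire on 102.165.51.806 and
# lt.exe does not fire inside tlt.exe.
_IP_RE = re.compile(r"(?<![\d.])(" + "|".join(map(re.escape, sorted(IPS))) + r")(?![\d.])")
_DOMAIN_RE = re.compile(r"(?<![\w.-])(" + "|".join(map(re.escape, sorted(DOMAINS))) + r")(?![\w-])", re.I)
_NAME_RE = re.compile(r"(?<![\w.])(" + "|".join(map(re.escape, sorted(BASENAMES))) + r")(?![\w.])", re.I)
_MD5_RE = re.compile(r"\b[0-9a-f]{32}\b", re.I)


def scan_lines(lines: Iterable[str]) -> List[Dict[str, object]]:
    """Return one hit per indicator found, per line; works on any text log format."""
    hits: List[Dict[str, object]] = []
    for lineno, line in enumerate(lines, 1):
        for kind, pattern in (("ip", _IP_RE), ("domain", _DOMAIN_RE), ("filename", _NAME_RE)):
            for m in pattern.finditer(line):
                hits.append({"line": lineno, "type": kind, "indicator": m.group(1).lower()})
        # Any 32-hex token is a candidate MD5; only report the ones on the list.
        for m in _MD5_RE.finditer(line):
            if m.group(0).lower() in MD5_HASHES:
                hits.append({"line": lineno, "type": "md5", "indicator": m.group(0).lower()})
    return hits


def suspicious_run_entries(run_values: Dict[str, str]) -> List[str]:
    """Names of Run-key values (value name -> command line, as exported from the
    registry) whose command references a dropped file or a pool domain."""
    return [name for name, cmd in run_values.items()
            if _NAME_RE.search(cmd) or _DOMAIN_RE.search(cmd)]


# Constructed sample input for the example: one DNS line, two firewall lines and
# two process-creation lines. Internal hosts and timestamps are made up.
SAMPLE_LOG = [
    "2019-05-20T10:01:02Z dns client=10.0.0.5 query=lokiturtle.herominers.com type=A",
    "2019-05-20T10:01:03Z fw allow 10.0.0.5:49821 -> 102.165.51.80:443",
    r"2019-05-20T10:01:05Z sysmon EventID=1 Image=C:\ProgramData\apexp.exe User=NT AUTHORITY\SYSTEM Hashes=MD5=1770C9BF4A41C5115425D76DF052B6A2",
    "2019-05-20T10:02:00Z fw allow 10.0.0.7:51000 -> 102.165.51.8:80",  # near miss, not an IoC
    r"2019-05-20T10:02:10Z sysmon EventID=1 Image=C:\Program Files\Avast Software\Avast\AvastSvc.exe",  # legitimate
]
# Constructed snapshot of HKLM\...\CurrentVersion\Run; the second entry imitates
# the startup persistence described above.
SAMPLE_RUN_KEY = {
    "OneDrive": r'"C:\Users\bob\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
    "WindowsUpdate": r"C:\ProgramData\apexp.exe -o stratum+tcp://trtl.cnpool.cc:3333",
}

if __name__ == "__main__":
    for hit in scan_lines(SAMPLE_LOG):
        print(f"line {hit['line']}: {hit['type']} {hit['indicator']}")
    print("suspicious Run entries:", suspicious_run_entries(SAMPLE_RUN_KEY))
```

Several of the dropped filenames imitate security products (avast.exe, 360protect.exe, kvast.exe), which is why the patterns insist on the exact basename rather than a substring, and why a hit under C:\ProgramData deserves more weight than the name alone. DNS lookups for the pool domains are worth alerting on independently of the file indicators, since the miner has to reach a pool wherever its binary was copied.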

Jason Davies

UK based technology professional, with an interest in computer security and telecoms.
