Browser automation script.
More than 50,000 servers around the world have been infected with malware that installs crypto-coin-mining scripts and advanced rootkits, it is claimed.
Known as Nanshou, the software nasty, we’re told, infects machines by brute-forcing Microsoft SQL Server account passwords and using known exploits to elevate its privileges. It then drops onto the compromised Windows systems one of 20 different payloads, each including versions of a coin-mining tool and a kernel-mode rootkit that gives the mining software the ability to run without the threat of being detected or terminated by an administrator or security software.
The Guardicore Labs researchers who say they discovered the campaign reckoned this week that Nanshou is particularly noteworthy in its use of rootkit tools and techniques that had previously only been seen wielded by the Chinese government’s hacking crews. It is believed someone, or some group, in China, possibly run-of-the-mill criminals, have obtained these tools and used them against thousands of servers dotted around the planet.
“Breached machines include over 50,000 servers belonging to companies in the healthcare, telecommunications, media and IT sectors. Once compromised, the targeted servers were infected with malicious payloads,” wrote Guardicore bug-hunters Ophir Harpaz and Daniel Goldberg.
“These, in turn, dropped a crypto-miner and installed a sophisticated kernel-mode rootkit to prevent the malware from being terminated.”
The attack itself uses relatively low-tech means to get into the targeted boxes. The attack server first scans for servers with open SQL Server ports then attempts to brute-force the password and, from there, run commands and elevation of privilege exploits in order to get system rights and implant the rootkit on the victim server.
The payload itself is what caught the eye of the researchers. In particular, the Guardicore team found that the malware had used cryptographically signed driver-level rootkits that were last spotted as part of sophisticated Beijing-backed hacking operations. The software nasty’s central command-and-control server has since been disabled, and its code-signing certificate revoked.
“Obtaining a signed certificate for a packed driver is not at all trivial and requires serious planning and execution,” Harpaz and Goldberg explained.
“In addition, the driver supports practically every version of Windows from Windows 7 to Windows 10, including beta versions. This exhaustive coverage is not the work of a hacker writing a rootkit for fun.”
At the same time, the group behind Nanshou also made some rookie mistakes that suggest they weren’t the same people who developed the more advanced code found in the rootkits. In particularly, the operator failed to put any sort of security in front of the one command and control server they used to run the entire operation.
“Logs, victims lists, usernames, binary files – we had them all in a mouse click,” the malware detectives mused.
“In addition, all binary files had their original timestamps; an experienced malware author would have tampered with those to complicate the analysis process.”
The big takeaway from the report, other than a reminder not to use common passwords that can be brute-forced, is that the tools used by Chinese state hackers have now made their way into the hands of the country’s cybercrime operators. ®