PHPMyAdmin and MS-SQL servers infected with crypto coin rootkit

Over 50,000 servers around the world have been infected with crypto-coin-mining malware in a campaign targeting Windows MS-SQL and PHPMyAdmin servers.

The attack was discovered by Guardicore Labs, who have dubbed it Nansh0u. The malicious campaign is reportedly being carried out by a Chinese hacking group that is also installing a sophisticated kernel-mode rootkit on compromised systems to prevent the malware from being terminated.

The campaign, which dates back to February 26 but was first detected in early April, has been found delivering 20 different payload versions hosted on various hosting providers.

The attack itself uses relatively low-tech methods to get into the targeted boxes. The attack server first scans for servers with the SQL Server port exposed and then attempts to brute-force the password. Once authenticated with administrative privileges, the attackers execute a sequence of MS-SQL commands on the compromised system to download a malicious payload from a remote file server and run it with SYSTEM privileges, implanting a kernel-mode rootkit that prevents the malware from being terminated on the victim server.
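Because the initial access described above is a password brute force against SQL Server logins, the first place a defender can see it is the SQL Server ERRORLOG, where each failed and successful login is recorded with the client address. The script below is an added example, not code from the article or from Guardicore: it parses constructed ERRORLOG-style lines (the client addresses are documentation-range placeholders, not indicators from the campaign) and flags any client with a burst of failures, noting whether a successful login followed the burst. The threshold and window are assumed values to tune for your environment.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample ERRORLOG lines (not from the article); the client
# addresses are documentation-range placeholders, not real indicators.
SAMPLE_LOG = """\
2019-04-02 10:15:03.12 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.45]
2019-04-02 10:15:03.40 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.45]
2019-04-02 10:15:03.71 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.45]
2019-04-02 10:15:04.02 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.45]
2019-04-02 10:15:04.33 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.45]
2019-04-02 10:15:05.00 Logon       Login succeeded for user 'sa'. Connection made using SQL Server authentication. [CLIENT: 203.0.113.45]
2019-04-02 11:40:00.00 Logon       Login failed for user 'backup'. Reason: Password did not match that for the login provided. [CLIENT: 192.0.2.8]
2019-04-02 12:10:00.00 Logon       Login failed for user 'backup'. Reason: Password did not match that for the login provided. [CLIENT: 192.0.2.8]
"""

# Matches the timestamp, outcome, login name and client address of a Logon line.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d+)\s+Logon\s+"
    r"Login (?P<result>failed|succeeded) for user '(?P<user>[^']*)'.*"
    r"\[CLIENT: (?P<client>[^\]]+)\]"
)

def parse_logon_events(text):
    """Return (timestamp, client, user, result) tuples for every Logon line."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S.%f")
            events.append((ts, m["client"], m["user"], m["result"]))
    return events

def find_bruteforce(events, threshold=5, window=timedelta(minutes=1)):
    """Map each client with >= threshold failures inside one sliding window to
    the burst's first failure time and whether a login succeeded right after it."""
    failures, successes = defaultdict(list), defaultdict(list)
    for ts, client, _user, result in events:
        (failures if result == "failed" else successes)[client].append(ts)
    alerts = {}
    for client, times in failures.items():
        times.sort()
        for i in range(len(times) - threshold + 1):
            if times[i + threshold - 1] - times[i] <= window:
                last = times[i + threshold - 1]
                # A success shortly after the burst means the guess likely landed.
                landed = any(last <= s <= last + window for s in successes[client])
                alerts[client] = {"first_failure": times[i], "login_after_burst": landed}
                break
    return alerts
```

Run it against a real ERRORLOG (or the Event ID 18456 entries forwarded to your SIEM) and alert on any client that appears in the returned dictionary, treating `login_after_burst` as an incident rather than a warning.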

In the background, the payload leverages a known elevation-of-privilege vulnerability (CVE-2014-4113) to gain SYSTEM privileges on the compromised systems.

Using this privilege, the exploit injects code into the Winlogon process. The injected code creates a new process which inherits Winlogon's SYSTEM privileges, giving it the same SYSTEM-level permissions.

The payload then installs a cryptocurrency mining malware on compromised servers that mines TurtleCoin cryptocurrency in the background.

The Guardicore team found that the malware used cryptographically signed driver-level rootkits of a kind last spotted as part of sophisticated Beijing-backed hacking operations.

We found that the driver had a digital signature issued by the top Certificate Authority Verisign. The certificate – which is expired – bears the name of a fake Chinese company – Hangzhou Hootian Network Technology. In addition, the driver supports practically every version of Windows from Windows 7 to Windows 10, including beta versions. This exhaustive coverage is not the work of a hacker writing a rootkit for fun.

Since the attack relies on weak username and password combinations for MS-SQL and PHPMyAdmin servers, administrators are advised to always keep strong, complex passwords for their accounts.

