PHPMyAdmin and MS-SQL servers infected with crypto coin rootkit

Over 50,000 servers around the world have been infected with crypto-coin-mining malware scripts in a campaign targeting Windows MS-SQL and PHPMyAdmin servers.

The campaign was discovered by Guardicore Labs, who have dubbed it Nansh0u. It is reportedly being carried out by a Chinese hacking group that is also installing a sophisticated kernel-mode rootkit on compromised systems to prevent the malware from being terminated.

The campaign, which dates back to February 26 but was first detected in early April, has been found delivering 20 different payload versions hosted on various hosting providers.

The attack itself uses relatively low-tech methods to get into the targeted boxes. The attack server first scans for servers with open SQL Server ports and then attempts to brute-force the password. After logging in with administrative privileges, the attackers execute a sequence of MS-SQL commands on the compromised system to download a malicious payload from a remote file server and run it with SYSTEM privileges, implanting a kernel-mode rootkit so that the malware cannot be terminated on the victim server.
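The brute-force stage described above leaves a trail in the SQL Server ERRORLOG. As an added, defender-side illustration that is not part of the original report, the Python below parses constructed sample ERRORLOG entries (the addresses and timestamps are made up for the example; the line layout follows the real "Logon ... [CLIENT: ip]" format) and flags any client address that produced a burst of failed logins followed by a success.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed SQL Server ERRORLOG excerpt (sample data, not from the campaign);
# the "Logon ... [CLIENT: ip]" layout mirrors what ERRORLOG records for logins.
SAMPLE_LOG = """\
2019-04-02 10:15:01.10 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2019-04-02 10:15:01.52 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2019-04-02 10:15:02.07 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2019-04-02 10:15:02.61 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2019-04-02 10:15:03.14 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2019-04-02 10:15:03.70 Logon       Login succeeded for user 'sa'. Connection made using SQL Server authentication. [CLIENT: 203.0.113.5]
2019-04-02 10:20:44.00 Logon       Login failed for user 'appuser'. Reason: Password did not match that for the login provided. [CLIENT: 198.51.100.7]
2019-04-02 10:21:02.33 Logon       Login succeeded for user 'appuser'. Connection made using SQL Server authentication. [CLIENT: 198.51.100.7]
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\.\d+\s+Logon\s+Login "
    r"(?P<outcome>failed|succeeded) for user '(?P<user>[^']*)'.*\[CLIENT: (?P<ip>[^\]]+)\]"
)

def parse_logon_events(text):
    """Return (timestamp, outcome, user, client_ip) for each login line; other lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
            events.append((ts, m["outcome"], m["user"], m["ip"]))
    return events

def find_bruteforce(events, threshold=5, window=timedelta(minutes=1)):
    """Return {client_ip: (failures, guessed)} for addresses with >= threshold failed logins
    inside `window`; guessed is True if a success from that address followed the burst."""
    by_ip = defaultdict(list)
    for ev in sorted(events):
        by_ip[ev[3]].append(ev)
    alerts = {}
    for ip, evs in by_ip.items():
        fails = [ts for ts, outcome, _, _ in evs if outcome == "failed"]
        for i, start in enumerate(fails):          # sliding window over failure timestamps
            in_window = [t for t in fails[i:] if t - start <= window]
            if len(in_window) >= threshold:
                burst_end = in_window[-1]
                guessed = any(o == "succeeded" and ts >= burst_end for ts, o, _, _ in evs)
                alerts[ip] = (len(fails), guessed)
                break
    return alerts
```

Successful logins only appear in ERRORLOG when the instance's login auditing is set to record them, so the "guessed" flag depends on that setting being enabled.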

In the background, the payload exploits a known privilege-escalation vulnerability (CVE-2014-4113) to gain SYSTEM privileges on the compromised systems.

Using this Windows privilege, the exploit injects code into the Winlogon process. The injected code creates a new process which inherits Winlogon's SYSTEM privileges, giving it the same level of permissions.

The payload then installs cryptocurrency-mining malware on the compromised servers, which mines TurtleCoin in the background.

The Guardicore team found that the malware used cryptographically signed driver-level rootkits of the kind last spotted in sophisticated Beijing-backed hacking operations.

We found that the driver had a digital signature issued by the top Certificate Authority Verisign. The certificate – which is expired – bears the name of a fake Chinese company – Hangzhou Hootian Network Technology. In addition, the driver supports practically every version of Windows from Windows 7 to Windows 10, including beta versions. This exhaustive coverage is not the work of a hacker writing a rootkit for fun.

Since the attack relies on weak username and password combinations for MS-SQL and PHPMyAdmin servers, administrators are advised to always set strong, complex passwords for these accounts.
