During the past two months, the Guardicore Labs team has been closely following a China-based campaign that aimed to infect Windows MS-SQL and phpMyAdmin servers worldwide. We have taken a deep look into the inner workings of the campaign – the tools in use, the vulnerabilities exploited and the extent of the damage caused.

Breached machines include over 50,000 servers belonging to companies in the healthcare, telecommunications, media and IT sectors. Once compromised, the targeted servers were infected with malicious payloads. These, in turn, dropped a crypto-miner and installed a sophisticated kernel-mode rootkit to prevent the malware from being terminated.

Guardicore Labs witnessed the release and deployment of 20 different payload versions throughout the campaign. We contacted the hosting provider of the attack servers as well as the issuer of the rootkit certificate. As a result, the attack servers were taken down and the certificate was revoked.

The Nansh0u campaign is not a typical crypto-miner attack. It uses techniques often seen in APTs, such as fake certificates and privilege-escalation exploits. While advanced attack tools have normally been the property of highly skilled adversaries, this campaign shows that these tools can now easily fall into the hands of less-than-top-notch attackers.

In this post, we describe the attacks in detail and provide a complete IoC repository for the campaign, including a script to detect infected machines.