Dubbed Nansh0u, the malicious campaign is reportedly being carried out by an APT-style Chinese hacking group that has already infected nearly 50,000 servers and is installing a sophisticated kernel-mode rootkit on compromised systems to prevent the malware from being terminated.
Ophir Harpaz and Daniel Goldberg, researchers from Guardicore, said in a blog post that the so-called Nansh0u campaign is a sophisticated take on more primitive cryptocurrency mining attacks.
The campaign, which dates back to February 26 but was first detected in early April, has been found delivering 20 different payload versions hosted on various hosting providers.
“The Nansh0u campaign is not a typical crypto-miner attack,” the researchers say. “It uses techniques often seen in advanced persistent threats (APTs) such as fake certificates and privilege escalation exploits.”
Upon successful login authentication with administrative privileges, attackers execute a sequence of MS-SQL commands on the compromised system to download a malicious payload from a remote file server and run it with SYSTEM privileges.
The payloads make use of CVE-2014-4113, a vulnerability first reported in 2014 that affects win32k.sys in Microsoft Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT Gold and 8.1.
The payload then installs cryptocurrency-mining malware on compromised servers to mine TurtleCoin.
It also drops a kernel-mode driver signed by Verisign to prevent processes, such as the miner, from being stopped. While the campaign was active, the Verisign signature ensured that the driver was deemed legitimate and would pass security checks. In addition, the driver was protected with VMProtect to make reverse engineering it difficult.
Researchers have also released a complete list of IoCs (indicators of compromise) and a free PowerShell-based script that Windows administrators can use to check whether their systems are infected or not.
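As an added illustration of the kind of check an administrator can run (this is not Guardicore's script and uses no campaign IoCs), the snippet below enumerates the kernel drivers currently loaded on a Windows host and flags any whose Authenticode signature no longer reports Valid or whose binary sits outside the Windows directory. It assumes that a revoked signing certificate, such as the one revoked in this case, surfaces as a non-Valid status when the host can reach revocation information; the output is triage material, not a verdict.

```powershell
# Added example (not Guardicore's detection script): list running kernel-mode
# drivers and report those with a non-Valid Authenticode status or an unusual path.
$drivers = Get-CimInstance Win32_SystemDriver | Where-Object { $_.State -eq 'Running' }

$findings = foreach ($d in $drivers) {
    $path = $d.PathName
    if (-not $path) { continue }

    # PathName may be quoted or carry the \??\ prefix; normalise to a plain path
    $path = $path.Trim('"') -replace '^\\\?\?\\', ''

    if (-not (Test-Path -LiteralPath $path)) {
        # A running driver whose file is gone is worth a closer look on its own
        [PSCustomObject]@{ Name = $d.Name; Path = $path; Status = 'FileMissing'; Signer = '' }
        continue
    }

    $sig = Get-AuthenticodeSignature -LiteralPath $path
    $outsideSystemRoot = -not $path.StartsWith($env:SystemRoot, [System.StringComparison]::OrdinalIgnoreCase)

    # Assumption: a revoked signing certificate yields a status other than Valid
    if ($sig.Status -ne 'Valid' -or $outsideSystemRoot) {
        [PSCustomObject]@{
            Name   = $d.Name
            Path   = $path
            Status = $sig.Status
            Signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
        }
    }
}

# Review each flagged driver against its vendor before acting on it
$findings | Sort-Object Status, Name | Format-Table -AutoSize
```

Run it in an elevated PowerShell session; legitimate third-party drivers may also appear, so the signer subject column is there to help separate expected vendors from unexpected ones.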
Guardicore reached out to the hosting provider of the servers used to facilitate the attack, alongside Verisign. The servers have now been taken down and the certificate revoked, but this does not mean the campaign will not return with a fresh set of servers and a working security certificate in the future.