50k Servers Infected with Cryptomining Malware in Nansh0u Campaign

silversurfer

Super Moderator
Thread author
Up to 50,000 servers were infected over the past four months as part of a high-profile cryptojacking campaign, believed to have been orchestrated by Chinese-language adversaries.

Researchers with Guardicore Labs, who disclosed the campaign Wednesday, said that the Nansh0u campaign (named due to a text file string in the attacker’s servers being called Nansh0u) is “not another run-of-the-mill mining attack.”

The cryptomining malware, which targets an open source cryptocurrency called TurtleCoin, is being spread via a sophisticated campaign relying on techniques often utilized by advanced persistent threat (APT) groups, such as using certificates and 20 different payload versions.

“Breached machines include over 50,000 servers belonging to companies in the healthcare, telecommunications, media and IT sectors,” researchers said in an analysis. “Once compromised, the targeted servers were infected with malicious payloads. These, in turn, dropped a crypto-miner and installed a sophisticated kernel-mode rootkit to prevent the malware from being terminated.”