50k Servers Infected with Cryptomining Malware in Nansh0u Campaign

silversurfer

Level 85
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Malware Hunter
Well-known
Aug 17, 2014
10,003
Up to 50,000 servers were infected over the past four months as part of a high-profile cryptojacking campaign, believed to orchestrated by Chinese-language adversaries.

Researchers with Guardicore Labs, who disclosed the campaign Wednesday, said that the Nansh0u campaign (named due to a text file string in the attacker’s servers being called Nansh0u) is “not another run-of-the-mill mining attack.”

The cryptomining malware, which targets an open source cryptocurrency called TurtleCoin, is being spread via a sophisticated campaign relying on techniques often utilized by advanced persistent threat (APT) groups, such as using certificates and 20 different payload versions.

“Breached machines include over 50,000 servers belonging to companies in the healthcare, telecommunications, media and IT sectors,” researchers said in an analysis. “Once compromised, the targeted servers were infected with malicious payloads. These, in turn, dropped a crypto-miner and installed a sophisticated kernel-mode rootkit to prevent the malware from being terminated.”
 

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top