Guardiola Labs security researchers today published a detailed report on a widespread cryptojacking campaign that targets Windows MS-SQL and PHPMyAdmin servers worldwide.
Dubbed Nanshu, the malicious campaign is run by an APT-style Chinese hacking group. It has already infected about 50,000 servers and installs a sophisticated kernel-mode rootkit on compromised systems to prevent the malware from being terminated.
The campaign started on 26 February but was only discovered at the beginning of April. Since then, 20 different payload versions have been distributed from various hosting providers.
The attack on publicly accessible Windows MS-SQL and PHPMyAdmin servers relies on a simple port scanner to find targets, followed by brute-force login attempts against the discovered servers.
After a successful login with administrative privileges, the attacker executes a sequence of MS-SQL commands on the compromised system to download malicious payloads from remote file servers and run them with system privileges.
In the background, the payload exploits a known privilege escalation vulnerability (CVE-2014-4113) to gain SYSTEM privileges on the compromised systems.
“Using this Windows privilege, the attacking exploit injects code into the Winlogon process. The injected code creates a new process that inherits Winlogon's system privileges, which provides permissions equivalent to the previous version.”
The payload then installs cryptocurrency mining malware on the server to mine at the victim's expense.
In addition, the malware prevents its process from being terminated by using a digitally signed kernel-mode rootkit for persistence.
“We found that the driver had a digital signature issued by the top certificate authority Verisign. The certificate, which has expired, is in the name of a fake Chinese company, Hangzhou Hutian Network Technology.”
The researchers have also released a complete list of IoCs and a free PowerShell-based script that Windows administrators can use to check whether their systems are infected.
Because the attack depends on weak username and password combinations for MS-SQL and PHPMyAdmin servers, administrators are advised to always use strong, complex passwords for these accounts.
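Since the campaign gets its initial foothold through brute-forced MS-SQL logins, the attempts themselves are visible in the SQL Server error log as repeated error 18456 ("Login failed for user") entries from the same client. The following is an added example, not part of the original report or the researchers' PowerShell script: a small Python parser that reads ERRORLOG-style lines, groups failed logins by client address, and flags any client that exceeds a threshold of failures within a sliding time window. The log lines, the client addresses and the threshold values are constructed for illustration, and the `Logon ... Login failed for user '...' [CLIENT: ...]` layout follows the usual SQL Server error-log format.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in SQL Server ERRORLOG style (not a real captured log).
# Six rapid failures from 203.0.113.5 (a brute-force burst), one isolated
# failure from 198.51.100.7, and one unrelated startup line that must be ignored.
SAMPLE_LOG = """\
2019-04-01 10:00:00.00 spid10s     Starting up database 'master'.
2019-04-01 10:00:01.23 Logon       Error: 18456, Severity: 14, State: 8.
2019-04-01 10:00:01.23 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2019-04-01 10:00:01.40 Logon       Error: 18456, Severity: 14, State: 8.
2019-04-01 10:00:01.40 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2019-04-01 10:00:01.58 Logon       Error: 18456, Severity: 14, State: 8.
2019-04-01 10:00:01.58 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2019-04-01 10:00:01.75 Logon       Error: 18456, Severity: 14, State: 8.
2019-04-01 10:00:01.75 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2019-04-01 10:00:01.91 Logon       Error: 18456, Severity: 14, State: 8.
2019-04-01 10:00:01.91 Logon       Login failed for user 'admin'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2019-04-01 10:00:02.10 Logon       Error: 18456, Severity: 14, State: 8.
2019-04-01 10:00:02.10 Logon       Login failed for user 'admin'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2019-04-01 10:05:00.00 Logon       Error: 18456, Severity: 14, State: 8.
2019-04-01 10:05:00.00 Logon       Login failed for user 'dbadmin'. Reason: Password did not match that for the login provided. [CLIENT: 198.51.100.7]
"""

# Matches only the "Login failed for user" line that follows each error 18456 entry.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{2}) Logon\s+"
    r"Login failed for user '(?P<user>[^']*)'\..*\[CLIENT: (?P<client>[^\]]+)\]"
)


def parse_failed_logins(text):
    """Return a list of (timestamp, user, client) tuples for each failed login."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # error-code lines and unrelated log lines are skipped
        ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S.%f")
        events.append((ts, m.group("user"), m.group("client")))
    return events


def find_bruteforce_sources(events, threshold=5, window=timedelta(seconds=60)):
    """Flag clients with >= threshold failed logins inside any sliding window.

    Returns {client: {"failures": total, "users": [...], "window_start": ts,
    "window_end": ts}} for each offending client.
    """
    by_client = defaultdict(list)
    for ts, user, client in events:
        by_client[client].append((ts, user))

    alerts = {}
    for client, attempts in by_client.items():
        attempts.sort()
        start = 0
        for end in range(len(attempts)):
            # Slide the window start forward until it fits within `window`.
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            if end - start + 1 >= threshold:
                alerts[client] = {
                    "failures": len(attempts),
                    "users": sorted({u for _, u in attempts}),
                    "window_start": attempts[start][0],
                    "window_end": attempts[end][0],
                }
                break  # one alert per client is enough
    return alerts


if __name__ == "__main__":
    for client, info in find_bruteforce_sources(parse_failed_logins(SAMPLE_LOG)).items():
        print(f"{client}: {info['failures']} failed logins, users tried {info['users']}, "
              f"burst {info['window_start']} .. {info['window_end']}")
```

Run against a real ERRORLOG the same way (read the file, pass its text to `parse_failed_logins`), tuning `threshold` and `window` to the server's normal failure rate; a client that trips the alert while cycling through `sa` and other administrative names is exactly the pattern the campaign relies on, and is a signal to block the source and verify that the targeted accounts have strong passwords.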