Nansh0u Miner Description
The Nansh0u Miner was first spotted back in February. Ever since then, this cryptocurrency miner has been alive and well, spreading to tens of thousands of computers worldwide according to the latest estimates. The authors of the Nansh0u Miner are running a very large campaign, and they do not seem to be slowing down any time soon. Not only have the attackers spread their threat masterfully, but they have also built it expertly, to the point where it could be referred to as a state-of-the-art cryptocurrency miner.
Most authors of cryptocurrency miners opt to mine popular currencies like Bitcoin and Ethereum. However, the individuals behind the Nansh0u Miner have chosen to mine the little-known 'TurtleCoin.' This being said, the Nansh0u Miner is just as harmful to the infiltrated system as any other cryptocurrency miner. The threat consumes the CPU of the machine and is likely to greatly reduce the lifespan of the PC it is exploiting.
So far, the Nansh0u Miner has infected over 50,000 devices spread across nearly a hundred countries, though a large portion of the compromised hosts is concentrated in North America and India. The attackers use a set of tools that scan the Internet for open ports used by MS-SQL or phpMyAdmin services, and then attempt to log in using a list of username and password combinations chosen by the attackers, a basic form of brute-forcing. Whenever the bot guesses the correct username and password combination used by the host, it saves the result to a log file that the attackers later use to access the compromised system and plant the Nansh0u Miner manually.
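The brute-force-then-login pattern described above leaves a trace on the database side. The following is an added example, not code from the original article or from the Nansh0u campaign, that scans constructed SQL Server login-audit lines and flags any client whose successful login follows a burst of failed attempts; the line format, IP addresses and thresholds are assumptions made for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines, loosely modelled on SQL Server login auditing output.
# Timestamps, user names and client IPs are made up for this example.
SAMPLE_LOG = """\
2019-05-20 10:00:01.10 Logon Login failed for user 'sa'. Reason: Password did not match. [CLIENT: 203.0.113.5]
2019-05-20 10:00:01.40 Logon Login failed for user 'sa'. Reason: Password did not match. [CLIENT: 203.0.113.5]
2019-05-20 10:00:01.80 Logon Login failed for user 'sa'. Reason: Password did not match. [CLIENT: 203.0.113.5]
2019-05-20 10:00:02.20 Logon Login failed for user 'admin'. Reason: Could not find a login matching the name. [CLIENT: 203.0.113.5]
2019-05-20 10:00:02.60 Logon Login failed for user 'sa'. Reason: Password did not match. [CLIENT: 203.0.113.5]
2019-05-20 10:00:03.00 Logon Login succeeded for user 'sa'. Connection made using SQL Server authentication. [CLIENT: 203.0.113.5]
2019-05-20 10:15:00.00 Logon Login failed for user 'report'. Reason: Password did not match. [CLIENT: 10.0.0.7]
2019-05-20 10:15:30.00 Logon Login succeeded for user 'report'. Connection made using SQL Server authentication. [CLIENT: 10.0.0.7]
"""

# Assumed line layout: timestamp, "Logon", outcome, user name, free text, client IP.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d+) Logon Login (?P<result>failed|succeeded) "
    r"for user '(?P<user>[^']*)'.*\[CLIENT: (?P<client>[^\]]+)\]"
)

def parse_logon_events(text):
    """Yield (timestamp, result, user, client) for every recognised Logon line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S.%f")
            yield ts, m["result"], m["user"], m["client"]

def find_bruteforce_logins(text, threshold=5, window_seconds=60):
    """Return one alert per successful login that follows at least `threshold`
    failures from the same client within `window_seconds`: the signature of a
    password-list attack that eventually guesses right."""
    failures = defaultdict(list)  # client -> timestamps of recent failed logins
    alerts = []
    for ts, result, user, client in parse_logon_events(text):
        # Keep only failures that are still inside the sliding window.
        recent = [t for t in failures[client] if (ts - t).total_seconds() <= window_seconds]
        if result == "failed":
            recent.append(ts)
            failures[client] = recent
        elif len(recent) >= threshold:
            alerts.append({"client": client, "user": user, "failures": len(recent), "at": ts})
            failures[client] = []  # reset so the same burst is not reported twice
    return alerts
```

With the sample above, only 203.0.113.5 is reported: five failures in under two seconds followed by a successful 'sa' login, while the single mistyped password from 10.0.0.7 stays below the threshold.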
Naturally, the Nansh0u Miner would not be considered a state-of-the-art threat if the authors had not implemented measures to gain persistence. In the case of the Nansh0u Miner, this has been achieved by modifying the Windows Registry. Apart from using a Registry key to run the miner whenever Windows starts, the attackers have also taken advantage of a rootkit working as a kernel-mode driver that even carries a valid certificate, issued by the certificate authority Verisign. The certificate has already been revoked, but a large portion of the damage has been done, and it is probably only a matter of time before the criminals behind the campaign get their hands on another valid certificate to help their rootkit bypass basic Windows defenses.
To ensure that you do not become one of the growing number of victims of the Nansh0u Miner, it is crucial to obtain a reputable anti-malware solution and to make sure you update it regularly.