As many as 50,000 servers worldwide have allegedly been infected with an advanced cryptojacking malware that mines the privacy-focused open source cryptocurrency turtlecoin (TRTL). The news was revealed in an analysis by international hacker and cybersecurity expert group Guardicore Labs on May 29.
As reported, cryptojacking is an industry term for stealth crypto mining attacks which work by installing malware that uses a computer’s processing power to mine for cryptocurrencies without the owner’s consent or knowledge.
Having first detected the campaign in April and traced its origins and progress, Guardicore Labs believes the malware has infected up to 50,000 Windows MS-SQL and PHPMyAdmin servers over the past four months worldwide. The analysts backdated attacks to late February, noting the campaign’s precipitous expansion at a rate of over “seven hundred new victims per day.”
Between April 13 and May 13, the number of infected servers reportedly doubled to hit 47,985.
Guardicore Labs notes that the malware campaign is not a regular typical crypto-miner attack, as it relies on techniques commonly seen in advanced persistent threat groups, including fake certificates and privilege escalation exploits.
The researchers have nicknamed the campaign “Nansh0u,” after a text file string ostensibly used in the attacker’s servers. It is believed to have been devised by sinophone threat actors, as the tools in the malware were reportedly written in the Chinese-based programming language EPL. Moreover, a number of log files and binaries on the servers reportedly included Chinese strings. As the analysis explains:
“Breached machines include over 50,000 servers belonging to companies in the healthcare, telecommunications, media and IT sectors. Once compromised, the targeted servers were infected with malicious payloads. These, in turn, dropped a crypto-miner and installed a sophisticated kernel-mode rootkit to prevent the malware from being terminated.”
In terms of geographic spread, the majority of targeted victims were reportedly in China, the United States and India — although the campaign is thought to have diffused across as many as 90 countries. The exact profitability of the cryptojacking is more difficult to ascertain, the report notes, as funds mined are in the privacy coin turtlecoin.
In a warning to organizations, the researchers underscored that “this campaign demonstrates once again that common passwords still comprise the weakest link in today’s attack flows.”
The privacy-centric coin monero (XMR) has historically been particularly prevalent in cryptojacking campaigns, with researchers reporting in mid-2018 that around 5% of the currency in circulation had been mined through malware.
A potential switch for XMR to a new proof-of-work algorithm this October would ostensibly make it harder to conceal malicious mining attempts.