Nansh0u Miner Description
Trojanized cryptocurrency miners are rarely involved in elaborate, large-scale cyber attacks, but it would appear that the authors of the Nansh0u Miner are trying to change this by using state-of-the-art propagation techniques paired with a rootkit to gain persistence on the infected machines. The first traces of the Nansh0u Miner’s activity were seen in the early days of February, but the campaign’s reach has expanded dramatically since then – the most recent numbers show that over 50,000 systems might have been infected by the Nansh0u Miner.
Unlike many other Trojan miners, this one does not rely on mining a popular cryptocurrency; instead, its authors have opted to mine the rather obscure ‘TurtleCoin.’ However, this does not mean that the miner’s actions are less harmful than usual, since it will still utilize a large portion of the available CPU resources to solve complex computational problems, and the blockchain will reward it with TurtleCoin in return.
The attackers have infected over 50,000 computers by scanning the Internet for open ports used by the MS-SQL and phpMyAdmin services – if an accessible service is found, their bot will automatically try to log in using tens of thousands of pre-defined credentials. All successful attempts are saved to a log file, which is then used to access the exposed servers and plant a version of the Nansh0u Miner on them manually.
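The credential-spraying stage described above leaves a dense trail of failed logins on the targeted MS-SQL server. The following is an added example, not code from the original page or from any vendor, that flags a client that produces a burst of failed logins in SQL Server's ERRORLOG; the log lines, the threshold and the window size are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in SQL Server ERRORLOG format (not taken from the page):
# one client hammering 'sa' and 'admin' within a second, one ordinary user typo.
SAMPLE_LOG = """\
2019-02-10 03:14:01.23 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 198.51.100.7]
2019-02-10 03:14:01.41 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 198.51.100.7]
2019-02-10 03:14:01.58 Logon       Login failed for user 'admin'. Reason: Could not find a login matching the name provided. [CLIENT: 198.51.100.7]
2019-02-10 03:14:01.77 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 198.51.100.7]
2019-02-10 03:14:02.02 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 198.51.100.7]
2019-02-10 09:30:12.00 Logon       Login failed for user 'jsmith'. Reason: Password did not match that for the login provided. [CLIENT: 10.0.0.15]
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{2}) +Logon +"
    r"Login failed for user '(?P<user>[^']*)'.*\[CLIENT: (?P<client>[^\]\s]+)\]"
)

def parse_failures(log_text):
    """Yield (timestamp, user, client_ip) for every failed-login line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S.%f")
            yield ts, m.group("user"), m.group("client")

def find_bruteforce(log_text, threshold=5, window_seconds=60):
    """Return {client_ip: {"failures": n, "users": [...]}} for each client
    that produced at least `threshold` failures inside any `window_seconds` span."""
    per_client = defaultdict(list)
    for ts, user, client in parse_failures(log_text):
        per_client[client].append((ts, user))
    window = timedelta(seconds=window_seconds)
    hits = {}
    for client, events in per_client.items():
        events.sort()
        start = 0  # sliding window over the sorted failures of this client
        for end, (ts, _) in enumerate(events):
            while ts - events[start][0] > window:
                start += 1
            if end - start + 1 >= threshold:
                hits[client] = {"failures": len(events),
                                "users": sorted({u for _, u in events})}
                break
    return hits

if __name__ == "__main__":
    for ip, info in find_bruteforce(SAMPLE_LOG).items():
        print(f"{ip}: {info['failures']} failures, users tried {info['users']}")
```

A login success from a client that was just flagged is the event worth paging on, since the attackers reuse the logged credentials to return manually.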
In addition to setting up the miner, the attackers may also modify the Windows Registry to gain persistence, and place a kernel-mode driver signed with a certificate that the Certificate Authority Verisign issued to a fake Chinese company. The purpose of the kernel-mode driver is to protect the miner from being terminated, and to ensure that it is started again immediately if it is stopped. Verisign has since revoked the bogus certificate, which is likely to slow down the attackers’ campaign a bit.
The removal of the Nansh0u Miner and the rootkit that accompanies it can be completed with the use of a reputable and updated antivirus scanner. The infection vector that the attackers use serves as a good reminder of why it is important to secure all network-connected services and software with a strong password that cannot be brute-forced.
Use SpyHunter to Detect and Remove PC Threats
If you are concerned that malware or PC threats similar to Nansh0u Miner may have infected your computer, we recommend you start an in-depth system scan with SpyHunter. SpyHunter is an advanced malware protection and remediation application that offers subscribers a comprehensive method for protecting PCs from malware, in addition to providing one-on-one technical support.
Why can't I open any program including SpyHunter? You may have a malware file running in memory that kills any programs that you try to launch on your PC. Tip: Download SpyHunter from a clean computer, copy it to a USB thumb drive, DVD or CD, then install it on the infected PC and run SpyHunter's malware scanner.