According to a recent research report published by the cybersecurity research group Guardicore Labs, around 50,000 servers globally have allegedly been infected with an advanced cryptojacking malware that mines the privacy-focused cryptocurrency Turtlecoin (TRTL).
Cryptojacking is an industry term for hidden crypto-mining attacks: malware is installed that uses a computer's processing power to mine cryptocurrency without the knowledge of its owner.
Having initially detected the campaign earlier in April and traced its origins and progress, Guardicore Labs revealed that the malware has infected up to around 50,000 Windows MS-SQL and PHPMyAdmin servers globally over the past four months. The analysts dated the earliest attacks to late February and noted that the campaign grew precipitously, at a rate of over "seven hundred new victims per day."
Between 13 April and 13 May, the number of infected servers reportedly doubled, reaching 47,985.
Guardicore Labs added that the campaign isn't a typical crypto-miner attack: it relies on techniques usually seen in advanced persistent threat (APT) groups, along with fake certificates and privilege-escalation exploits.
The researchers nicknamed the campaign "Nansh0u," after a text-file string ostensibly used on the attacker's servers. It is believed to have been devised by Chinese-speaking threat actors, as the tools within the malware were reportedly written in EPL, a Chinese-based programming language. Moreover, several other log files and binaries on the servers reportedly contained Chinese strings.
The analysis explains further:
"Breached machines embrace over 50,000 servers that belong to several corporations within the health-care, telecommunications, media and IT sectors. Once compromised, the targeted servers were infected with malicious payloads. These, in turn, dropped a crypto-miner and installed a complex kernel-mode rootkit to forestall the malware from being terminated."
In terms of geographic spread, the bulk of the victims were reportedly in China, the U.S. and India, though the campaign is assumed to have reached around 90 countries. However, the precise profitability of the cryptojacking is harder to ascertain, the report adds, as the mined funds are held in the privacy coin Turtlecoin.
In a warning to organizations, the researchers underscored that "this campaign demonstrates again that most common passwords still comprise the weakest link in today's attack flows."
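The weak-password point above is the one defenders can act on directly: servers exposed with guessable MS-SQL credentials show up in their own logs as bursts of failed logins before a success. The following is an added example, not code from the report or from Guardicore Labs, that flags such bursts in SQL Server ERRORLOG-style entries. The log lines are constructed for illustration, and the five-failures-per-minute threshold is an assumed tuning value.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in the style of SQL Server ERRORLOG logon auditing
# (not taken from the report). One client hammers 'sa' and then gets in;
# another client has a single, unrelated failure.
SAMPLE_LOG = """\
2019-04-13 02:10:01.12 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.7]
2019-04-13 02:10:01.48 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.7]
2019-04-13 02:10:01.90 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.7]
2019-04-13 02:10:02.31 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.7]
2019-04-13 02:10:02.77 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.7]
2019-04-13 02:10:03.15 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.7]
2019-04-13 02:10:03.90 Logon       Login succeeded for user 'sa'. Connection made using SQL Server authentication. [CLIENT: 203.0.113.7]
2019-04-13 03:00:00.00 Logon       Login failed for user 'reports'. Reason: Password did not match that for the login provided. [CLIENT: 198.51.100.5]
"""

# Timestamp, outcome, login name and the client address in the trailing [CLIENT: ...] tag.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\.\d+\s+Logon\s+"
    r"Login (?P<result>failed|succeeded) for user '(?P<user>[^']*)'.*"
    r"\[CLIENT: (?P<client>[^\]]+)\]"
)


def parse_logon_events(log_text):
    """Turn ERRORLOG logon lines into dicts; lines that are not logon events are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
            "result": m["result"],
            "user": m["user"],
            "client": m["client"],
        })
    return events


def find_password_guessing(events, threshold=5, window=timedelta(minutes=1)):
    """Return {client: summary} for every client with >= threshold failures inside one window.

    threshold and window are assumed tuning values; adjust them to the server's normal traffic.
    The summary records whether a success followed the failures, which is the pattern
    consistent with a guessed password rather than a locked-out or misconfigured client.
    """
    by_client = defaultdict(list)
    for ev in events:
        by_client[ev["client"]].append(ev)

    alerts = {}
    for client, evs in by_client.items():
        evs.sort(key=lambda e: e["ts"])
        failures = [e for e in evs if e["result"] == "failed"]

        # Sliding window over the failure timestamps: largest count within `window`.
        peak, start = 0, 0
        for end in range(len(failures)):
            while failures[end]["ts"] - failures[start]["ts"] > window:
                start += 1
            peak = max(peak, end - start + 1)

        if peak >= threshold:
            last_failure = failures[-1]["ts"]
            success_after = any(
                e["result"] == "succeeded" and e["ts"] >= last_failure for e in evs
            )
            alerts[client] = {
                "peak_failures": peak,
                "users": sorted({e["user"] for e in failures}),
                "success_after_failures": success_after,
            }
    return alerts


if __name__ == "__main__":
    for client, info in find_password_guessing(parse_logon_events(SAMPLE_LOG)).items():
        print(f"{client}: {info}")
```

Only the first client trips the detector; the second has a single failure and is ignored. In a real deployment the same logic runs over the live ERRORLOG (or the equivalent audit events), and a hit with `success_after_failures` set should be treated as a probable credential compromise rather than noise.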
The privacy-focused coin Monero (XMR) has previously been far more prevalent in cryptojacking campaigns, with researchers reporting in December 2018 that about 90% of the currency in circulation had already been mined via malware.
A planned switch by Monero to a new proof-of-work (PoW) algorithm this October would ostensibly make it more "durable to conceal malicious mining attempts".