Botnet Encyclopedia

A Knowledge Base of Attack Campaigns captured by Guardicore Global Sensor Network

Campaign Information

Name: Nansh0u (inactive)

First seen in Guardicore Centra: 2019-02-26

Last seen in Guardicore Centra: 2019-03-30

Nansh0u is a China-based campaign which aimed to infect Windows MS-SQL and phpMyAdmin servers worldwide. Breached machines included over 50,000 servers belonging to companies in the healthcare, telecommunications, media and IT sectors. Once compromised, the targeted servers were infected with malicious payloads. These, in turn, dropped a crypto-miner and installed a sophisticated kernel-mode rootkit to prevent the malware from being terminated.


Indicators of Compromise

Associated Files

Path | SHA256 | Size
C:\ProgramData\058.exe, C:\ProgramData\apexp.exe, C:\ProgramData\can.exe | 2b1c1c6d82837dbbccd171a0413c1d761b1f7c3668a21c63ca06143e731f030e | 54.50 KB
C:\hex9528Srv.exe, c:\hexcesrv.exe, C:\hexceSrv.exe… | d7ec3fcd80b3961e5bab97015c91c843803bb915c13a4a35dfb5e9bdf556c6d3 | 83.70 KB
C:\ProgramData\dllhot.exe | 15e5b1bfcd972f1d2e6c4298ed955603890d6c77f83c19591ef558a3e9606f35 | 4.55 MB
C:\ProgramData\apexd.exe | b987dcc752d9ceb3b0e6cd4370c28567be44b789e8ed8a90c41aa439437321c5 | 5.72 MB
C:\ProgramData\lt.exe | c49ff1e5b6151543346e1e9e23d3e034ffa568758f08a4dcd6bec41af9b3723e | 6.02 MB
C:\ProgramData\avast.exe | c9d8852745e81f3bfc09c0a3570d018ae8298af675e3c6ee81ba5b594ff6abb8 | 5.80 MB
C:\ProgramData\avast.exe | 350381c64073da55023db2796de64da7e53997b4a0ef76587b9f65f151da9e39 | 5.63 MB
C:\ProgramData\apex.exe | 08427d500b0360d00f6d9e86a6f80b0c905991db5fe6f707bc8ea42663a3ef08 | 5.71 MB
C:\ProgramData\apexp2012.exe | 01c3882e8141a25abe37bb826ab115c52fd3d109c4a1b898c0c78cee8dac94b4 | 148.00 KB

Attack Flow

Breached Services

MSSQL

Tags

MSSQL

Driver Start

Successful MSSQL Login

DNS Query

Persistency – Logon

IDS – Successful Administrator Privilege Gain

Download and Execute

Access Suspicious Domain

Driver Creation

Execute MsSql Shell Command

Outgoing Connection

Service Creation

CMD

File Operation By CMD

Incident Summary

A user logged in using MSSQL with the following credentials: sa / ******* – Authentication policy: White List

Successful MSSQL Login

MSSQL executed 8 shell commands

Execute MsSql Shell Command

IDS detected Successful Administrator Privilege Gain: Microsoft CScript Banner Outbound

IDS – Successful Administrator Privilege Gain

The file C:\ProgramData\apexp.exe was downloaded and executed

Download and Execute

The file C:\ProgramData\lt.exe was downloaded and executed

Download and Execute

c:\windows\system32\services.exe installed and started \\c:\users\admini~1\appdata\local\temp\ebnqfp1.sys as a service named SA6482 under service group None

Driver Start

Service Creation

c:\programdata\lt.exe installed a Persistency – Logon backdoor by modifying Windows Registry

Persistency – Logon

Process c:\windows\system32\attrib.exe attempted to access domains: lokiturtle.herominers.com, pool.minexmr.com and pool.supportxmr.com

DNS Query

Process c:\windows\system32\attrib.exe generated outgoing network traffic to: 78.46.106.203:10521

Outgoing Connection

Process c:\windows\system32\attrib.exe attempted to access suspicious domains: mine.dego.c3pool.com

Outgoing Connection

DNS Query

Access Suspicious Domain

Connection was closed due to timeout