RootKit malware infects thousands of MS-SQL & PHPMyAdmin Servers


More than 50,000 MS-SQL and PHPMyAdmin were corrupted by Chinese hackers,
exploiting a TurtleCoin production from the group called Nansh0u.

This mass violation has been discovered since the beginning of April 2019, while this campaign has started its work since 26 February 2019.

This attack was aimed at RootKit malware infected with a large number of servers, located throughout the world belonging to different companies in the wider industry sectors.

“During our investigations, we found 20 different versions of payloads infected, with a payload at the beginning of each week used for bad purposes the hackers used five attack servers at the same time, “Guardicore said after the discoveries they made on their laboratories.

Guardianship team investigators discovered the following details after the conducted analysis:

  • Execution of Cyrpto-Currency Miner;
  • Creating new rolls in the registers using run-keys;
  • Protect mining process by using kernel-mode rootkit;
  • Ensure the execution of the miners on a continuous basis by means of an overhaul mechanism;

Many of the payloads on the infected servers hacked a driver called VMProtect-obfuscated kernel-mode, to avoid detection by most anti-virus search engines.

Also in this process was used a revoked certificate issued by a Chinese company called Hangzhou Hootian Network Technology.


Please enter your comment!
Please enter your name here