At first sight, Nansh0u is yet another attack campaign aiming to mine a marginal cryptocurrency named TurtleCoin. However, things get much more interesting once you gain full access to the attacker's infrastructure.
Our investigation revealed a complete picture of how the Nansh0u campaign operates, which victims are in the crosshairs and what advanced tools are used in the attacks. A port scanner, a brute-force module, a remote-code-execution tool, verbose log files and dozens of different malware payloads are only a portion of the attacker's assets we managed to get our hands on. The real icing on the cake, however, is the signed rootkit and the sophisticated privilege-escalation exploits dropped onto each of the 50k infected victim machines.
In this talk, we will walk the audience through the Nansh0u campaign from beginning to end, starting with the port-scanning phase and ending with the exploit, miner payload and rootkit running on the compromised machines.
This attack pattern resembles that of many campaigns targeting data centers today. Our goal is to demonstrate how even a common cybercriminal after some TurtleCoin has access to the toolset of an experienced ninja hacker.
Ophir Harpaz is a security researcher at Guardicore Labs. At work, she delves into cyberattacks targeting data centers and analyzes malware. She holds a BSc in Computer Science and Linguistics from Tel Aviv University.
She also runs and maintains the popular begin.re workshop for reverse engineering newcomers.
Daniel Goldberg is a security researcher at Guardicore, where he is responsible for tracking security intelligence, including detailed analysis of hackers' methodologies, for use in implementing countermeasures in Guardicore products and services. Daniel has over 10 years of cyber-security research experience, and his research has been presented at security conferences such as Black Hat USA. He also maintains the Infection Monkey, an open-source breach and attack simulation tool.