Guardicore Labs: Turtlecoin (TRTL) Privacy Token at Heart of Cryptojacking Malware on 50,000 Servers
A recent analysis by the cybersecurity group Guardicore Labs found that as many as 50,000 servers around the world are currently infected with malware used for cryptojacking. The infected machines were mining a cryptocurrency called Turtlecoin (TRTL).
In case you are not familiar with cryptojacking, you should know that it is what happens when criminals use malware to hijack victims' computers and mine tokens with the victims' computing power, using stealth techniques to avoid detection.
According to the most recent reports, the campaign was first detected in April and has infected computers running Windows MS-SQL and PHPMyAdmin servers. The attacks started in February, so they went undetected for over a month, compromising several hundred machines per day.
Between April 13 and May 13, the malware reached 48,000 servers. Guardicore Labs noted, however, that this campaign was not typical and differed in several ways from other recent infections.
For instance, this one relied heavily on tactics that are considered advanced, such as privilege escalation exploits and forged certificates.
The campaign, nicknamed Nansh0u, is believed to have been created by Chinese-speaking threat actors who exploited several weaknesses in the targeted systems. The language used in the code, for instance, is Chinese, which helped point to the attackers' origin.
An analyst from the group explained that most of the affected machines belonged to sectors such as media, telecom, healthcare and IT. Once a machine was compromised, the attackers installed a sophisticated kernel-mode rootkit to prevent the malware from being terminated.
Most of the victims were in three countries: China, India and the United States, which is unsurprising given the size of those countries. Although these were the main targets, over 90 countries were affected to some degree.
The researchers were unable to determine how profitable the operation has been, mainly because of its large scale and because the funds were mined in a privacy coin rather than something like Bitcoin.
The researchers' final conclusion is that this campaign is a clear example of how weak passwords remain one of the weakest links in today's attacks, since they are easy to crack.
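Since the report's lesson is that weak passwords on exposed MS-SQL and PHPMyAdmin servers were the entry point, one defensive step is to watch for bursts of failed logins, which is what password guessing looks like from the server side. The script below is an added example and is not code from Guardicore Labs or from the article; the log format (timestamp, source IP, service, account, separated by " | ") and the sample lines are constructed for illustration, and the service name "mssql" and the threshold of five failures per minute are assumptions to be adapted to real logs.

```python
"""Flag password-guessing bursts against a database listener from failed-login log lines.

Added example, not part of the Guardicore report. The log format is
constructed: one line per failed login, fields separated by " | "
(timestamp, source IP, target service, account). Real SQL Server or
PHPMyAdmin logs differ; adapt parse_line() to the actual format.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: a burst of failures from one external source against
# the 'sa' account, plus two ordinary typos from an internal host.
SAMPLE_LOG = """\
2019-04-13T10:00:01 | 203.0.113.7 | mssql | sa
2019-04-13T10:00:02 | 203.0.113.7 | mssql | sa
2019-04-13T10:00:02 | 203.0.113.7 | mssql | sa
2019-04-13T10:00:03 | 203.0.113.7 | mssql | sa
2019-04-13T10:00:04 | 203.0.113.7 | mssql | sa
2019-04-13T10:00:05 | 203.0.113.7 | mssql | sa
2019-04-13T10:00:30 | 10.0.0.5 | mssql | reports
2019-04-13T10:05:00 | 10.0.0.5 | mssql | reports
"""


def parse_line(line):
    """Split one constructed log line into (timestamp, source, service, account)."""
    ts, src, service, account = [field.strip() for field in line.split("|")]
    return datetime.fromisoformat(ts), src, service, account


def find_bursts(log_text, service="mssql", threshold=5, window=timedelta(seconds=60)):
    """Return {(source, account): max_failures_in_window} for every source/account
    pair that accumulated at least `threshold` failed logins inside any sliding
    `window`. Isolated typos fall below the threshold and are not reported."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, svc, account = parse_line(line)
        if svc != service:
            continue
        events[(src, account)].append(ts)

    flagged = {}
    for key, times in events.items():
        times.sort()
        start = 0
        best = 0
        # Two-pointer sliding window: count the densest run of failures.
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[key] = best
    return flagged


if __name__ == "__main__":
    for (src, account), count in find_bursts(SAMPLE_LOG).items():
        print(f"possible password guessing: {src} -> {account} ({count} failures/min)")
```

Run against the constructed sample, only the external source hammering `sa` is reported; the internal host's two failures five minutes apart stay below the threshold. A burst like this is the point to lock the account, restrict the listener to trusted networks, and replace any guessable password, which is the weakness the report says Nansh0u depended on.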
As you may know, most cryptojacking attacks today are based on Monero (XMR). This privacy coin is by far the most popular choice, and researchers estimate that at least 5% of the total Monero supply mined to date was mined using malware.
After Coinhive was shut down recently, the amount of Monero-based cryptojacking malware decreased somewhat. Note, however, that Monero is still the number one token used in this kind of operation.