The Nansh0u campaign: Cryptojacking medical computing power

On 29 May 2019, security researchers published details of a malware campaign that had allegedly infected over 50,000 MS-SQL and PHPMyAdmin servers around the world since February of that year. The malware, Nansh0u, is a cryptominer (CERT-EU, n.d.). Nansh0u is believed to be a China-based campaign. Its name is derived from a string found in a text file on a server that the attacker or attackers used (Harpaz & Goldberg, 2019).

As is characteristic of cryptominers or cryptojackers, Nansh0u hijacked the computing power of the servers it infected. In this case, it was used to mine TurtleCoin (TRTL), a privacy-focused open source cryptocurrency (CERT-EU, n.d.; Harpaz & Goldberg, 2019). Additionally, servers were infected with malicious payloads, which installed a sophisticated rootkit to prevent the malware itself from being interrupted (Harpaz & Goldberg, 2019; Tarsitano, 2019). Because of this, it is believed that cyberespionage or sabotage may have been part of the motivation behind Nansh0u.

The process of mining cryptocurrency is complicated and time-consuming, and it requires large amounts of computing power. Access to this computing power is expensive because of hardware and energy costs (Walker, Shepherd, & Afifi-Sabet, 2019). Hackers aim to gain access to the servers and computers of both organisations and individuals to avoid these costs.

In this case, the affected servers belonged to healthcare organisations, telecom and media businesses, and IT companies. These are all organisations with high computing capabilities in house, making them highly attractive targets to hackers wanting to mine cryptocurrencies (Harpaz & Goldberg, 2019; Walker et al., 2019).

Nansh0u made use of a port scanner to scan IP addresses, testing whether the machine at each address was an MS-SQL server by probing whether typical MS-SQL ports were open (Harpaz & Goldberg, 2019). This particular scanner has been known since 2014, which suggests that organisations should have had time to secure their servers.

Another factor that increased Nansh0u’s effectiveness was the weakness of the access credentials used on the servers. Access to the identified servers was gained through brute force, meaning the malware tried thousands of common login credentials to gain access (Harpaz & Goldberg, 2019), a relatively simple but effective method.
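One way a defender could spot this brute-force pattern in SQL Server's own logon records (an added example, not code from the original article or from the cited researchers). The log lines are constructed in the ERRORLOG format, the function name, threshold and window are illustrative assumptions, and successful logins appear in the log only when login auditing is set to record both failed and successful logins.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in SQL Server ERRORLOG format; addresses are documentation ranges.
SAMPLE_LOG = """\
2019-05-29 10:15:01.10 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.7]
2019-05-29 10:15:02.31 Logon       Login failed for user 'admin'. Reason: Could not find a login matching the name provided. [CLIENT: 203.0.113.7]
2019-05-29 10:15:03.02 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.7]
2019-05-29 10:15:03.90 Logon       Login failed for user 'root'. Reason: Could not find a login matching the name provided. [CLIENT: 203.0.113.7]
2019-05-29 10:15:04.77 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.7]
2019-05-29 10:15:06.12 Logon       Login succeeded for user 'sa'. Connection made using SQL Server authentication. [CLIENT: 203.0.113.7]
2019-05-29 10:20:40.55 Logon       Login failed for user 'reports'. Reason: Password did not match that for the login provided. [CLIENT: 198.51.100.20]
2019-05-29 10:20:52.08 Logon       Login succeeded for user 'reports'. Connection made using SQL Server authentication. [CLIENT: 198.51.100.20]
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\.\d+\s+Logon\s+"
    r"Login (?P<result>failed|succeeded) for user '(?P<user>[^']*)'.*"
    r"\[CLIENT: (?P<ip>[^\]]+)\]")

def detect_bruteforce(log_text, threshold=5, window=timedelta(seconds=60)):
    """Flag clients with at least `threshold` failed logins inside `window`."""
    events = defaultdict(list)            # client ip -> [(time, succeeded, user)]
    for line in log_text.splitlines():    # ERRORLOG lines are in time order
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
            events[m["ip"]].append((ts, m["result"] == "succeeded", m["user"]))
    findings = {}
    for ip, evs in events.items():
        fails = [t for t, ok, _ in evs if not ok]
        # Time of the failure that completes the first burst of `threshold` failures.
        hit = next((fails[i] for i in range(threshold - 1, len(fails))
                    if fails[i] - fails[i - threshold + 1] <= window), None)
        if hit is None:
            continue                      # e.g. a single mistyped password
        findings[ip] = {
            "failures": len(fails),
            "users_tried": sorted({u for _, ok, u in evs if not ok}),
            # A success after the burst suggests a guessed password.
            "success_after": sorted({u for t, ok, u in evs if ok and t >= hit}),
        }
    return findings

if __name__ == "__main__":
    for ip, info in detect_bruteforce(SAMPLE_LOG).items():
        print(ip, info)
```

A non-empty `success_after` is the case to escalate: the guessing stopped because a credential worked, so the login should be treated as compromised rather than merely targeted.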

The case of Nansh0u highlights the importance of staying up to date on security events and of updating security measures on servers. This case also shows the importance of creating unique and hard-to-crack login credentials.


CERT-EU. (n.d.). Hackers infected over 50K Windows MS-SQL and PHPMyAdmin servers worldwide with cryptomining malware. Retrieved 30 September 2019, from CERT-EU Monitor website:

Harpaz, O., & Goldberg, D. (2019, May 29). The Nansh0u Campaign: Hackers Arsenal Grows Stronger. Retrieved 30 September 2019, from Guardicore – Data Center and Cloud Security website:

Tarsitano, P. (2019, May 30). Nansh0u, il cryptojacking che ha già infettato 50.000 server MS-SQL e PHPMyAdmin: tutti i dettagli. Retrieved 30 September 2019, from Cyber Security 360 website:

Walker, D., Shepherd, A., & Afifi-Sabet, K. (2019, June 25). What is cryptocurrency mining? Retrieved 30 September 2019, from IT PRO website: