DeepSec 2019 Talk: The Turtle Gone Ninja – Investigation of an Unusual Crypto-Mining Campaign – Ophir Harpaz

Sanna/ September 20, 2019/ Conference, Security

Entrance to a W. Va. coal mine: a "drift" mine. The live-wire was only shoulder -high in places inside, and unprotected. Location: West Virginia. Source: the absence of blockchain and „crypto“ at DeepSec we have some content which covers security incidents connected to both terms. Ophir Harpaz will present her insights into an attack that is used to do „crypto“ mining. She describes what to expect in her own words:

At first sight, Nansh0u is yet another attack campaign aiming to mine a marginal crypto-currency named TurtleCoin. However, things get much more interesting once you gain full access to the attacker’s infrastructure. Our investigation revealed a complete picture of how the Nansh0u campaign operates, who the infected victims are and what advanced tools are used in the attacks. Port scanner, brute-force module, remote-code execution tool, verbose log files and tens of different malware payloads – these are only a portion of the attacker’s assets we managed to put our hands on. The real icing on the cake, however, are the signed rootkit and sophisticated privilege escalation exploits dropped onto each one of the 50k infected victim machines.
In this talk, we will walk our listeners through the Nansh0u campaign from beginning to end – starting with the port scanning phase and ending with the exploit, miner payload and rootkit running on the compromised machines. This attack pattern resembles that of many campaigns targeting data-centres nowadays. Our goal is to demonstrate how even a common Cyber criminal wishing for TurtleCoin, has access to the toolsets of an experienced Ninja-hacker.


Ophir Harpaz is a security researcher at Guardicore Labs. At work, she delves into Cyber attacks targeting data centres and analyses malware. BSc in Computer Science and Linguistics from Tel Aviv University. She also runs and maintains the popular workshop for reverse engineering newcomers.






Daniel Goldberg is a security researcher at Guardicore, where he is responsible for tracking the security intelligence, including detailed analysis of hackers’ methodologies, for use in implementing countermeasures into Guardicore products and services. Daniel has over 10 years of cyber security research experience and his research has been presented in security conferences such as Black Hat USA. He also maintains the Infection Monkey, an open source breach and attack simulation tool. 

Share this Post