Week 22, 2019

Nansh0u | Qulab | BCH | AntMiner

A relatively quiet week with several interesting research articles discussing increasingly sophisticated cryptocurrency mining and stealing malware, a detailed technical report on the BCH miner hash fight, and a fun vulnerability hunt inside AntMiner firmware.


  • The Nansh0u Campaign - Hackers Arsenal Grows Stronger - a detailed report on an advanced threat actor targeting MS-SQL and PHPMyAdmin servers. The actor is unique in their use of Easy Programming Language (EPL), a Chinese-based programming language, as well as an advanced arsenal including kernel rootkits and signed backdoors, with the ultimate goal of Monero mining.

  • YouTube Cryptocurrency Videos Pushing Info-Stealing Trojan - a phishing campaign on YouTube advertising a “bitcoin generator” was found to be distributing the Qulab Trojan. The AutoIT-based malware has a number of features, including a credential harvester and a wallet clipper designed to replace cryptocurrency addresses stored in the clipboard for a number of coin types such as Bitcoin, Bitcoin Cash, Ethereum, Litecoin, Monero, and many others.

  • North Korean Hackers Target Crypto Exchange UPbit’s South Korean Users - yet another attempt to infect exchange users with a malicious payload. The attackers attempted to hide the malware from AV engines by password-protecting it with the password “UPBIT”.


  • A Deep Dive into the Recent BCH Hard Fork Incident - the research article reveals additional details on the reorg event on the BCH network, where a large mining pool, BTC.top, fought back against an unknown miner to return about $1.4 million worth of BCH to its rightful owners. As a co-author of the article, we take a deep dive into the fascinating technical challenges that had to be solved in order not only to make previously lost funds recoverable, but also to precisely calculate the equivalent non-segwit addresses to send them to.

  • Unpacking ASIC firmware: AntMiner Exploited - an interesting study of taking apart AntMiner firmware and of a signature verification vulnerability that may be used to upload unsigned binaries.

That’s all for this week’s threat intelligence report. As always, feel free to send any interesting blockchain security-related news or suggestions for improving this newsletter.