Windows and Linux users need to beware, as an all-in-one, destructive malware strain has been discovered in the wild that features multiple malware capabilities including ransomware, cryptocurrency miner, botnet, and self-propagating worm targeting Linux and Windows systems.
Dubbed XBash, the new malware, believed to be tied to the Iron Group, a.k.a. Rocke—the Chinese speaking APT threat actors group known for previous cyber attacks involving ransomware and cryptocurrency miners.
According to the researchers from security vendor Palo Alto Networks, who uncovered the malware, XBash is an all-in-one malware that features ransomware and cryptocurrency mining capabilities, as well as worm-like ability similar to WannaCry or Petya/NotPetya.
In addition to self-propagating capabilities, XBash also contains a functionality, which is not yet implemented, that could allow the malware to spread quickly within an organization's network.
Developed in Python, XBash hunts for vulnerable or unprotected web services and deletes databases such as MySQL, PostgreSQL, and MongoDB running on Linux servers, as part of its ransomware capabilities.
Xbash has been designed to scan for services on a target IP, on both TCP and UDP ports such as HTTP, VNC, MySQL/MariaDB, Telnet, FTP, MongoDB, RDP, ElasticSearch, Oracle Database, CouchDB, Rlogin and PostgreSQL.
Once find an open port, the malware uses a weak username and password dictionary attack to brute force itself into the vulnerable service, and once in, deletes all the databases and then displays the ransom note.
What's worrisome is that the malware itself does not contain any functionality that would allow the recovery of the deleted databases once a ransom amount has been paid by the victims.
To date, XBash has infected at least 48 victims, who have already paid the ransom, making about $6,000 to date for cybercriminals behind the threat. However, researchers see no evidence that the paid payments have resulted in the recovery of data for the victims.
The malware also has capabilities to add targeted Linux-based systems in a botnet.
On the other hand, XBash targets Microsoft Windows machines only for cryptocurrency mining and self-propagation. For self-propagation, it exploits three known vulnerabilities in Hadoop, Redis, and ActiveMQ:
If the entry point is a vulnerable Redis service, Xbash will send malicious JavaScript or VBScript payload for downloading and executing a coinminer for Windows instead of its botnet and ransomware module.
As mentioned above, Xbash is developed in Python and then was converted to Portable Executable (PE) using PyInstaller, which can create binaries for multiple platforms, including Windows, Apple macOS, and Linux, and also provides anti-detection.
This, in turn, enables XBash to be truly cross-platform malware, though, at the time of writing, researchers found samples only for Linux and did not see any Windows or macOS versions of Xbash.
Users can protect themselves against XBash by following basic cybersecurity practices, including:
Dubbed XBash, the new malware, believed to be tied to the Iron Group, a.k.a. Rocke—the Chinese speaking APT threat actors group known for previous cyber attacks involving ransomware and cryptocurrency miners.
According to the researchers from security vendor Palo Alto Networks, who uncovered the malware, XBash is an all-in-one malware that features ransomware and cryptocurrency mining capabilities, as well as worm-like ability similar to WannaCry or Petya/NotPetya.
In addition to self-propagating capabilities, XBash also contains a functionality, which is not yet implemented, that could allow the malware to spread quickly within an organization's network.
Developed in Python, XBash hunts for vulnerable or unprotected web services and deletes databases such as MySQL, PostgreSQL, and MongoDB running on Linux servers, as part of its ransomware capabilities.
Important: Paying Ransom Will Get You Nothing!
Xbash has been designed to scan for services on a target IP, on both TCP and UDP ports such as HTTP, VNC, MySQL/MariaDB, Telnet, FTP, MongoDB, RDP, ElasticSearch, Oracle Database, CouchDB, Rlogin and PostgreSQL.
Once find an open port, the malware uses a weak username and password dictionary attack to brute force itself into the vulnerable service, and once in, deletes all the databases and then displays the ransom note.
What's worrisome is that the malware itself does not contain any functionality that would allow the recovery of the deleted databases once a ransom amount has been paid by the victims.
To date, XBash has infected at least 48 victims, who have already paid the ransom, making about $6,000 to date for cybercriminals behind the threat. However, researchers see no evidence that the paid payments have resulted in the recovery of data for the victims.
The malware also has capabilities to add targeted Linux-based systems in a botnet.
XBash Malware Exploits Flaws in Hadoop, Redis, and ActiveMQ
On the other hand, XBash targets Microsoft Windows machines only for cryptocurrency mining and self-propagation. For self-propagation, it exploits three known vulnerabilities in Hadoop, Redis, and ActiveMQ:
- Hadoop YARN ResourceManager unauthenticated command execution bug disclosed in October 2016 and has no CVE number assigned.
- Redis arbitrary file writes, and remote command execution vulnerability disclosed in October 2015 with no CVE number assigned.
- ActiveMQ arbitrary file write vulnerability (CVE-2016-3088), disclosed in earlier 2016.
If the entry point is a vulnerable Redis service, Xbash will send malicious JavaScript or VBScript payload for downloading and executing a coinminer for Windows instead of its botnet and ransomware module.
As mentioned above, Xbash is developed in Python and then was converted to Portable Executable (PE) using PyInstaller, which can create binaries for multiple platforms, including Windows, Apple macOS, and Linux, and also provides anti-detection.
This, in turn, enables XBash to be truly cross-platform malware, though, at the time of writing, researchers found samples only for Linux and did not see any Windows or macOS versions of Xbash.
Users can protect themselves against XBash by following basic cybersecurity practices, including:
- change default login credentials on your systems,
- use strong and unique passwords,
- keep your operating system and software up-to-date,
- avoid downloading and running untrusted files or clicking links,
- take backup of their data regularly, and
- prevent unauthorized connection using a firewall.