- Xbash targets Microsoft Windows and Linux servers.
- It has crypto-mining and ransomware capabilities.
- Initially written in Python, the malware is still under development.
Within a year, detection of crypto-mining malware has increased 459%, reported by Cyber Threat Alliance, citing data gathered by multiple companies. As long as cryptocurrencies hold value among attackers, illegal mining activity will likely continue to grow in the future.
Criminals are now extending their ways of making profits beyond illegally mining cryptocurrency to ransoming or hijacking cryptocurrency. They are expanding territory by attacking organization Intranet, scanning domain names, and by collecting more vulnerabilities from wherever possible.
Recently, Palo Alto Networks discovered a new malware family, which they have named Xbash. It targets Windows and Linux servers, and generally spreads by attacking unpatched vulnerabilities and weak passwords.
Xbash has crypto-mining and ransomware capabilities. Like WannaCry, it can self-propagate and spread rapidly (on execution) over an enterprise network. It destroys databases running on Linux and there is no guarantee that data will be restored after the ransom (money to unblock or decrypt data) is paid.
Overall, the malware combines crypto-mining, self-propagation, botnet, and ransomware. It targets Windows-based systems for its crypto-mining and self-propagation capabilities, and Linux-based systems for its botnet and ransomware capabilities.
So far, Xbash has affected 48 users who have paid a sum of $6000 in bitcoins to attackers. However, none of them recovered their data. In fact, no evidence of functionalities that make recovery possible after ransom payment has been detected.
Palo Alto Networks speculate that this is likely developed by the Iron Group, who is also linked to other ransomware attacks, including remote control system-based ransomware.
Technical Characteristics of Xbash
Xbash seeks for unprotected services, erasing victim’s MongoDB, PostgreSQL, MySQL databases, and ransom for bitcoins. For infecting Windows programs and self-propagation, it utilizes 3 known vulnerabilities in Hadoop, ActiveMQ, and Redis.
The malware was initially written in Python and then transformed into Linux ELF executables through PyInstaller tool. It fetches domain names and IP addresses for service exploiting from its C2 servers.
Source: Research Center/Palo Alto Networks
Xbash attempts to brute force services like Rsync | Courtesy: Palo Alto Networks
Palo Alto Networks has found 4 versions of Xbash till date. The botnet is operating since May 2018. Timestamp and code differences among these versions suggest that the malware is still being developed.
How You Can Protect Your System?
The company has already released ELF and PE format signatures through Antivirus to protect their customers from Xbash. They have also created a tag named AutoFocus that keeps track of this attack.
However, to be on a safer side, you can take some actions yourself. First of all, don’t use default passwords and keep installing security updates, implement endpoint security, don’t give access to unknown URLs, and as always maintain rigorous and effective backups.