Windows and Linux users need to beware: an all-in-one, destructive malware strain has been discovered in the wild that combines multiple capabilities, including ransomware, a cryptocurrency miner, a botnet, and a self-propagating worm, and targets both Linux and Windows systems.
The new malware, dubbed XBash, is believed to be tied to the Iron Group, a.k.a. Rocke, the Chinese-speaking APT group known for previous cyber-attacks involving ransomware and cryptocurrency miners.
According to researchers from security vendor Palo Alto Networks, who uncovered the malware, XBash features ransomware and cryptocurrency mining capabilities, as well as worm-like self-spreading ability similar to WannaCry or Petya/NotPetya.
In addition to its self-propagating capabilities, XBash also contains functionality, not yet implemented, that could allow the malware to spread quickly within an organization's internal network.
Developed in Python, XBash hunts for vulnerable or unprotected web services and deletes databases such as MySQL, PostgreSQL, and MongoDB running on Linux servers as part of its ransomware capabilities.
Important: Paying Ransom Will Get You Nothing!
Xbash is designed to scan a target IP for services on both TCP and UDP ports, including HTTP, VNC, MySQL/MariaDB, Telnet, FTP, MongoDB, RDP, ElasticSearch, Oracle Database, CouchDB, Rlogin, and PostgreSQL.
Once it finds an open port, the malware runs a dictionary attack with weak usernames and passwords to brute-force its way into the vulnerable service; once in, it deletes all the databases and then displays a ransom note.
What is worrisome is that the malware itself contains no functionality that would allow recovery of the deleted databases once a victim has paid the ransom.
To date, XBash has infected at least 48 victims who have already paid the ransom, earning the cybercriminals behind the threat about $6,000 so far. However, researchers have seen no evidence that these payments have resulted in the recovery of any victim's data.
The malware also has the ability to add targeted Linux-based systems to a botnet.
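The behaviour described above, many login failures from one source against a database service spread across several user names, is what the brute-force stage looks like on the defender's side. The following is an added example, not code from the Palo Alto Networks write-up or from the malware: a small detector that parses constructed MySQL and PostgreSQL authentication-failure log lines and raises an alert for each source/service pair that exceeds a failure threshold inside a time window. The log formats, thresholds and IP addresses are assumptions for the example (the PostgreSQL lines assume a `log_line_prefix` that includes the client host).

```python
"""Detect dictionary-attack bursts against database services in auth logs.

Added example, not from the original article. Log formats are constructed:
MySQL lines follow the 5.7-style error-log "Access denied" message, PostgreSQL
lines assume log_line_prefix = '%m [%p] %h ' so the client host precedes FATAL.
Threshold values are illustrative.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Two of the services the article lists as brute-force targets, with their
# well-known default ports (used only to label alerts).
TARGETED_SERVICES = {"mysql": 3306, "postgresql": 5432}

# One regex per log format; each yields timestamp, source host and user name.
PATTERNS = {
    "mysql": re.compile(
        r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})\.\d+Z \d+ \[Note\] "
        r"Access denied for user '(?P<user>[^']*)'@'(?P<host>[^']+)'"
    ),
    "postgresql": re.compile(
        r'^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\.\d+ \w+ \[\d+\] (?P<host>\S+) '
        r'FATAL:\s+password authentication failed for user "(?P<user>[^"]*)"'
    ),
}
TS_FORMATS = {"mysql": "%Y-%m-%dT%H:%M:%S", "postgresql": "%Y-%m-%d %H:%M:%S"}


def parse_failures(lines):
    """Yield (service, timestamp, host, user) for every recognised auth failure."""
    for line in lines:
        for service, pattern in PATTERNS.items():
            m = pattern.match(line)
            if m:
                ts = datetime.strptime(m.group("ts"), TS_FORMATS[service])
                yield service, ts, m.group("host"), m.group("user")
                break


def find_bruteforce(lines, window=timedelta(seconds=60), min_failures=5, min_users=3):
    """Return alerts for (host, service) pairs that look like a dictionary attack.

    A dictionary attack shows up as many failures from one source inside a short
    window, spread over several user names; an operator mistyping one password
    a couple of times stays below both thresholds.
    """
    by_source = defaultdict(list)
    for service, ts, host, user in parse_failures(lines):
        by_source[(host, service)].append((ts, user))

    alerts = []
    for (host, service), events in by_source.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Slide the window start forward until the burst fits inside `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            burst = events[start:end + 1]
            users = {u for _, u in burst}
            if len(burst) >= min_failures and len(users) >= min_users:
                alerts.append({
                    "host": host,
                    "service": service,
                    "port": TARGETED_SERVICES[service],
                    "failures": len(burst),
                    "users": sorted(users),
                })
                break  # one alert per source/service is enough
    return alerts


# Constructed sample: 203.0.113.7 works through a small wordlist against MySQL,
# while 198.51.100.2 is an operator mistyping the postgres password twice.
SAMPLE_LOG = [
    "2018-09-17T10:15:01.000001Z 51 [Note] Access denied for user 'root'@'203.0.113.7' (using password: YES)",
    "2018-09-17T10:15:02.000001Z 52 [Note] Access denied for user 'admin'@'203.0.113.7' (using password: YES)",
    "2018-09-17T10:15:03.000001Z 53 [Note] Access denied for user 'mysql'@'203.0.113.7' (using password: YES)",
    "2018-09-17T10:15:04.000001Z 54 [Note] Access denied for user 'root'@'203.0.113.7' (using password: YES)",
    "2018-09-17T10:15:05.000001Z 55 [Note] Access denied for user 'test'@'203.0.113.7' (using password: YES)",
    '2018-09-17 10:15:10.123 UTC [9001] 198.51.100.2 FATAL:  password authentication failed for user "postgres"',
    '2018-09-17 10:15:12.456 UTC [9002] 198.51.100.2 FATAL:  password authentication failed for user "postgres"',
]

if __name__ == "__main__":
    for alert in find_bruteforce(SAMPLE_LOG):
        print(alert)
```

Run against the constructed sample, only the MySQL source trips the detector (five failures across four user names within a minute); the two PostgreSQL failures from the operator stay under both thresholds. Requiring several distinct user names, not just a failure count, is what separates a wordlist run from a locked-out human.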
XBash Malware Exploits Flaws in Hadoop, Redis, and ActiveMQ
On the other hand, XBash targets Microsoft Windows machines only for cryptocurrency mining and self-propagation. For self-propagation, it exploits three known vulnerabilities in Hadoop, Redis, and ActiveMQ:
- Hadoop YARN ResourceManager unauthenticated command execution bug, disclosed in October 2016, with no CVE number assigned.
- Redis arbitrary file write and remote command execution vulnerability, disclosed in October 2015, with no CVE number assigned.
- ActiveMQ arbitrary file write vulnerability (CVE-2016-3088), disclosed in early 2016.
If the entry point is a vulnerable Redis service, Xbash sends a malicious JavaScript or VBScript payload that downloads and executes a coinminer for Windows instead of its botnet and ransomware modules.
As mentioned above, Xbash is developed in Python and was then converted to a portable executable (PE) using PyInstaller, which can produce binaries for multiple platforms, including Windows, Apple macOS, and Linux, and also provides some anti-detection benefit.
This, in turn, allows XBash to be truly cross-platform malware, though at the time of writing the researchers had found samples only for Linux and had not seen any Windows or macOS versions of Xbash.
Users can defend themselves against XBash by following basic cybersecurity practices, including:
- change the default login credentials on your systems,
- use strong and unique passwords,
- keep your operating system and software up to date,
- avoid downloading and running untrusted files or clicking untrusted links,
- back up your data regularly, and
- prevent unauthorized connections using a firewall.