How does a self-spreading malware with cryptomining and ransomware capabilities sound to you? Entirely hypothetical? Not at all. This new malware strain exists and is a real threat not only to Windows servers but also to Linux. It is dubbed Xbash.
More specifically, the new malware strain combines characteristics of four malware categories – ransomware, botnet, worm, and crypto miners. According to researchers from Palo Alto Networks’ Unit 42, Xbash’s ransomware and botnet capabilities are aimed at Linux systems where the new monstrous malware is instructed to delete databases. As for Windows, Xbash is used for cryptomining purposes and self-propagation, leveraging known security vulnerabilities in Hadoop, Redis, and ActiveMQ services.
Who Is Behind the New Xbash Malware?
Apparently, this latest malware strain is authored by a well-known criminal collective called Iron and Rocke. The group has been quite active during the past couple of years.
These cybercriminals have been known for carrying out massive ransomware and cryptomining campaigns. Cisco Talos researchers even named the hacking collective “the champion of Monero miners”. There are clues that suggest the group is based in China, but this hasn’t been confirmed. The group was detected delivering ransomware in 2017 and 2018, and later – cryptocurrency miners.
Now, the Iron group has a new malware strain in their hands which combines all previously deployed malicious scenarios. The result is a monstrous piece of malware with a botnet-like structure and ransomware and cryptomining capabilities. On top of that, the group is currently working on a worm-like feature for self-propagation, researchers say.
Technical Overview of XBash Malware
According to Palo Alto’s technical analysis, the malware is developed in Python and was later converted into self-contained Linux ELF executables by leveraging the legitimate tool called PyInstaller for delivery purposes.
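For defenders triaging an unknown Linux binary, the PyInstaller packaging described above leaves a recognizable trailer. The sketch below is an added example, not code from the article or from Unit 42: it checks for the ELF magic and parses the PyInstaller CArchive cookie, assuming the cookie layout used by PyInstaller 2.1 and later. The function names and the sample bytes are constructed for illustration.

```python
import struct

ELF_MAGIC = b"\x7fELF"
# PyInstaller CArchive cookie magic: "MEI" followed by 0x0c 0x0b 0x0a 0x0b 0x0e
PYI_MAGIC = b"MEI\x0c\x0b\x0a\x0b\x0e"
# Assumed cookie layout (PyInstaller >= 2.1), big-endian, 88 bytes:
# magic, archive length, TOC offset, TOC length, Python version, libpython name
COOKIE = struct.Struct("!8sIIII64s")


def triage(data):
    """Report whether a byte string looks like a PyInstaller-packed ELF."""
    report = {"elf": data[:4] == ELF_MAGIC, "pyinstaller": False,
              "python_version": None, "pylib": None}
    # The cookie sits at the end of the archive appended to the bootloader,
    # so search from the end of the file.
    pos = data.rfind(PYI_MAGIC)
    if pos < 0 or len(data) - pos < COOKIE.size:
        return report
    _, pkg_len, toc_off, toc_len, pyver, pylib = COOKIE.unpack_from(data, pos)
    # Plausibility checks cut false positives from a stray magic string.
    if pkg_len > len(data) or toc_off + toc_len > pkg_len or pyver == 0:
        return report
    # Version is stored as 27 for 2.7, or 310 for 3.10 in newer releases.
    major, minor = divmod(pyver, 100) if pyver >= 100 else divmod(pyver, 10)
    report.update(pyinstaller=True, python_version=f"{major}.{minor}",
                  pylib=pylib.rstrip(b"\x00").decode("ascii", "replace"))
    return report


def triage_file(path):
    """Convenience wrapper for a file on disk."""
    with open(path, "rb") as fh:
        return triage(fh.read())


def build_sample():
    """Constructed stand-in: fake ELF header, dummy archive body, valid cookie."""
    body = b"\x00" * 28
    cookie = COOKIE.pack(PYI_MAGIC, len(body) + COOKIE.size, 20, 8, 27,
                         b"libpython2.7.so.1.0")
    return ELF_MAGIC + b"\x00" * 60 + body + cookie


if __name__ == "__main__":
    print(triage(build_sample()))
```

A positive result only says the file is a PyInstaller bundle, which legitimate software also uses; it is a cue to unpack and inspect the embedded Python code, not a verdict.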
XBash is also targeting IP addresses and domain names. “Modern Linux malware such as Mirai or Gafgyt usually generate random IP addresses as scanning destinations. By contrast, Xbash fetches from its C2 servers both IP addresses and domain names for service probing and exploiting,” the researchers noted.
As already mentioned, the new malware strain is targeting both Windows and Linux. When targeting Redis, Xbash will first confirm whether the service is running on Windows. If this is confirmed, it will then send a malicious JavaScript or VBScript payload for the purpose of downloading and executing a cryptominer for Windows.
Another technical feature worth noting is Xbash’s intranet scanning capability, where vulnerable servers within enterprise intranets are targeted. It should be noted that this feature hasn’t been enabled yet and is only seen in samples.
Palo Alto researchers have discovered four different versions of the Xbash malware so far.
Code and timestamp differences among these versions hint that the monstrous malware is still undergoing active development. The botnet operations started around May this year. The researchers have monitored 48 incoming transactions to the Bitcoin wallet addresses used by Xbash authors. This may mean that there are 48 victims of the ransomware behavior in particular.