Xbash is an “all in one” malware.
Palo Alto Networks’ Unit 42 researchers have come to the conclusion that the notorious Xbash malware that has been attacking Linux and Windows servers is being operated by the Iron Group which is an infamous hacker collective previously involved in a number of cyber crimes involving the use of ransomware and cryptominers.
Moreover, the APT threat actors from the Iron Group have been operating crypto transaction hijacking Trojans in the past. This time, they are using Xbash, a self-propagating malware mash-up that is equipped with multiple features. It can serve as ransomware, a botnet, worm, disk wiper and crypto-miner simultaneously.
Unit 42 division researchers Claud Xiao, Cong Zheng, and Xingyu Jin wrote in their blog post that it isn’t out of the ordinary to find multi-functional malware but they do admit that Xbash is somewhat too clever and unique. They write that the malware, if implemented fully, can spread across the entire network of an organization instantaneously.
They also explained that Xbash is utilizing its ransomware and botnet capabilities for targeting Linux servers, and using crypto-miner and self-propagating functionalities against Windows servers. Basically, the malware is designed to target and delete databases stored on Linux servers and the lost data cannot be recovered by the victims even if they pay the ransom because the malware lacks the capability of decrypting the data. It starts the attack by identifying unpatched vulnerabilities, and devices having weak passwords, which are identified by scanning protocols and ports such as:
“HTTP, VNC, MySQL, Memcached, MariaDB, FTP, Telnet, PostgreSQL, ElasticSearch, MongoDB, RDP, UPnP/SSDP, NTP, DNS, SNMP, LDAP, Rexec, Rlogic, Rsh, Rsync, Oracle database, CouchDB and phpMyAdmin.”
But it doesn’t search for weaknesses from randomly received IP addresses but fetches targeted IP addresses provided by its C&C server and also targets domains of public websites. It can even scan for vulnerable servers associated with the intranet of an enterprise. This isn’t the way Linux based malware typically function.
The way Xbash behaves largely depends upon the infected platform and the services that it runs. However, researchers have warned that once the malware manages to log-in successfully into a Linux server, it deletes all of the existing databases and creates new ones titled ‘PLEASE_READ_ME_XYZ.’
Moreover, it leaves a ransom note into the newly created databases’ WARNING table. Readers are instructed to deposit 0.02 bitcoin to the address mentioned by the attacker to recover the lost data otherwise the contents will be leaked on the internet. But this is a false promise because the data simply cannot be recovered by the malware.
As noted by the researchers:
“We see no evidence that the attackers are actually making good on their promise and helping the victims restore their deleted databases. In fact, contrary to the ransom note, we found no evidence of code in Xbash that backs up the deleted databases at all.”
The motivation behind this campaign is yet unclear but researchers mentioned that attackers are only looking for money. So far, at least 48 users have fallen prey to their tactics and have paid 0.964 bitcoins or $6,000 in total to attackers as of Sept. 17.