Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

ABTV //

Malware

9/21/2018
08:05 AM
Jeffrey Burt
Jeffrey Burt
Jeffrey Burt
50%
50%

Xbash Malware: Dangerous Mix of Threats

The Xbash malware includes ransomware and cryptomining functions as well as botnet and self-propagation capabilities and will delete Linux databases.

Malware developers are increasingly putting multiple functions into their software to expand the reach of their capabilities and to possibly cover their tracks to hide the real intent of their campaigns. A new malware tool called Xbash is a particularly toxic mix of features that range from mining cryptocurrencies and ransomware to self-propagation and botnet capabilities, and will target and delete databases in Linux systems.

The Xbash malware is the work of the prolific cybercriminal organization Iron Group and targets both Linux- and Windows-based systems, according to researchers at Palo Alto Networks' Unit 42. The malware attacks Linux systems with its ransomware and botnet capabilities and Windows systems for coinmining and self-propagation, they wrote in a blog post.

The ransomware function targets and then deletes the Linux-based databases, meaning that even if the ransom is paid, there's no apparent way to get the data returned, the researchers wrote.

"To date, we have observed 48 incoming transactions to these wallets with total income of about 0.964 bitcoins, meaning 48 victims have paid about US $6,000 total," the Unit 42 researchers wrote. "However, [we] see no evidence that the paid ransoms have resulted in recovery for the victims. In fact, we can find no evidence of any functionality that makes recovery possible through ransom payment. … This means that, similar to NotPetya, Xbash is data destructive malware posing as ransomware."

The self-propagation function gives Xbash worm-like capabilities to spread once inside the system, similar to the WannaCry and Petya/NotPetya ransomware. It also has the capabilities -- which have yet to be implemented -- to spread quickly through an organization's network, they said. (See WannaCry: How the Notorious Worm Changed Ransomware.)

The malware attacks systems through weak passwords and unpatched vulnerabilities.

Xbash appears to be an evolutionary step for Iron Group, which previously had created and spread malware for cryptocurrency mining or cryptocurrency transaction hijacking primarily aimed at Microsoft Windows, though some targeted Linux system as well. In Xbash, the group has developed malware that looks for unprotected services and deletes the system's MySQL, PostgreSQL and MongoDB databases, and then ransoms the data for Bitcoin. In Windows systems, it uses three known vulnerabilities in Hadoop, Redis and ActiveMQ to infect the systems or self-propagate.

The malware was developed in the Python programming language and then converted into self-contained Linux ELF executables through the PyInstaller tool for distribution. It targets IP addresses and domains, which is different from such known malware as Mirai or Gafgvt, which generate random IP addresses as scanning destinations, the researchers said.

When it exploits vulnerable Redis services, Xbash will determine whether the service is running on Windows and, if so, will send a malicious JavaScript or VMScript code to download and run a coinminer function. In addition, the "Xbash authors have developed the new capability of scanning for vulnerable servers within enterprise intranet," they wrote. "We see this functionality in the samples but, interestingly, it has not yet been enabled."

Xbash represents a particular challenge to IT security professionals, according to Neelima Rustagi, senior director of product management at security automation and orchestration vendor Demisto.

"Since it displays different targeted malicious behavior depending on the system (Windows, Linux) and has intranet scanning capabilities, a single vulnerable system can spiral into a full-scale organizational attack," Rustagi told Security Now in an email. "Xbash attacks a critical gap in security products today, which is the lack of centralized data visibility of the product stack. If five threat intelligence platforms offer overlapping (but partially unique) data, security teams will need to coordinate among all five to keep malware like Xbash in check."

Unit 42 has found four different versions of Xbash, which they said appears to still be under development. The botnet began operating as early as May.

The use of multiple functions in malware isn't new, but the presence of so many capabilities in Xbash is unusual. (See AZORult Downloader Adds Cryptomining, Ransomware Capabilities.)

"The Xbash malware is a unique combination," Timur Kovalev, CTO at Untangle, a network security firm for SMBs, told Security Now in an email. "We will see the use of multi-function malware continue to rise. Hackers are always looking for new ways to gain access to devices and networks, so utilizing multi-function malware provides them broader opportunities than relying on a single malware strain."

Rick Moy, chief marketing officer at cybersecurity solution provider Acalvio, told Security Now that not only does such multi-function malware give attackers more options, it "could also be used deceptively to divert attention from the attackers' intended purpose. We can expect a rise in such multi-functional malware, which will increase the speed and breadth of the attack."

Related posts:

— Jeffrey Burt is a long-time tech journalist whose work has appeared in such publications as eWEEK, The Next Platform and Channelnomics.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 10/30/2020
'Act of War' Clause Could Nix Cyber Insurance Payouts
Robert Lemos, Contributing Writer,  10/29/2020
6 Ways Passwords Fail Basic Security Tests
Curtis Franklin Jr., Senior Editor at Dark Reading,  10/28/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
How to Measure and Reduce Cybersecurity Risk in Your Organization
In this Tech Digest, we examine the difficult practice of measuring cyber-risk that has long been an elusive target for enterprises. Download it today!
Flash Poll
How IT Security Organizations are Attacking the Cybersecurity Problem
How IT Security Organizations are Attacking the Cybersecurity Problem
The COVID-19 pandemic turned the world -- and enterprise computing -- on end. Here's a look at how cybersecurity teams are retrenching their defense strategies, rebuilding their teams, and selecting new technologies to stop the oncoming rise of online attacks.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-5991
PUBLISHED: 2020-10-30
NVIDIA CUDA Toolkit, all versions prior to 11.1.1, contains a vulnerability in the NVJPEG library in which an out-of-bounds read or write operation may lead to code execution, denial of service, or information disclosure.
CVE-2020-15273
PUBLISHED: 2020-10-30
baserCMS before version 4.4.1 is vulnerable to Cross-Site Scripting. The issue affects the following components: Edit feed settings, Edit widget area, Sub site new registration, New category registration. Arbitrary JavaScript may be executed by entering specific characters in the account that can ac...
CVE-2020-15276
PUBLISHED: 2020-10-30
baserCMS before version 4.4.1 is vulnerable to Cross-Site Scripting. Arbitrary JavaScript may be executed by entering a crafted nickname in blog comments. The issue affects the blog comment component. It is fixed in version 4.4.1.
CVE-2020-15277
PUBLISHED: 2020-10-30
baserCMS before version 4.4.1 is affected by Remote Code Execution (RCE). Code may be executed by logging in as a system administrator and uploading an executable script file such as a PHP file. The Edit template component is vulnerable. The issue is fixed in version 4.4.1.
CVE-2020-7373
PUBLISHED: 2020-10-30
vBulletin 5.5.4 through 5.6.2 allows remote command execution via crafted subWidgets data in an ajax/render/widget_tabbedcontainer_tab_panel request. NOTE: this issue exists because of an incomplete fix for CVE-2019-16759. ALSO NOTE: CVE-2020-7373 is a duplicate of CVE-2020-17496. CVE-2020-17496 is ...