Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

ABTV //

Malware

9/21/2018
08:05 AM
Jeffrey Burt
Jeffrey Burt
Jeffrey Burt
50%
50%

Xbash Malware: Dangerous Mix of Threats

The Xbash malware includes ransomware and cryptomining functions as well as botnet and self-propagation capabilities and will delete Linux databases.

Malware developers are increasingly putting multiple functions into their software to expand the reach of their capabilities and to possibly cover their tracks to hide the real intent of their campaigns. A new malware tool called Xbash is a particularly toxic mix of features that range from mining cryptocurrencies and ransomware to self-propagation and botnet capabilities, and will target and delete databases in Linux systems.

The Xbash malware is the work of the prolific cybercriminal organization Iron Group and targets both Linux- and Windows-based systems, according to researchers at Palo Alto Networks' Unit 42. The malware attacks Linux systems with its ransomware and botnet capabilities and Windows systems for coinmining and self-propagation, they wrote in a blog post.

The ransomware function targets and then deletes the Linux-based databases, meaning that even if the ransom is paid, there's no apparent way to get the data returned, the researchers wrote.

"To date, we have observed 48 incoming transactions to these wallets with total income of about 0.964 bitcoins, meaning 48 victims have paid about US $6,000 total," the Unit 42 researchers wrote. "However, [we] see no evidence that the paid ransoms have resulted in recovery for the victims. In fact, we can find no evidence of any functionality that makes recovery possible through ransom payment. … This means that, similar to NotPetya, Xbash is data destructive malware posing as ransomware."

The self-propagation function gives Xbash worm-like capabilities to spread once inside the system, similar to the WannaCry and Petya/NotPetya ransomware. It also has the capabilities -- which have yet to be implemented -- to spread quickly through an organization's network, they said. (See WannaCry: How the Notorious Worm Changed Ransomware.)

The malware attacks systems through weak passwords and unpatched vulnerabilities.

Xbash appears to be an evolutionary step for Iron Group, which previously had created and spread malware for cryptocurrency mining or cryptocurrency transaction hijacking primarily aimed at Microsoft Windows, though some targeted Linux system as well. In Xbash, the group has developed malware that looks for unprotected services and deletes the system's MySQL, PostgreSQL and MongoDB databases, and then ransoms the data for Bitcoin. In Windows systems, it uses three known vulnerabilities in Hadoop, Redis and ActiveMQ to infect the systems or self-propagate.

The malware was developed in the Python programming language and then converted into self-contained Linux ELF executables through the PyInstaller tool for distribution. It targets IP addresses and domains, which is different from such known malware as Mirai or Gafgvt, which generate random IP addresses as scanning destinations, the researchers said.

When it exploits vulnerable Redis services, Xbash will determine whether the service is running on Windows and, if so, will send a malicious JavaScript or VMScript code to download and run a coinminer function. In addition, the "Xbash authors have developed the new capability of scanning for vulnerable servers within enterprise intranet," they wrote. "We see this functionality in the samples but, interestingly, it has not yet been enabled."

Xbash represents a particular challenge to IT security professionals, according to Neelima Rustagi, senior director of product management at security automation and orchestration vendor Demisto.

"Since it displays different targeted malicious behavior depending on the system (Windows, Linux) and has intranet scanning capabilities, a single vulnerable system can spiral into a full-scale organizational attack," Rustagi told Security Now in an email. "Xbash attacks a critical gap in security products today, which is the lack of centralized data visibility of the product stack. If five threat intelligence platforms offer overlapping (but partially unique) data, security teams will need to coordinate among all five to keep malware like Xbash in check."

Unit 42 has found four different versions of Xbash, which they said appears to still be under development. The botnet began operating as early as May.

The use of multiple functions in malware isn't new, but the presence of so many capabilities in Xbash is unusual. (See AZORult Downloader Adds Cryptomining, Ransomware Capabilities.)

"The Xbash malware is a unique combination," Timur Kovalev, CTO at Untangle, a network security firm for SMBs, told Security Now in an email. "We will see the use of multi-function malware continue to rise. Hackers are always looking for new ways to gain access to devices and networks, so utilizing multi-function malware provides them broader opportunities than relying on a single malware strain."

Rick Moy, chief marketing officer at cybersecurity solution provider Acalvio, told Security Now that not only does such multi-function malware give attackers more options, it "could also be used deceptively to divert attention from the attackers' intended purpose. We can expect a rise in such multi-functional malware, which will increase the speed and breadth of the attack."

Related posts:

— Jeffrey Burt is a long-time tech journalist whose work has appeared in such publications as eWEEK, The Next Platform and Channelnomics.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Attackers Leave Stolen Credentials Searchable on Google
Kelly Sheridan, Staff Editor, Dark Reading,  1/21/2021
How to Better Secure Your Microsoft 365 Environment
Kelly Sheridan, Staff Editor, Dark Reading,  1/25/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
2020: The Year in Security
Download this Tech Digest for a look at the biggest security stories that - so far - have shaped a very strange and stressful year.
Flash Poll
Assessing Cybersecurity Risk in Today's Enterprises
Assessing Cybersecurity Risk in Today's Enterprises
COVID-19 has created a new IT paradigm in the enterprise -- and a new level of cybersecurity risk. This report offers a look at how enterprises are assessing and managing cyber-risk under the new normal.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-21275
PUBLISHED: 2021-01-25
The MediaWiki "Report" extension has a Cross-Site Request Forgery (CSRF) vulnerability. Before fixed version, there was no protection against CSRF checks on Special:Report, so requests to report a revision could be forged. The problem has been fixed in commit f828dc6 by making use of Medi...
CVE-2021-21272
PUBLISHED: 2021-01-25
ORAS is open source software which enables a way to push OCI Artifacts to OCI Conformant registries. ORAS is both a CLI for initial testing and a Go Module. In ORAS from version 0.4.0 and before version 0.9.0, there is a "zip-slip" vulnerability. The directory support feature allows the ...
CVE-2021-23901
PUBLISHED: 2021-01-25
An XML external entity (XXE) injection vulnerability was discovered in the Nutch DmozParser and is known to affect Nutch versions < 1.18. XML external entity injection (also known as XXE) is a web security vulnerability that allows an attacker to interfere with an application's processing of XML ...
CVE-2020-17532
PUBLISHED: 2021-01-25
When handler-router component is enabled in servicecomb-java-chassis, authenticated user may inject some data and cause arbitrary code execution. The problem happens in versions between 2.0.0 ~ 2.1.3 and fixed in Apache ServiceComb-Java-Chassis 2.1.5
CVE-2020-12512
PUBLISHED: 2021-01-22
Pepperl+Fuchs Comtrol IO-Link Master in Version 1.5.48 and below is prone to an authenticated reflected POST Cross-Site Scripting