Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

ABTV //

Malware

9/21/2018
08:05 AM
Jeffrey Burt
Jeffrey Burt
Jeffrey Burt
50%
50%

Xbash Malware: Dangerous Mix of Threats

The Xbash malware includes ransomware and cryptomining functions as well as botnet and self-propagation capabilities and will delete Linux databases.

Malware developers are increasingly putting multiple functions into their software to expand the reach of their capabilities and to possibly cover their tracks to hide the real intent of their campaigns. A new malware tool called Xbash is a particularly toxic mix of features that range from mining cryptocurrencies and ransomware to self-propagation and botnet capabilities, and will target and delete databases in Linux systems.

The Xbash malware is the work of the prolific cybercriminal organization Iron Group and targets both Linux- and Windows-based systems, according to researchers at Palo Alto Networks' Unit 42. The malware attacks Linux systems with its ransomware and botnet capabilities and Windows systems for coinmining and self-propagation, they wrote in a blog post.

The ransomware function targets and then deletes the Linux-based databases, meaning that even if the ransom is paid, there's no apparent way to get the data returned, the researchers wrote.

(Source: iStock)
(Source: iStock)

"To date, we have observed 48 incoming transactions to these wallets with total income of about 0.964 bitcoins, meaning 48 victims have paid about US $6,000 total," the Unit 42 researchers wrote. "However, [we] see no evidence that the paid ransoms have resulted in recovery for the victims. In fact, we can find no evidence of any functionality that makes recovery possible through ransom payment. … This means that, similar to NotPetya, Xbash is data destructive malware posing as ransomware."

The self-propagation function gives Xbash worm-like capabilities to spread once inside the system, similar to the WannaCry and Petya/NotPetya ransomware. It also has the capabilities -- which have yet to be implemented -- to spread quickly through an organization's network, they said. (See WannaCry: How the Notorious Worm Changed Ransomware.)

The malware attacks systems through weak passwords and unpatched vulnerabilities.

Xbash appears to be an evolutionary step for Iron Group, which previously had created and spread malware for cryptocurrency mining or cryptocurrency transaction hijacking primarily aimed at Microsoft Windows, though some targeted Linux system as well. In Xbash, the group has developed malware that looks for unprotected services and deletes the system's MySQL, PostgreSQL and MongoDB databases, and then ransoms the data for Bitcoin. In Windows systems, it uses three known vulnerabilities in Hadoop, Redis and ActiveMQ to infect the systems or self-propagate.

The malware was developed in the Python programming language and then converted into self-contained Linux ELF executables through the PyInstaller tool for distribution. It targets IP addresses and domains, which is different from such known malware as Mirai or Gafgvt, which generate random IP addresses as scanning destinations, the researchers said.

When it exploits vulnerable Redis services, Xbash will determine whether the service is running on Windows and, if so, will send a malicious JavaScript or VMScript code to download and run a coinminer function. In addition, the "Xbash authors have developed the new capability of scanning for vulnerable servers within enterprise intranet," they wrote. "We see this functionality in the samples but, interestingly, it has not yet been enabled."

Xbash represents a particular challenge to IT security professionals, according to Neelima Rustagi, senior director of product management at security automation and orchestration vendor Demisto.

"Since it displays different targeted malicious behavior depending on the system (Windows, Linux) and has intranet scanning capabilities, a single vulnerable system can spiral into a full-scale organizational attack," Rustagi told Security Now in an email. "Xbash attacks a critical gap in security products today, which is the lack of centralized data visibility of the product stack. If five threat intelligence platforms offer overlapping (but partially unique) data, security teams will need to coordinate among all five to keep malware like Xbash in check."

Unit 42 has found four different versions of Xbash, which they said appears to still be under development. The botnet began operating as early as May.

The use of multiple functions in malware isn't new, but the presence of so many capabilities in Xbash is unusual. (See AZORult Downloader Adds Cryptomining, Ransomware Capabilities.)

"The Xbash malware is a unique combination," Timur Kovalev, CTO at Untangle, a network security firm for SMBs, told Security Now in an email. "We will see the use of multi-function malware continue to rise. Hackers are always looking for new ways to gain access to devices and networks, so utilizing multi-function malware provides them broader opportunities than relying on a single malware strain."

Rick Moy, chief marketing officer at cybersecurity solution provider Acalvio, told Security Now that not only does such multi-function malware give attackers more options, it "could also be used deceptively to divert attention from the attackers' intended purpose. We can expect a rise in such multi-functional malware, which will increase the speed and breadth of the attack."

Related posts:

— Jeffrey Burt is a long-time tech journalist whose work has appeared in such publications as eWEEK, The Next Platform and Channelnomics.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Edge-DRsplash-10-edge-articles
7 Old IT Things Every New InfoSec Pro Should Know
Joan Goodchild, Staff Editor,  4/20/2021
News
Cloud-Native Businesses Struggle With Security
Robert Lemos, Contributing Writer,  5/6/2021
Commentary
Defending Against Web Scraping Attacks
Rob Simon, Principal Security Consultant at TrustedSec,  5/7/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-16632
PUBLISHED: 2021-05-15
A XSS Vulnerability in /uploads/dede/action_search.php in DedeCMS V5.7 SP2 allows an authenticated user to execute remote arbitrary code via the keyword parameter.
CVE-2021-32073
PUBLISHED: 2021-05-15
DedeCMS V5.7 SP2 contains a CSRF vulnerability that allows a remote attacker to send a malicious request to to the web manager allowing remote code execution.
CVE-2021-33033
PUBLISHED: 2021-05-14
The Linux kernel before 5.11.14 has a use-after-free in cipso_v4_genopt in net/ipv4/cipso_ipv4.c because the CIPSO and CALIPSO refcounting for the DOI definitions is mishandled, aka CID-ad5d07f4a9cd. This leads to writing an arbitrary value.
CVE-2021-33034
PUBLISHED: 2021-05-14
In the Linux kernel before 5.12.4, net/bluetooth/hci_event.c has a use-after-free when destroying an hci_chan, aka CID-5c4c8c954409. This leads to writing an arbitrary value.
CVE-2019-25044
PUBLISHED: 2021-05-14
The block subsystem in the Linux kernel before 5.2 has a use-after-free that can lead to arbitrary code execution in the kernel context and privilege escalation, aka CID-c3e2219216c9. This is related to blk_mq_free_rqs and blk_cleanup_queue.