Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

ABTV //

Malware

9/21/2018
08:05 AM
Jeffrey Burt
Jeffrey Burt
Jeffrey Burt
50%
50%

Xbash Malware: Dangerous Mix of Threats

The Xbash malware includes ransomware and cryptomining functions as well as botnet and self-propagation capabilities and will delete Linux databases.

Malware developers are increasingly putting multiple functions into their software to expand the reach of their capabilities and to possibly cover their tracks to hide the real intent of their campaigns. A new malware tool called Xbash is a particularly toxic mix of features that range from mining cryptocurrencies and ransomware to self-propagation and botnet capabilities, and will target and delete databases in Linux systems.

The Xbash malware is the work of the prolific cybercriminal organization Iron Group and targets both Linux- and Windows-based systems, according to researchers at Palo Alto Networks' Unit 42. The malware attacks Linux systems with its ransomware and botnet capabilities and Windows systems for coinmining and self-propagation, they wrote in a blog post.

The ransomware function targets and then deletes the Linux-based databases, meaning that even if the ransom is paid, there's no apparent way to get the data returned, the researchers wrote.

"To date, we have observed 48 incoming transactions to these wallets with total income of about 0.964 bitcoins, meaning 48 victims have paid about US $6,000 total," the Unit 42 researchers wrote. "However, [we] see no evidence that the paid ransoms have resulted in recovery for the victims. In fact, we can find no evidence of any functionality that makes recovery possible through ransom payment. … This means that, similar to NotPetya, Xbash is data destructive malware posing as ransomware."

The self-propagation function gives Xbash worm-like capabilities to spread once inside the system, similar to the WannaCry and Petya/NotPetya ransomware. It also has the capabilities -- which have yet to be implemented -- to spread quickly through an organization's network, they said. (See WannaCry: How the Notorious Worm Changed Ransomware.)

The malware attacks systems through weak passwords and unpatched vulnerabilities.

Xbash appears to be an evolutionary step for Iron Group, which previously had created and spread malware for cryptocurrency mining or cryptocurrency transaction hijacking primarily aimed at Microsoft Windows, though some targeted Linux system as well. In Xbash, the group has developed malware that looks for unprotected services and deletes the system's MySQL, PostgreSQL and MongoDB databases, and then ransoms the data for Bitcoin. In Windows systems, it uses three known vulnerabilities in Hadoop, Redis and ActiveMQ to infect the systems or self-propagate.

The malware was developed in the Python programming language and then converted into self-contained Linux ELF executables through the PyInstaller tool for distribution. It targets IP addresses and domains, which is different from such known malware as Mirai or Gafgvt, which generate random IP addresses as scanning destinations, the researchers said.

When it exploits vulnerable Redis services, Xbash will determine whether the service is running on Windows and, if so, will send a malicious JavaScript or VMScript code to download and run a coinminer function. In addition, the "Xbash authors have developed the new capability of scanning for vulnerable servers within enterprise intranet," they wrote. "We see this functionality in the samples but, interestingly, it has not yet been enabled."

Xbash represents a particular challenge to IT security professionals, according to Neelima Rustagi, senior director of product management at security automation and orchestration vendor Demisto.

"Since it displays different targeted malicious behavior depending on the system (Windows, Linux) and has intranet scanning capabilities, a single vulnerable system can spiral into a full-scale organizational attack," Rustagi told Security Now in an email. "Xbash attacks a critical gap in security products today, which is the lack of centralized data visibility of the product stack. If five threat intelligence platforms offer overlapping (but partially unique) data, security teams will need to coordinate among all five to keep malware like Xbash in check."

Unit 42 has found four different versions of Xbash, which they said appears to still be under development. The botnet began operating as early as May.

The use of multiple functions in malware isn't new, but the presence of so many capabilities in Xbash is unusual. (See AZORult Downloader Adds Cryptomining, Ransomware Capabilities.)

"The Xbash malware is a unique combination," Timur Kovalev, CTO at Untangle, a network security firm for SMBs, told Security Now in an email. "We will see the use of multi-function malware continue to rise. Hackers are always looking for new ways to gain access to devices and networks, so utilizing multi-function malware provides them broader opportunities than relying on a single malware strain."

Rick Moy, chief marketing officer at cybersecurity solution provider Acalvio, told Security Now that not only does such multi-function malware give attackers more options, it "could also be used deceptively to divert attention from the attackers' intended purpose. We can expect a rise in such multi-functional malware, which will increase the speed and breadth of the attack."

Related posts:

— Jeffrey Burt is a long-time tech journalist whose work has appeared in such publications as eWEEK, The Next Platform and Channelnomics.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 9/17/2020
Cybersecurity Bounces Back, but Talent Still Absent
Simone Petrella, Chief Executive Officer, CyberVista,  9/16/2020
Meet the Computer Scientist Who Helped Push for Paper Ballots
Kelly Jackson Higgins, Executive Editor at Dark Reading,  9/16/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Special Report: Computing's New Normal
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
How IT Security Organizations are Attacking the Cybersecurity Problem
How IT Security Organizations are Attacking the Cybersecurity Problem
The COVID-19 pandemic turned the world -- and enterprise computing -- on end. Here's a look at how cybersecurity teams are retrenching their defense strategies, rebuilding their teams, and selecting new technologies to stop the oncoming rise of online attacks.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-25789
PUBLISHED: 2020-09-19
An issue was discovered in Tiny Tiny RSS (aka tt-rss) before 2020-09-16. The cached_url feature mishandles JavaScript inside an SVG document.
CVE-2020-25790
PUBLISHED: 2020-09-19
** DISPUTED ** Typesetter CMS 5.x through 5.1 allows admins to upload and execute arbitrary PHP code via a .php file inside a ZIP archive. NOTE: the vendor disputes the significance of this report because "admins are considered trustworthy"; however, the behavior "contradicts our secu...
CVE-2020-25791
PUBLISHED: 2020-09-19
An issue was discovered in the sized-chunks crate through 0.6.2 for Rust. In the Chunk implementation, the array size is not checked when constructed with unit().
CVE-2020-25792
PUBLISHED: 2020-09-19
An issue was discovered in the sized-chunks crate through 0.6.2 for Rust. In the Chunk implementation, the array size is not checked when constructed with pair().
CVE-2020-25793
PUBLISHED: 2020-09-19
An issue was discovered in the sized-chunks crate through 0.6.2 for Rust. In the Chunk implementation, the array size is not checked when constructed with From<InlineArray<A, T>>.