Xbash Malware: Dangerous Mix of Threats

Malware developers are increasingly putting multiple functions into their software to expand the reach of their capabilities and to possibly cover their tracks to hide the real intent of their campaigns. A new malware tool called Xbash is a particularly toxic mix of features that range from mining cryptocurrencies and ransomware to self-propagation and botnet capabilities, and will target and delete databases in Linux systems.

The Xbash malware is the work of the prolific cybercriminal organization Iron Group and targets both Linux- and Windows-based systems, according to researchers at Palo Alto Networks' Unit 42. The malware attacks Linux systems with its ransomware and botnet capabilities and Windows systems for coinmining and self-propagation, they wrote in a blog post.

The ransomware function targets and then deletes the Linux-based databases, meaning that even if the ransom is paid, there's no apparent way to get the data returned, the researchers wrote.

(Source: iStock)

"To date, we have observed 48 incoming transactions to these wallets with total income of about 0.964 bitcoins, meaning 48 victims have paid about US $6,000 total," the Unit 42 researchers wrote. "However, [we] see no evidence that the paid ransoms have resulted in recovery for the victims. In fact, we can find no evidence of any functionality that makes recovery possible through ransom payment. … This means that, similar to NotPetya, Xbash is data destructive malware posing as ransomware."

The self-propagation function gives Xbash worm-like capabilities to spread once inside the system, similar to the WannaCry and Petya/NotPetya ransomware. It also has the capabilities -- which have yet to be implemented -- to spread quickly through an organization's network, they said. (See WannaCry: How the Notorious Worm Changed Ransomware.)

The malware attacks systems through weak passwords and unpatched vulnerabilities.

Xbash appears to be an evolutionary step for Iron Group, which previously had created and spread malware for cryptocurrency mining or cryptocurrency transaction hijacking primarily aimed at Microsoft Windows, though some targeted Linux system as well. In Xbash, the group has developed malware that looks for unprotected services and deletes the system's MySQL, PostgreSQL and MongoDB databases, and then ransoms the data for Bitcoin. In Windows systems, it uses three known vulnerabilities in Hadoop, Redis and ActiveMQ to infect the systems or self-propagate.

The malware was developed in the Python programming language and then converted into self-contained Linux ELF executables through the PyInstaller tool for distribution. It targets IP addresses and domains, which is different from such known malware as Mirai or Gafgvt, which generate random IP addresses as scanning destinations, the researchers said.

When it exploits vulnerable Redis services, Xbash will determine whether the service is running on Windows and, if so, will send a malicious JavaScript or VMScript code to download and run a coinminer function. In addition, the "Xbash authors have developed the new capability of scanning for vulnerable servers within enterprise intranet," they wrote. "We see this functionality in the samples but, interestingly, it has not yet been enabled."

Xbash represents a particular challenge to IT security professionals, according to Neelima Rustagi, senior director of product management at security automation and orchestration vendor Demisto.

"Since it displays different targeted malicious behavior depending on the system (Windows, Linux) and has intranet scanning capabilities, a single vulnerable system can spiral into a full-scale organizational attack," Rustagi told Security Now in an email. "Xbash attacks a critical gap in security products today, which is the lack of centralized data visibility of the product stack. If five threat intelligence platforms offer overlapping (but partially unique) data, security teams will need to coordinate among all five to keep malware like Xbash in check."

Unit 42 has found four different versions of Xbash, which they said appears to still be under development. The botnet began operating as early as May.

The use of multiple functions in malware isn't new, but the presence of so many capabilities in Xbash is unusual. (See AZORult Downloader Adds Cryptomining, Ransomware Capabilities.)

"The Xbash malware is a unique combination," Timur Kovalev, CTO at Untangle, a network security firm for SMBs, told Security Now in an email. "We will see the use of multi-function malware continue to rise. Hackers are always looking for new ways to gain access to devices and networks, so utilizing multi-function malware provides them broader opportunities than relying on a single malware strain."

Rick Moy, chief marketing officer at cybersecurity solution provider Acalvio, told Security Now that not only does such multi-function malware give attackers more options, it "could also be used deceptively to divert attention from the attackers' intended purpose. We can expect a rise in such multi-functional malware, which will increase the speed and breadth of the attack."

Related posts:

— Jeffrey Burt is a long-time tech journalist whose work has appeared in such publications as eWEEK, The Next Platform and Channelnomics.