
9/17/2018
05:15 PM
New Xbash Malware a Cocktail of Malicious Functions

The new malware tool targeting Windows and Linux systems combines cryptomining, ransomware, botnet, and self-propagation capabilities.

Adding to the rapidly growing list of multi-functional malware, a particularly nasty and unusual data-destroying malware tool has been discovered that combines botnet, coin mining, ransomware, and self-propagation capabilities.

The malware, which researchers at Palo Alto Networks' Unit 42 group have named Xbash, is targeting Linux and Windows servers and contains capabilities that, when fully implemented, could help it spread very quickly inside an organization's network.

Researchers from Palo Alto Networks say their analysis shows the malware targets Linux servers with its ransomware and botnet capabilities, and Windows servers with its coin mining and self-propagation capabilities.

Xbash's ransomware capabilities are designed to target and delete Linux-based databases. Worse, the malware appears to contain no functionality at all for helping victims recover lost data in the event they end up paying the demanded ransom.

So far, at least 48 victims have paid a total of $6,000 to the attackers, but there is no evidence that any of them were able to recover data that Xbash might have deleted, Palo Alto Networks said in an advisory Monday.

"Taken as a whole, we've not [before] seen this combination of ransomware, coinmining, worm capabilities, and targeting both Linux and Windows systems," says Ryan Olson, vice president of threat intelligence at Unit 42.

The malware appears to be the work of Iron Group, a threat actor associated with previous ransomware attacks and with spreading cryptocurrency mining tools, mostly in Windows environments. With Xbash, the group appears to have broadened its targets to include Linux systems as well.

Unlike other recent Linux malware such as Gafgyt and Mirai, which scan for vulnerable devices using randomly generated IP addresses, Xbash also scans by domain name. This makes it harder for defenders to spot Xbash using honeypots, which are typically deployed with IP addresses only and so are never reached by a scan that targets named hosts.

"Xbash uses a list of IP addresses and domains provided by its C2 to scan for specific open ports, weak credentials, or three known vulnerabilities in Hadoop, Redis and ActiveMQ — which it uses for self-propagation," Olson notes.

Two of the three vulnerabilities have no formal CVE number assigned to them. One is an unauthenticated command execution flaw in Hadoop YARN that was first disclosed in October 2016; the Redis flaw dates from October 2015 and gives attackers a way to remotely execute files of their choice on a target machine. The third flaw, in ActiveMQ, enables arbitrary file writes and has an assigned CVE number (CVE-2016-3088).

When it is exploiting a vulnerable Redis instance, Xbash is capable of determining whether the instance is running on a Windows system, so that the malware can then download and execute a coinminer on it.

If the target that Xbash is scanning happens to be an IP address, it tries to scan multiple UDP and TCP ports. Among them are ports used by HTTP services, VNC, MySQL, Telnet, FTP, NTP, DNS and LDAP. If certain ports happen to be open, such as those used by VNC, MySQL and PostgreSQL, the malware uses a dictionary of weak usernames and passwords to brute force its way into the service.

"Xbash uses weak passwords in its attacks against both Windows systems and Linux services," Olson says. "It uses both a built-in dictionary and also updates from its C2 server with an additional set of weak passwords."

When Xbash breaks into a service such as MySQL or MongoDB, it immediately deletes almost all the databases on the server and serves up a ransom message. "Because the malware deletes the databases based on brute forcing weak credentials for specific services, it could also happen on Windows with the same open ports/services and weak credentials," Olson warns.
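The behaviour described above, a dictionary of weak usernames and passwords tried in rapid succession against an exposed database port, leaves a distinctive trace in the service's own authentication log: a burst of failed logins from one source cycling through several account names. The following Python script is an added example from this editor, not code from the Dark Reading article or from Unit 42's research. It parses constructed, simplified MySQL-style "Access denied" log lines (the sample lines, the 60-second window and the five-failure threshold are all assumptions chosen for illustration) and flags sources whose failure bursts look like a credential dictionary attack rather than a user mistyping a password.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log, modelled loosely on MySQL error-log "Access denied" entries.
# 203.0.113.7 cycles through four account names in five seconds (dictionary attack pattern);
# 192.0.2.10 fails twice, 25 minutes apart (looks like a user typo, not an attack).
SAMPLE_LOG = """\
2018-09-17T20:01:02 [Note] Access denied for user 'root'@'203.0.113.7' (using password: YES)
2018-09-17T20:01:03 [Note] Access denied for user 'admin'@'203.0.113.7' (using password: YES)
2018-09-17T20:01:03 [Note] Access denied for user 'root'@'203.0.113.7' (using password: YES)
2018-09-17T20:01:04 [Note] Access denied for user 'mysql'@'203.0.113.7' (using password: YES)
2018-09-17T20:01:05 [Note] Access denied for user 'test'@'203.0.113.7' (using password: YES)
2018-09-17T20:01:06 [Note] Access denied for user 'root'@'203.0.113.7' (using password: YES)
2018-09-17T20:05:00 [Note] Access denied for user 'alice'@'192.0.2.10' (using password: YES)
2018-09-17T20:30:00 [Note] Access denied for user 'alice'@'192.0.2.10' (using password: YES)
"""

# Timestamp prefix (fractional seconds / zone suffix tolerated), then the denied user and source.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})\S*\s+"
    r".*Access denied for user '(?P<user>[^']*)'@'(?P<src>[^']+)'"
)


def parse_failures(log_text):
    """Return a list of (timestamp, source, username) for every failed-login line."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # unrelated log line
        ts = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%S")
        events.append((ts, m.group("src"), m.group("user")))
    return events


def find_bruteforce_sources(events, threshold=5, window=timedelta(seconds=60)):
    """Flag sources with >= threshold failures inside any sliding window.

    Returns {source: {"failures": n, "users": [...], "first": ts, "last": ts}} describing
    the largest qualifying burst per source. Threshold and window are assumed tuning values.
    """
    by_src = defaultdict(list)
    for ts, src, user in events:
        by_src[src].append((ts, user))

    alerts = {}
    for src, evs in by_src.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until the burst fits inside `window`.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            burst = evs[start:end + 1]
            if len(burst) >= threshold:
                prev = alerts.get(src)
                if prev is None or len(burst) > prev["failures"]:
                    alerts[src] = {
                        "failures": len(burst),
                        "users": sorted({u for _, u in burst}),
                        "first": burst[0][0],
                        "last": burst[-1][0],
                    }
    return alerts


if __name__ == "__main__":
    for src, info in find_bruteforce_sources(parse_failures(SAMPLE_LOG)).items():
        print(f"{src}: {info['failures']} failures, {len(info['users'])} distinct users "
              f"({', '.join(info['users'])}) between {info['first']} and {info['last']}")
```

The distinct-user count is the useful discriminator: a legitimate user who forgets a password fails repeatedly on one account, whereas a dictionary scanner of the kind described in the article walks through many account names from the same address. In production the same logic would run against the real log format of whichever service is exposed (the article names MySQL, MongoDB, VNC and PostgreSQL among others) and feed a block or alert rather than a print statement.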

Shades of WannaCry, NotPetya

The samples of Xbash that researchers at Palo Alto Networks analyzed show that the authors of Xbash are developing a new capability that will let the malware scan infected networks for other vulnerable servers. The capability has not yet been enabled, but if it is, Xbash will be able to spread quickly within an infected network as the WannaCry and Petya/NotPetya ransomware did.

For organizations, multi-functional and highly modular malware tools are quickly becoming a new threat. In recent weeks, several security vendors have issued warnings about malware tools capable of carrying out multiple malicious functions or of being modified after installation to do different things.

Proofpoint, for instance, recently warned about AdvisorsBot and Marap, two modular tools that allow criminals to add new functions to malware that has already been installed on a system. In an August advisory, Kaspersky Lab said it had observed a near doubling of multipurpose Remote Access Tools being distributed via botnets over the past 18 months or so, from 6.5% to 12.2%.

The trend highlights the need for a more high-level approach to defending against threats. "Organizations and defenders are better off focusing on prevention than specific threats," Olson notes. "A threat-based approach against Xbash would require multiple threats against multiple vectors, which is not scalable and is inherently advantageous to the attackers."


Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ...
