New XBash malware combines ransomware, coinminer, botnet, and worm features in deadly combo


A new malware strain has been discovered in the wild that combines features from four malware categories (ransomware, coinminers, botnets, and worms) into a dangerous cocktail that has been wreaking havoc on Linux and Windows servers.

Named XBash, this new malware strain is the work of a well-known criminal group previously identified under the codenames of Iron [1, 2] and Rocke, and which has been extremely active in the past two years.

Iron has been tied to ransomware distribution campaigns, but also to a massive crypto-mining operation. Cisco Talos has called this group “the champion of Monero miners,” and has hinted the group may be based in China.

Until now, the Iron group has focused on one operation at a time, using specific malware for specific tasks. It deployed ransomware in 2017 and early 2018, and then switched to spreading a cryptocurrency miner (coinminer) in 2018.


But Palo Alto Networks researchers say the group has now rolled out the new XBash malware strain, which combines all of their previous tactics by rolling a botnet-like structure, coinminer functionality, and ransomware functionality into one.

Furthermore, the group also appears to be working on a worm component that self-spreads inside isolated corporate networks.

Not all modules are active at the same time, though. Palo Alto Networks says the botnet and ransomware features are only active when the malware infects Linux systems, while the coinminer only works on Windows servers.

XBash uses its botnet module as the base for all of its nefarious activity. This module is essentially an Internet-wide scanner that searches for unpatched web applications that are vulnerable to known exploits or that use default credentials.

XBash’s scanner module uses exploits to take over Hadoop, Redis, or ActiveMQ servers, where it deploys a copy of its botnet and ransomware module if they are Linux systems.

It can also infect Windows systems, but only if the entry point is a vulnerable Redis server. In that case the group uses a dedicated code routine to deploy a coinminer instead of its standard botnet and ransomware module.


But the scanner module can do more than deliver exploits. Researchers say this module can also port-scan the Internet for servers running services that have been left exposed online without a password or with weak credentials.

This second scanner module (part of XBash’s botnet functionality) looks for and attempts to brute-force its way into services such as web servers (HTTP), VNC, MariaDB, MySQL, PostgreSQL, Redis, MongoDB, Oracle DB, CouchDB, ElasticSearch, Memcached, FTP, Telnet, RDP, UPnP/SSDP, NTP, DNS, SNMP, LDAP, Rexec, Rlogin, Rsh, and Rsync.

This gives the attackers a larger attack surface and helps their botnet grow faster than similar threats.
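As an added defender-side example (not code from the article or from Palo Alto Networks), the check below parses `ss -Hltn` output from a Linux host and flags listeners for the services in the list above that are bound to every interface, which is what XBash’s Internet-wide scanner would reach. The `ss` output is constructed sample data, and the port numbers are the standard IANA assignments; UDP-only services (UPnP/SSDP, NTP, SNMP) are left out because the check reads TCP listeners only.

```python
from typing import NamedTuple

# Standard TCP ports of the services the article lists as XBash brute-force
# targets (IANA assignments, not taken from the malware itself).
XBASH_TARGET_PORTS = {
    21: "FTP", 23: "Telnet", 53: "DNS", 80: "HTTP", 389: "LDAP",
    512: "Rexec", 513: "Rlogin", 514: "Rsh", 873: "Rsync",
    1521: "Oracle DB", 3306: "MySQL/MariaDB", 3389: "RDP",
    5432: "PostgreSQL", 5900: "VNC", 5984: "CouchDB", 6379: "Redis",
    9200: "Elasticsearch", 11211: "Memcached", 27017: "MongoDB",
}

# Local addresses that mean "every interface": reachable from the Internet
# if the host has a public IP and no host firewall in front of the port.
WILDCARD_ADDRS = {"0.0.0.0", "*", "::", "[::]"}

class Listener(NamedTuple):
    addr: str
    port: int
    service: str   # empty string when the port is not an XBash target

def parse_ss_listeners(ss_output: str) -> list:
    """Parse `ss -Hltn` lines (State Recv-Q Send-Q Local:Port Peer:Port)."""
    listeners = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue                      # skip headers and blank lines
        addr, _, port = fields[3].rpartition(":")   # handles [::]:5432 too
        port = int(port)
        listeners.append(Listener(addr, port, XBASH_TARGET_PORTS.get(port, "")))
    return listeners

def exposed_targets(ss_output: str) -> list:
    """Return XBash-targeted services bound to a wildcard address."""
    return [l for l in parse_ss_listeners(ss_output)
            if l.service and l.addr in WILDCARD_ADDRS]

# Constructed sample: Redis and PostgreSQL are world-bound, MySQL and
# MongoDB are loopback-only, SSH is exposed but not on XBash's list.
SAMPLE_SS = """\
LISTEN 0 128 0.0.0.0:6379 0.0.0.0:*
LISTEN 0 128 127.0.0.1:3306 0.0.0.0:*
LISTEN 0 128 [::]:5432 [::]:*
LISTEN 0 128 127.0.0.1:27017 0.0.0.0:*
LISTEN 0 4096 0.0.0.0:22 0.0.0.0:*
"""

if __name__ == "__main__":
    for l in exposed_targets(SAMPLE_SS):
        print(f"EXPOSED {l.service} on {l.addr}:{l.port}")
```

On a live host, feed it the output of `ss -Hltn` instead of `SAMPLE_SS`; anything it flags should either be bound to a specific interface, firewalled, or confirmed to require strong credentials.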


But while only Windows systems can be directly monetized through coin-mining operations, Linux instances aren’t left for dead.

Palo Alto Networks researchers say that once XBash has a foothold on Linux servers, the malware scans for the presence of any locally-running database services.

Here is where its ransomware component comes into play. Palo Alto Networks says this XBash component will scan and delete MySQL, MongoDB, and PostgreSQL databases and leave a ransom note behind.

The ransom note informs victims they’ll have to pay 0.02 Bitcoin ($125) to recover their databases. The ransom note claims the victim’s database has been backed up on the attacker’s server, but researchers say this is not true, as an analysis of XBash’s source code revealed the malware is only configured to wipe data and not back it up.

An analysis of a Bitcoin address found in some ransom notes reveals the group made 0.964 Bitcoin (~$6,000) by tricking victims into paying a ransom for databases they’ve actually deleted.

Ransom note left inside ransacked DBs by XBash malware (Image: Palo Alto Networks)

But besides the botnet, coinminer, and ransomware components, there is also a worm component, responsible for spreading XBash to internal networks.

Palo Alto Networks says this component is present in the code but not active in the malware per se, and it appears to still be in development.

According to the researchers’ analysis, this module was meant only for deployment on Windows servers and consists of a “LanScan” function that generates a list of IP addresses on the same network subnet as the infected host.

The worm component is supposed to probe the same long list of ports and services listed above, in an attempt to get access to other computers inside a company’s network.


The reason, researchers explain, is that inside corporate networks or intranets, computers on the internal network (not directly connected to the Internet) may have fewer security measures, or may be configured with weaker passwords than Internet-facing machines.

For now, this feature is not active, but researchers expect to see it go live in future XBash versions.

All in all, XBash is very much a work in progress, and experts expect the Iron group to activate the coinminer component for Linux servers as well, as this would allow crooks to generate even more profits than they’re generating right now.
