
Pseudo-ransomware Xbash targeting Linux and Windows discovered

18 Sep 18

Article by researchers Claud Xiao, Cong Zheng and Xingyu Jin 

Unit 42 researchers have found a new malware family that is targeting Linux and Microsoft Windows servers.

We can tie this malware, which we have named Xbash, to the Iron Group, a threat actor group known for previous ransomware attacks.

Xbash has ransomware and coinmining capabilities.

It also has self-propagating capabilities (meaning it has worm-like characteristics similar to WannaCry or Petya/NotPetya).

It also has capabilities that are not currently implemented but that, once implemented, could enable it to spread very quickly within an organisation’s network (again, much like WannaCry or Petya/NotPetya).

Xbash spreads by attacking weak passwords and unpatched vulnerabilities.

Xbash is data-destructive: it destroys Linux-based databases as part of its ransomware behaviour.

We can also find no functionality within Xbash that would enable restoration after the ransom is paid.

This means that, similar to NotPetya, Xbash is data destructive malware posing as ransomware.

Organisations can protect themselves against Xbash by:

  1. Using strong, non-default passwords
  2. Keeping up-to-date on security updates
  3. Implementing endpoint security on Microsoft Windows and Linux systems
  4. Preventing access to unknown hosts on the internet (to prevent access to command and control servers)
  5. Implementing and maintaining rigorous and effective backup and restoration processes and procedures.

Below are some more specifics on Xbash’s capabilities:

  • It combines botnet, coinmining, ransomware and self-propagation
  • It targets Linux-based systems for its ransomware and botnet capabilities
  • It targets Microsoft Windows-based systems for its coinmining and self-propagating capabilities
  • The ransomware component targets and deletes Linux-based databases
  • To date, we have observed 48 incoming transactions to the Bitcoin wallets used by the malware, with a total income of about 0.964 bitcoins, meaning 48 victims have paid about US$6,000 in total (at the time of publication)
  • However, we see no evidence that the paid ransoms have resulted in recovery for the victims
  • In fact, we can find no evidence of any functionality that makes recovery possible through ransom payment.
  • Our analysis shows this is likely the work of the Iron Group, a group publicly linked to other ransomware campaigns, including those that use the Remote Control System (RCS), whose source code was believed to have been stolen from HackingTeam in 2015.


Recently Unit 42 used Palo Alto Networks WildFire to identify a new malware family targeting Linux servers.

After further investigation, we realised it is a combination of botnet and ransomware developed this year by the active cybercrime group Iron (aka Rocke).

We have named this new malware “Xbash”, based on the name of the malicious code’s original main module.

Previously the Iron group developed and spread cryptocurrency miners or cryptocurrency transaction hijacking trojans mainly intended for Microsoft Windows, with only a few for Linux.

Instead, Xbash is aimed at discovering unprotected services, deleting the victim’s MySQL, PostgreSQL and MongoDB databases, and demanding a ransom in Bitcoin.

Xbash uses three known vulnerabilities in Hadoop, Redis and ActiveMQ for self-propagation or for infecting Windows systems.

Other new technical characteristics in Xbash that are worth noting:

  • Developed in Python: Xbash was developed using Python and was then converted into self-contained Linux ELF executables by abusing the legitimate tool PyInstaller for distribution.
  • Targets IP addresses and domain names: Modern Linux malware such as Mirai or Gafgyt usually generate random IP addresses as scanning destinations. By contrast, Xbash fetches from its C2 servers both IP addresses and domain names for service probing and exploiting.
  • Targets Windows and Linux: When exploiting vulnerable Redis services, Xbash will also figure out whether the service is running on Windows or not. If so, it will send malicious JavaScript or VBScript payload for downloading and executing a coinminer for Windows.
  • Intranet Scanning Functionality: The Xbash authors have developed a new capability for scanning for vulnerable servers within an enterprise intranet. We see this functionality in the samples but, interestingly, it has not yet been enabled.
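As a defender-side triage aid for the PyInstaller packaging described above (an added example, not code from the Unit 42 article or from the malware): it locates the PyInstaller archive cookie in a file image and, assuming the PyInstaller 3.x cookie layout, reads the Python version and library name the bundle was built against. The sample bytes are constructed here to stand in for a suspect ELF.

```python
import struct

# PyInstaller's archive "cookie" begins with this magic; the bootloader uses
# the same marker to locate the bundled archive at the end of the executable.
PYINSTALLER_MAGIC = b"MEI\x0c\x0b\x0a\x0b\x0e"
ELF_MAGIC = b"\x7fELF"
# Assumed PyInstaller 3.x cookie layout (big-endian): magic, package length,
# TOC offset, TOC length, Python version (27 for 2.7, 36 for 3.6), lib name.
COOKIE_FMT = "!8siiii64s"
COOKIE_SIZE = struct.calcsize(COOKIE_FMT)


def triage_pyinstaller(data: bytes) -> dict:
    """Return packaging indicators for a file image held in memory."""
    result = {"is_elf": data.startswith(ELF_MAGIC), "pyinstaller": False,
              "cookie_offset": None, "python_version": None, "python_lib": None}
    # The cookie sits near the end of the file, so take the last occurrence.
    off = data.rfind(PYINSTALLER_MAGIC)
    if off == -1:
        return result
    result["pyinstaller"] = True
    result["cookie_offset"] = off
    if len(data) - off >= COOKIE_SIZE:
        _, _pkg_len, _toc_off, _toc_len, pyvers, pylib = struct.unpack_from(
            COOKIE_FMT, data, off)
        result["python_version"] = pyvers
        result["python_lib"] = pylib.rstrip(b"\x00").decode("ascii", "replace")
    return result


def triage_file(path: str) -> dict:
    """Triage a file on disk (reads it whole; fine for typical sample sizes)."""
    with open(path, "rb") as fh:
        return triage_pyinstaller(fh.read())


def build_sample() -> bytes:
    """Constructed stand-in for a PyInstaller-packed ELF: not a real binary."""
    fake_bootloader = ELF_MAGIC + b"\x00" * 60 + b"fake-bootloader-code"
    fake_archive = b"PYZ\x00fake-archive-contents"
    cookie = struct.pack(COOKIE_FMT, PYINSTALLER_MAGIC, 1000, 500, 200, 27,
                         b"libpython2.7.so.1.0")
    return fake_bootloader + fake_archive + cookie


if __name__ == "__main__":
    print(triage_pyinstaller(build_sample()))
```

A hit only tells you the file was built with PyInstaller, which plenty of legitimate software is; treat it as a triage hint to pair with the other indicators above (C2 fetches, database-service probing), not as a verdict.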

We have discovered four different versions of Xbash so far.

Code and timestamp differences among these versions show that it is still under active development.

The botnet began to operate as early as May 2018.

Thus far, we’ve observed 48 incoming transactions to the Bitcoin wallet addresses used by the malware, which may indicate 48 victims of its ransom behaviour.
