
Pseudo-ransomware Xbash targeting Linux and Windows discovered

18 Sep 18

Article by researchers Claud Xiao, Cong Zheng and Xingyu Jin 

Unit 42 researchers have found a new malware family that is targeting Linux and Microsoft Windows servers.

We can tie this malware, which we have named Xbash, to the Iron Group, a threat actor group known for previous ransomware attacks.

Xbash has ransomware and coinmining capabilities.

It also has self-propagating capabilities (meaning it has worm-like characteristics similar to WannaCry or Petya/NotPetya).

It also has capabilities that are not currently enabled but which, once enabled, could let it spread very quickly within an organisation’s network (again, much like WannaCry or Petya/NotPetya).

Xbash spreads by attacking weak passwords and unpatched vulnerabilities.

Xbash is data-destructive, deleting Linux-based databases as part of its ransomware capabilities.

We can also find no functionality within Xbash that would enable restoration after the ransom is paid.

This means that, similar to NotPetya, Xbash is data destructive malware posing as ransomware.

Organisations can protect themselves against Xbash by:

  1. Using strong, non-default passwords
  2. Keeping up-to-date on security updates
  3. Implementing endpoint security on Microsoft Windows and Linux systems
  4. Preventing access to unknown hosts on the internet (to prevent access to command and control servers)
  5. Implementing and maintaining rigorous and effective backup and restoration processes and procedures.

Below are some more specifics on Xbash’s capabilities:

  • It combines botnet, coinmining, ransomware and self-propagation
  • It targets Linux-based systems for its ransomware and botnet capabilities
  • It targets Microsoft Windows-based systems for its coinmining and self-propagating capabilities
  • The ransomware component targets and deletes Linux-based databases
  • To date, we have observed 48 incoming transactions to these wallets with total income of about 0.964 bitcoins meaning 48 victims have paid about US$6,000 total (at the time of publication)
  • However, we see no evidence that the paid ransoms have resulted in recovery for the victims
  • In fact, we can find no evidence of any functionality that makes recovery possible through ransom payment.
  • Our analysis shows this is likely the work of the Iron Group, a group publicly linked to other ransomware campaigns including those that use the Remote Control System (RCS), whose source code was believed to be stolen from the HackingTeam in 2015.

Research

Recently Unit 42 used Palo Alto Networks WildFire to identify a new malware family targeting Linux servers.

After further investigation, we realised it’s a combination of botnet and ransomware that was developed this year by the active cybercrime group Iron (aka Rocke).

We have named this new malware “Xbash”, based on the name of the malicious code’s original main module.

Previously the Iron group developed and spread cryptocurrency miners or cryptocurrency transaction hijacking trojans mainly intended for Microsoft Windows, with only a few for Linux.

Xbash, by contrast, is aimed at discovering unprotected services, deleting victims’ MySQL, PostgreSQL and MongoDB databases, and demanding a ransom in Bitcoin.

Xbash uses three known vulnerabilities in Hadoop, Redis and ActiveMQ for self-propagation or infecting Windows systems.

Other new technical characteristics in Xbash that are worth noting:

  • Developed in Python: Xbash was written in Python and then converted into self-contained Linux ELF executables by abusing the legitimate tool PyInstaller for distribution.
  • Targets IP addresses and domain names: modern Linux malware such as Mirai or Gafgyt usually generates random IP addresses as scanning destinations. By contrast, Xbash fetches both IP addresses and domain names from its C2 servers for service probing and exploitation.
  • Targets Windows and Linux: when exploiting vulnerable Redis services, Xbash also determines whether the service is running on Windows. If so, it sends a malicious JavaScript or VBScript payload that downloads and executes a coinminer for Windows.
  • Intranet scanning functionality: the Xbash authors have developed a new capability for scanning for vulnerable servers within an enterprise intranet. We see this functionality in the samples but, interestingly, it has not yet been enabled.
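Because Xbash ships as PyInstaller-packed ELF binaries, a quick triage step for defenders is to check whether a suspicious Linux executable carries PyInstaller’s archive “cookie” (an 8-byte magic followed by the package length, table-of-contents offset and length, Python version and bundled libpython name). The Python below is an added example, not the researchers’ code; the sample bytes it parses are constructed and are not an Xbash sample.

```python
import struct

# PyInstaller's CArchive cookie: 8-byte magic, then package length, TOC offset,
# TOC length, Python version and a 64-byte libpython name (88 bytes, big-endian).
PYINSTALLER_MAGIC = b"MEI\x0c\x0b\x0a\x0b\x0e"
COOKIE_FMT = "!8siiii64s"
COOKIE_LEN = struct.calcsize(COOKIE_FMT)   # 88
ELF_MAGIC = b"\x7fELF"


def find_pyinstaller_cookie(data):
    """Return the parsed cookie if `data` embeds a PyInstaller archive, else None.

    The cookie normally sits at the end of the file, but trailing bytes may be
    appended, so the last occurrence of the magic is located and parsed.
    """
    pos = data.rfind(PYINSTALLER_MAGIC)
    if pos < 0 or pos + COOKIE_LEN > len(data):
        return None
    _, pkg_len, toc_off, toc_len, pyver, pylib = struct.unpack_from(COOKIE_FMT, data, pos)
    # Sanity check: the TOC must lie inside the declared package.
    if toc_off < 0 or toc_len < 0 or toc_off + toc_len > pkg_len:
        return None
    return {
        "package_length": pkg_len,
        "toc_offset": toc_off,
        "toc_length": toc_len,
        "python_version": pyver,
        "python_lib": pylib.rstrip(b"\x00").decode("ascii", "replace"),
    }


def triage_file(data):
    """Classify a blob: is it an ELF, and does it contain a PyInstaller bundle?"""
    cookie = find_pyinstaller_cookie(data)
    return {"elf": data.startswith(ELF_MAGIC), "pyinstaller": cookie is not None, "cookie": cookie}


def build_sample():
    """Constructed test input: a fake 16-byte ELF ident, padding, then a cookie."""
    body = ELF_MAGIC + b"\x02\x01\x01" + b"\x00" * 9 + b"\x00" * 200
    cookie = struct.pack(COOKIE_FMT, PYINSTALLER_MAGIC, 288, 120, 40, 27, b"libpython2.7.so.1.0")
    return body + cookie


if __name__ == "__main__":
    print(triage_file(build_sample()))
```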

We have discovered four different versions of Xbash so far.

Code and timestamp differences among these versions show that it’s still under active development.

The botnet began to operate as early as May 2018.

Thus far, we’ve observed 48 incoming transactions to the Bitcoin wallet addresses used by the malware, which may indicate 48 victims of its ransom behaviour.
