
Unit 42 Researchers Discover Xbash – Malware Which Destroys Linux and Windows Based Databases

A new malware known as ‘Xbash’ has been discovered by Unit 42 researchers, as reported in a blog post at Palo Alto Networks. The malware is notable for its targeting breadth: it affects both Microsoft Windows and Linux servers. Unit 42 researchers have tied the malware to the Iron Group, a threat actor group previously known for ransomware attacks.

According to the blog post, Xbash has coinmining, self-propagating and ransomware capabilities. It also contains capabilities that, once implemented, could enable the malware to spread rapidly within an organization’s network, in ways similar to WannaCry or Petya/NotPetya.

Xbash Characteristics

Commenting on the characteristics of this new malware, Unit 42 researchers wrote, “Recently Unit 42 used Palo Alto Networks WildFire to identify a new malware family targeting Linux servers. After further investigation we realized it’s a combination of botnet and ransomware that was developed by an active cybercrime group Iron (aka Rocke) this year. We have named this new malware “Xbash”, based on the name of the malicious code’s original main module.”

The Iron Group previously focused on developing and spreading cryptocurrency transaction-hijacking and mining Trojans, mostly targeting Microsoft Windows. Xbash, however, is aimed at discovering all unprotected services, deleting users’ MySQL, PostgreSQL and MongoDB databases, and demanding a ransom in Bitcoin. Three known vulnerabilities used by Xbash to infect Windows systems are in Hadoop, Redis and ActiveMQ.

Xbash mainly spreads by targeting unpatched vulnerabilities and weak passwords. It is data-destructive: its ransomware capability consists of destroying Linux-based databases. Xbash contains no functionality that would restore the destroyed data once the ransom is paid.
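Because the ransomware component simply deletes databases rather than encrypting them, the most useful signal for a defender is the deletion activity itself. The following is an added example, not code from the article or from Unit 42, that scans a MySQL general query log for connections issuing a burst of DROP DATABASE statements, or any DROP DATABASE from a non-local host. The log lines are constructed for this example (the general log uses a `Time  Id Command  Argument` layout); the threshold and the "remote host" rule are assumptions to be tuned per environment.

```python
import re
from collections import defaultdict

# Constructed sample of a MySQL general query log. These lines are made up for
# this example and do not come from the Unit 42 report.
SAMPLE_LOG = """\
2018-09-17T10:00:01.000000Z\t   12 Connect\tadmin@198.51.100.7 on  using TCP/IP
2018-09-17T10:00:01.100000Z\t   12 Query\tSHOW DATABASES
2018-09-17T10:00:01.200000Z\t   12 Query\tDROP DATABASE `shop`
2018-09-17T10:00:01.300000Z\t   12 Query\tDROP DATABASE `crm`
2018-09-17T10:00:01.400000Z\t   12 Query\tDROP DATABASE `analytics`
2018-09-17T10:00:02.000000Z\t   13 Connect\tapp@localhost on shop using Socket
2018-09-17T10:00:02.100000Z\t   13 Query\tSELECT id FROM orders LIMIT 1
2018-09-17T10:05:00.000000Z\t   14 Connect\tdba@localhost on  using Socket
2018-09-17T10:05:00.100000Z\t   14 Query\tDROP DATABASE `scratch_tmp`
"""

# One general-log line: timestamp, tab, padded connection id, command, tab, argument.
LINE_RE = re.compile(r"^(?P<time>\S+)\t\s*(?P<id>\d+) (?P<cmd>\w+)\t(?P<arg>.*)$")
DROP_RE = re.compile(r"^\s*DROP\s+DATABASE\b", re.IGNORECASE)
# Connect argument looks like "user@host on <db> using <transport>".
CONNECT_RE = re.compile(r"^(?P<user>[^@\s]+)@(?P<host>\S+)")

LOCAL_HOSTS = {"localhost", "127.0.0.1", "::1"}


def find_mass_drops(log_text, threshold=2):
    """Return one alert per connection that dropped >= threshold databases,
    or dropped any database while connected from a non-local host."""
    sessions = {}                 # connection id -> (user, host)
    drops = defaultdict(list)     # connection id -> [(time, statement), ...]

    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        conn_id = int(m["id"])
        if m["cmd"] == "Connect":
            cm = CONNECT_RE.match(m["arg"])
            if cm:
                sessions[conn_id] = (cm["user"], cm["host"])
        elif m["cmd"] == "Query" and DROP_RE.match(m["arg"]):
            drops[conn_id].append((m["time"], m["arg"].strip()))

    alerts = []
    for conn_id, events in drops.items():
        user, host = sessions.get(conn_id, ("?", "?"))
        remote = host not in LOCAL_HOSTS
        if len(events) >= threshold or remote:
            alerts.append({
                "connection_id": conn_id,
                "user": user,
                "host": host,
                "remote": remote,
                "drop_count": len(events),
                "first_drop": events[0][0],
                "statements": [stmt for _, stmt in events],
            })
    return alerts


if __name__ == "__main__":
    for alert in find_mass_drops(SAMPLE_LOG):
        print(f"ALERT conn={alert['connection_id']} {alert['user']}@{alert['host']} "
              f"dropped {alert['drop_count']} database(s) starting {alert['first_drop']}")
        for stmt in alert["statements"]:
            print("   ", stmt)
```

The general log is often disabled in production because of its volume; the same logic can be fed from an audit plugin or from binary-log events instead. Detection of this kind does not bring the data back, which is why the backup item in the protection list below matters more than any alert.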

Unlike earlier well-known Linux botnets such as Gafgyt and Mirai, Xbash is a next-level Linux botnet that extends its reach to public websites, since it targets domains as well as IP addresses.

Figure: Xbash generates a list of IP addresses in the victim’s subnet and performs port scanning (Palo Alto Networks).

The blog post gives some further specifics on the malware’s capabilities:

  • It possesses botnet, coinmining, ransomware and self-propagation capabilities.
  • It targets Linux-based systems for its ransomware and botnet capabilities.
  • It targets Microsoft Windows-based systems for its coinmining and self-propagating capabilities.
  • The ransomware component targets and deletes Linux-based databases.
  • To date, we have observed 48 incoming transactions to these wallets with total income of about 0.964 bitcoins meaning 48 victims have paid about US $6,000 total (at the time of this writing).
  • However, there’s no evidence that the paid ransoms have resulted in recovery for the victims.
  • In fact, we can find no evidence of any functionality that makes recovery possible through ransom payment.
  • Our analysis shows this is likely the work of the Iron Group, a group publicly linked to other ransomware campaigns including those that use the Remote Control System (RCS), whose source code was believed to be stolen from the “HackingTeam” in 2015.

Protection against Xbash

Organizations can use the techniques and tips given by Unit 42 researchers to protect themselves from possible Xbash attacks:

  1. Using strong, non-default passwords
  2. Keeping up-to-date on security updates
  3. Implementing endpoint security on Microsoft Windows and Linux systems
  4. Preventing access to unknown hosts on the internet (to prevent access to command and control servers)
  5. Implementing and maintaining rigorous and effective backup and restoration processes and procedures.
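Items 1, 2 and 4 above come down to knowing which database and broker services a host exposes to the network. The following is an added example, not code from the article or from Unit 42, that audits constructed `ss -lntp` output and flags listeners for the services the article names (MySQL, PostgreSQL, MongoDB, Redis, Hadoop YARN, ActiveMQ) that are bound to a wildcard or non-loopback address. The port table assumes stock default ports, which is an assumption; deployments that move a service to another port need the table adjusted.

```python
import re

# Default TCP ports for the services named in the article. Assumption: stock
# defaults; adjust if a deployment has relocated a service.
WATCHED_PORTS = {
    3306: "MySQL",
    5432: "PostgreSQL",
    27017: "MongoDB",
    6379: "Redis",
    8088: "Hadoop YARN ResourceManager",
    8161: "ActiveMQ web console",
    61616: "ActiveMQ OpenWire",
}

WILDCARD_BINDS = {"0.0.0.0", "*", "[::]", "::"}
LOOPBACK_BINDS = {"127.0.0.1", "[::1]", "::1"}

# Constructed `ss -lntp` output for this example; not captured from a real host.
SAMPLE_SS = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port  Process
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*          users:(("sshd",pid=812,fd=3))
LISTEN  0       80      127.0.0.1:3306       0.0.0.0:*          users:(("mysqld",pid=1201,fd=21))
LISTEN  0       128     0.0.0.0:6379         0.0.0.0:*          users:(("redis-server",pid=1310,fd=6))
LISTEN  0       128     *:27017              *:*                users:(("mongod",pid=1422,fd=11))
LISTEN  0       128     [::]:8088            [::]:*             users:(("java",pid=1533,fd=45))
LISTEN  0       128     10.0.0.5:5432        0.0.0.0:*          users:(("postgres",pid=1600,fd=5))
"""

# Pulls the process name out of users:(("name",pid=...,fd=...)).
PROC_RE = re.compile(r'\(\("([^"]+)"')


def classify_bind(addr):
    """wildcard = every interface, loopback = local only, interface = one address."""
    if addr in WILDCARD_BINDS:
        return "wildcard"
    if addr in LOOPBACK_BINDS:
        return "loopback"
    return "interface"


def audit_listeners(ss_output):
    """Return a finding for every LISTEN socket on a watched port."""
    findings = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        # Local Address:Port is the 4th column; split on the last colon so
        # IPv6 forms like [::]:8088 are handled.
        addr, _, port = fields[3].rpartition(":")
        if not port.isdigit():
            continue
        port = int(port)
        service = WATCHED_PORTS.get(port)
        if service is None:
            continue
        proc = PROC_RE.search(line)
        findings.append({
            "service": service,
            "port": port,
            "bind": addr,
            "exposure": classify_bind(addr),
            "process": proc.group(1) if proc else None,
        })
    return findings


def network_reachable(findings):
    """Findings that a host elsewhere on the network could connect to."""
    return [f for f in findings if f["exposure"] != "loopback"]


if __name__ == "__main__":
    for f in network_reachable(audit_listeners(SAMPLE_SS)):
        print(f"{f['service']:28} port {f['port']:<6} bound to {f['bind']:10} "
              f"({f['exposure']}, process {f['process']})")
```

For every listener the audit reports, the follow-up is the checklist above: confirm the service requires a strong, non-default credential, confirm it is at a patched version, and restrict inbound reachability with host or network firewall rules. Run the audit against live `ss -lntp` output by reading it from stdin or a file instead of the constructed sample.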