Article by researchers Claud Xiao, Cong Zheng and Xingyu Jin
Unit 42 researchers have found a new malware family that is targeting Linux and Microsoft Windows servers.
We can tie this malware, which we have named Xbash, to the Iron Group, a threat actor group known for previous ransomware attacks.
Xbash has ransomware and coinmining capabilities.
It also has self-propagating capabilities (meaning it has worm-like characteristics similar to WannaCry or Petya/NotPetya).
It also has capabilities not currently implemented that, when implemented, could enable it to spread very quickly within an organisations’ network (again, much like WannaCry or Petya/NotPetya).
Xbash spreads by attacking weak passwords and unpatched vulnerabilities.
Xbash is data-destructive; destroying Linux-based databases as part of its ransomware capabilities.
We can also find no functionality within Xbash that would enable restoration after the ransom is paid.
This means that, similar to NotPetya, Xbash is data destructive malware posing as ransomware.
Organisations can protect themselves against Xbash by:
- Using strong, non-default passwords
- Keeping up-to-date on security updates
- Implementing endpoint security on Microsoft Windows and Linux systems
- Preventing access to unknown hosts on the internet (to prevent access to command and control servers)
- Implementing and maintaining rigorous and effective backup and restoration processes and procedures.
Below are some more specifics on Xbash’s capabilities:
- It combines botnet, coinmining, ransomware and self-propagation
- It targets Linux-based systems for its ransomware and botnet capabilities
- It targets Microsoft Windows-based systems for its coinmining and self-propagating capabilities
- The ransomware component targets and deletes Linux-based databases
- To date, we have observed 48 incoming transactions to these wallets with total income of about 0.964 bitcoins meaning 48 victims have paid about US$6,000 total (at the time of publication)
- However, as see no evidence that the paid ransoms have resulted in recovery for the victims
- In fact, we can find no evidence of any functionality that makes recovery possible through ransom payment.
- Our analysis shows this is likely the work of the Iron Group, a group publicly linked to other ransomware campaigns including those that use the Remote Control System (RCS), whose source code was believed to be stolen from the HackingTeam in 2015.
Recently Unit 42 used Palo Alto Networks WildFire to identify a new malware family targeting Linux servers.
After further investigation, we realised it’s a combination of botnet and ransomware that was developed by an active cybercrime group Iron (aka Rocke) this year.
We have named this new malware “Xbash”, based on the name of the malicious code’s original main module.
Previously the Iron group developed and spread cryptocurrency miners or cryptocurrency transaction hijacking trojans mainly intended for Microsoft Windows, with only a few for Linux.
Instead, Xbash is aimed at discovering unprotected services, deleting victim’s MySQL, PostgreSQL and MongoDB databases, and ransom for Bitcoins.
Xbash uses three known vulnerabilities in Hadoop, Redis and ActiveMQ for self-propagation or infecting Windows systems.
Other new technical characteristics in Xbash that are worth noting:
- Developed in Python: Xbash was developed using Python and was then converted into self-contained Linux ELF executables by abusing the legitimate tool PyInstaller for distribution.
- Targets IP addresses and domain names: Modern Linux malware such as Mirai or Gafgyt usually generate random IP addresses as scanning destinations. By contrast, Xbash fetches from its C2 servers both IP addresses and domain names for service probing and exploiting.
- Intranet Scanning Functionality: The Xbash authors have developed the new capability of scanning for vulnerable servers within enterprise intranet. We see this functionality in the samples but, interestingly, it has not yet been enabled.
We have discovered four different versions of Xbash so far.
Code and timestamp differences among these versions show that it’s still under active development.
The botnet began to operate as early as May 2018.
Thus far, we’ve observed 48 incoming transactions to the Bitcoin wallet addresses used by the malware, which may indicate 48 victims of its ransom behaviour.