Xbash malware acts as ransomware on Linux, mines crypto on Windows

by Ugnius Kiguolis - - 2018-09-19

Cryptomining, ransomware and botnet capabilities utilizing Xbash malware targeting Windows and Linux servers

Xbash malware Malware with crypto mining, ransomware and worm capabilities is targeting Linux and Windows servers.

The new malware strain, dubbed Xbash, was recently discovered by Palo Alto Networks.^[1] The deadly virus posses ransomware,^[2] cryptojacking, botnet and worm capabilities, and targets Windows and Linux servers. The most vulnerable are those who do not patch their systems, in addition to victims using weak passwords and usernames.

Ryan Olson, the vice president of threat intelligence at Unit 42 said:

Taken as a whole, we've not [before] seen this combination of ransomware, coinmining, worm capabilities, and targeting both Linux and Windows systems.

According to researchers, Xbash malware can be tied to the Iron Group hackers,^[3] that was actively distributing ransomware in past years, as well as infecting computers with crypto-mining malware. The group is known for their Monero mining habits and also can be traced to China.

Criminals' willingness to a switch the business model from ransomware to cryptomining is quite common, as it seems to be more profitable. That is why Iron Cybercrime Group was spreading the devastating Rocke virus since 2018, which was abusing systems' resources to mine Monero.

Unfortunately for victims, however, the hackers now came up with the malware combining many aspects, which allows it to self-propagate and selectively inject coinminer into Windows systems, while picking ransomware-type infection for Linux.

The general infection of Xbash functions as a botnet for all the malicious activity. The internet-wide scanner targets devices that have unpatched software or use weak credentials for protection.

Linux servers suffer from traditional ransomware functionality

Unit 42 expert group stated that Xbash attacks Windows and Linux differently. Ransomware and botnet features used when targeting Linux servers and cryptocurrency mining are propagated on Windows OS servers.

Ransomware function of Xbash is designed to delete databases on targeted Linux systems. As typical crypto-extortionist, this virus demands to pay up for the encrypted data inside the ransom note that is left after MySQL, MongoDB, and PostgreSQL databases are deleted. However, there is no possibility to recover files after encryption, therefore, users who pay criminals lose their money. The malware is solely not configured to back up the data it encrypts.

The victim is asked to pay 0.02 Bitcoin to recover locked files. The Bitcoin wallet associated with hackers already received 0.96 BTC from 48 transactions.

Windows servers are used to mine cryptocurrency on the infected network

While Linux OS can get infected while using exploits to utilize Hadoop, Redis or ActiveMQ servers, Windows machines can only be affected if the entry point is a susceptible Redis^[4] server. A different module is loaded instead of the standard ransomware and botnet, and coin mining segment is unloaded instead.

According to research, the scan module is capable of scanning for Windows services that were left unprotected while connected to the internet. Those who use weak usernames and passwords are also at risk.

The botnet module of Xbash will attempt to brute-force^[5] its way to the following services:

RDP
HTTP
Oracle DB
FTP
MySQL, etc.

The wide scanning allows hackers to reach the number of infected machines much faster, meaning that profits from coin mining increase rapidly, although it currently not known how much bad actors earned so far from this activity.

Additionally, the worm component of Xbash allows it self-propagate within the network of the company immediately. Nevertheless, researches say that this feature is not fully developed yet. The worm is meant to check for a long list of ports and services before infecting all the machines on the network.

To conclude, Xbash will be most likely coming back even stronger with improved functionality and the coin mining feature for Linux operating systems, allowing hackers to earn even more than they do right now.

About the author

Ugnius Kiguolis - The mastermind

Ugnius Kiguolis is a professional malware analyst who is also the founder and the owner of 2-Spyware. At the moment, he takes over as Editor-in-chief.

Contact Ugnius Kiguolis
About the company Esolutions

References

^ Claud Xiao, Cong Zheng and Xingyu Jin. Xbash Combines Botnet, Ransomware, Coinmining in Worm that Targets Linux and Windows. Paloaltonetworks. Research center.
^ Ransomware. Techtarget. Search security.
^ Omri Ben Bassat. Iron cybercrime group under the scope. Intezer. Malware analysis.
^ 75% of the 'Left to Get Hacked' Redis Servers Found Infected. The Hacker News. Cybersecurity news platform.
^ Stronger and more frequent Brute Force Attacks are now the norm. Foregenix. Global cybersecurity experts.