Xbash malware acts as ransomware on Linux, mines crypto on Windows

by Ugnius Kiguolis

Xbash malware combines cryptomining, ransomware and botnet capabilities and targets Windows and Linux servers

The new malware strain, dubbed Xbash, was recently discovered by Palo Alto Networks.[1] The deadly virus possesses ransomware,[2] cryptojacking, botnet and worm capabilities, and targets Windows and Linux servers. The most vulnerable are those who do not patch their systems, along with those who use weak passwords and usernames.

Ryan Olson, the vice president of threat intelligence at Unit 42, said:

Taken as a whole, we've not [before] seen this combination of ransomware, coinmining, worm capabilities, and targeting both Linux and Windows systems. 

According to researchers, Xbash malware can be tied to the Iron Group,[3] which was actively distributing ransomware in past years, as well as infecting computers with crypto-mining malware. The group is known for its Monero mining habits and can also be traced to China.

Criminals' willingness to switch their business model from ransomware to cryptomining is quite common, as it seems to be more profitable. That is why the Iron Cybercrime Group has been spreading the devastating Rocke virus since 2018, which abused systems' resources to mine Monero.

Unfortunately for victims, however, the hackers have now come up with malware that combines many capabilities, which allows it to self-propagate and selectively inject a coinminer into Windows systems, while picking a ransomware-type infection for Linux.

The general infection of Xbash functions as a botnet for all the malicious activity. The internet-wide scanner targets devices that have unpatched software or use weak credentials for protection.

Linux servers suffer from traditional ransomware functionality

The Unit 42 expert group stated that Xbash attacks Windows and Linux differently. Ransomware and botnet features are used when targeting Linux servers, while cryptocurrency mining is propagated on Windows servers.

The ransomware function of Xbash is designed to delete databases on targeted Linux systems. Like a typical crypto-extortionist, this virus demands payment for the encrypted data in the ransom note that is left after MySQL, MongoDB, and PostgreSQL databases are deleted. However, there is no possibility of recovering files after encryption, so users who pay the criminals lose their money. The malware is simply not configured to back up the data it encrypts.

The victim is asked to pay 0.02 Bitcoin to recover locked files. The Bitcoin wallet associated with the hackers has already received 0.96 BTC from 48 transactions.

Windows servers are used to mine cryptocurrency on the infected network

While Linux systems can be infected through exploits against Hadoop, Redis or ActiveMQ servers, Windows machines can only be affected if the entry point is a susceptible Redis[4] server. In that case a different module is loaded: the coin mining segment is delivered instead of the standard ransomware and botnet.

According to research, the scan module is capable of scanning for Windows services that were left unprotected while connected to the internet. Those who use weak usernames and passwords are also at risk.

The botnet module of Xbash will attempt to brute-force[5] its way to the following services:

  • RDP
  • HTTP
  • Oracle DB
  • FTP
  • MySQL, etc.
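
As a defender-side check for the exposure described above (an added example, not part of the original article or of the Unit 42 research), the Python below parses `ss -ltn` output and reports listeners for the services the article names that are bound to non-loopback addresses. The port numbers are the services' usual defaults, which is an assumption about the host, and the sample output is constructed.

```python
import ipaddress

# Usual default ports for services the article names (assumption: defaults in use).
DEFAULT_PORTS = {
    21: "FTP", 1521: "Oracle DB", 3306: "MySQL", 3389: "RDP",
    5432: "PostgreSQL", 6379: "Redis", 8088: "Hadoop YARN",
    27017: "MongoDB", 61616: "ActiveMQ",
}

def is_loopback(host: str) -> bool:
    """True when the bind address is reachable only from the local machine."""
    host = host.strip("[]").split("%")[0]    # drop IPv6 brackets and %iface scope
    if host == "*":                           # ss prints * for "all interfaces"
        return False
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False                          # unknown form: treat as exposed

def exposed_services(ss_output: str):
    """Return sorted (service, bind address, port) for non-loopback listeners."""
    findings = set()
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue                          # skip the header and malformed lines
        host, _, port = fields[3].rpartition(":")
        if port.isdigit() and int(port) in DEFAULT_PORTS and not is_loopback(host):
            findings.add((DEFAULT_PORTS[int(port)], host, int(port)))
    return sorted(findings)

# Constructed sample of `ss -ltn` output, not taken from a real host.
SAMPLE = """\
State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      511    0.0.0.0:6379       0.0.0.0:*
LISTEN 0      244    127.0.0.1:5432     0.0.0.0:*
LISTEN 0      151    [::]:3306          [::]:*
LISTEN 0      128    [::1]:27017        [::]:*
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*
"""

if __name__ == "__main__":
    for service, host, port in exposed_services(SAMPLE):
        print(f"{service} listens on {host}:{port} (not loopback-only)")
```

A listener flagged here still needs a firewall and credential review; binding to loopback only removes the network path that an internet-wide scanner relies on.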

The wide scanning allows hackers to increase the number of infected machines much faster, meaning that profits from coin mining increase rapidly, although it is currently not known how much the bad actors have earned so far from this activity.

Additionally, the worm component of Xbash allows it to self-propagate within the network of the company immediately. Nevertheless, researchers say that this feature is not fully developed yet. The worm is meant to check for a long list of ports and services before infecting all the machines on the network.

To conclude, Xbash will most likely come back even stronger with improved functionality and the coin mining feature for Linux operating systems, allowing hackers to earn even more than they do right now.

About the author


Ugnius Kiguolis is a professional malware analyst who is also the founder and the owner of 2-Spyware. At the moment, he takes over as Editor-in-chief.


References