New XBash malware combines ransomware, coinminer, botnet, a…
A new malware strain has been discovered in the wild that combines features from four types of malware categories –ransomware, coinminers, botnets, and worms– to create a dangerous cocktail that has been wreaking havoc among Linux and Windows servers.
Named XBash, this new malware strain is the work of a well-known criminal group previously identified under the codenames of Iron [1, 2] and Rocke, and which has been extremely active in the past two years.
Iron has been tied to ransomware distribution campaigns, but also to a massive crypto-mining operation. Cisco Talos has called this group “the champion of Monero miners,” and has hinted the group may be based in China.
Until now, the Iron group has focused on one operation at a time, using specific malware for specific tasks. It deployed ransomware in 2017 and early 2018, and then switched to spreading a cryptocurrency miner (coinminer) in 2018.
But Palo Alto Networks researchers say the group has now rolled out the new XBash malware strain that is a combination of all their previous tactics, rolling a botnet-like structure together with coinminer and ransomware functionality, all into one.
Furthermore, the group also appears to be working on a worm component that self-spreads inside isolated corporate networks.
Still, not all modules are active at the same time though. Palo Alto Networks says the botnet and ransomware features are only active when the malware infects Linux systems, while the coinminer only works on Windows servers.
The way XBash works is by using the botnet module as a base for all its nefarious activity. This module is basically an Internet-wide scanner that searches the Internet for unpatched web applications that are vulnerable to known exploits or which use default credentials.
XBash’s scanner module uses exploits to take over Hadoop, Redis or ActiveMQ servers, where it deploys a copy of its botnet and ransomware module –if they’re Linux systems.
It can also infect Windows systems, but only if the entry point is a vulnerable Redis server. The group uses a special code routine in this case, to deploy a coinminer instead of its standard botnet and ransomware module.
But the scanner module can do more than deliver exploits. Researchers say this module can also port scan the Internet for servers that run services that have been left online exposed without a password or are using weak credentials.
This second scanner module –part of XBash’s botnet functionality– will look for and attempt to brute-force its way into services such as web servers (HTTP), VNC, MariaDB, MySQL, PostgreSQL, Redis, MongoDB, Oracle DB, CouchDB, ElasticSearch, Memcached, FTP, Telnet, RDP, UPnP/SSDP, NTP, DNS, SNMP, LDAP, Rexec, Rlogin, Rsh, and Rsync.
This provides attackers with a larger attack area and helps their botnet grow faster than similar threats.
But while only Windows systems can be directly monetized through coin-mining operations, Linux instances aren’t left for dead.
Palo Alto Networks researchers say that once XBash has a foothold on Linux servers, the malware scans for the presence of any locally-running database services.
Here is where its ransomware component comes into play. Palo Alto Networks says this XBash component will scan and delete MySQL, MongoDB, and PostgreSQL databases and leave a ransom note behind.
The ransom note informs victims they’ll have to pay 0.02 Bitcoin ($125) to recover their databases. The ransom note claims the victim’s database has been backed up on the attacker’s server, but researchers say this is not true, as an analysis of XBash’s source code revealed the malware is only configured to wipe data and not back it up.
An analysis of a Bitcoin address found in some ransom notes reveals the group made 0.964 Bitcoin (~$6,000) by tricking victims into paying a ransom for databases they’ve actually deleted.
But besides the botnet, coinminer, and ransomware component, there’s also a worm component, responsible for spreading XBash to internal networks.
Palo Alto Networks says this component is present in the code, but not active in the malware per-se, appearing to be in an in-development phase.
According to their analysis, this module was meant only for deployment on Windows servers and consists of a “LanScan” function that generates a list of IP addresses for the same network subnet the infected host is situated on.
The worm component is supposed to probe the same long list of ports and services listed above, in an attempt to get access to other computers inside a company’s network.
The reason, researchers explain, is that inside corporate networks or intranets, computers situated on the internal network (and not directly connected to the Internet) may have fewer security measures, or may be configured to use weaker passwords than the ones directly connected online.
For now, this feature is not active, but researchers expect to see it go live in future XBash versions.
All in all, XBash is very much a work in progress, and experts expect the Iron group to activate the coinminer component for Linux servers as well, as this would allow crooks to generate even more profits than they’re generating right now.