Xbash Malware Combines Features of Ransomware, Coin Mining and Botnet


An all-in-one destructive malware has been discovered in the wild that features multiple malware capabilities including ransomware, cryptocurrency miner, botnet, and self-propagating worm targeting Linux and Windows systems.

The new malware which has been dubbed as XBash is believed to be bind to the Iron Group, a.k.a. Rocke—the Chinese speaking APT threat actors group known for previous cyber-attacks involving ransomware and cryptocurrency miners.

The malware was revealed by the researchers from security vendor Palo Alto Networks and according to them it is an all-in-one malware that features ransomware and cryptocurrency mining capabilities, as well as worm-like ability similar to WannaCry.

Besides self-propagating capabilities, XBash has a functionality that could allow the malware to spread quickly within an organization’s network, but this has not been implemented yet.

XBash is developed in Python and it searches for vulnerable or unprotected web services and deletes databases such as MySQL, PostgreSQL, and MongoDB running on Linux servers, as part of its ransomware capabilities.

It has been designed to scan for services on a target IP, on both TCP and UDP ports such as HTTP, VNC, MySQL/MariaDB, Telnet, FTP, MongoDB, RDP, ElasticSearch, Oracle Database, CouchDB, Rlogin and PostgreSQL.

When they find an open port, the malware performs brute force attack into the vulnerable system by using a weak username and password. When they enter it deletes all the databases and then displays the ransom note.

The malware does not contain any functionality by itself that would allow the recovery of the deleted databases once a ransom amount has been paid by the victims.

As of now XBash has infected at least 48 victims, who have already paid the ransom, making about $6,000 for cybercriminals behind the threat. But there are no evidence for data being recovered even after making the payments.

The malware can add targeted Linux-based systems in a botnet.

XBash Malware Exploits Flaws in Hadoop, Redis, and ActiveMQ

XBash targets Microsoft Windows machines only for cryptocurrency mining and self-propagation. For self-propagation, it exploits three known vulnerabilities in Hadoop, Redis, and ActiveMQ:

  • Hadoop YARN ResourceManager unauthenticated command execution bug disclosed in October 2016 and has no CVE number assigned.
  • Redis arbitrary file writes, and remote command execution vulnerability disclosed in October 2015 with no CVE number assigned.
  • ActiveMQ arbitrary file write vulnerability (CVE-2016-3088), disclosed in earlier 2016.

If the entry point is a vulnerable Redis service, Xbash will send malicious JavaScript or VBScript payload for downloading and executing a coinminer for Windows instead of its botnet and ransomware module.

After developing in Python, the XBash will be converted to Portable Executable (PE) using PyInstaller, which can create binaries for multiple platforms, including Windows, Apple macOS, and Linux, and also provides anti-detection.

This enables XBash to be truly cross-platform malware.

Users can protect themselves against XBash by

  • change default login credentials on your systems
  • use strong and non-default passwords
  • keep operating system and software up-to-date
  • avoid downloading and running untrusted files or clicking links
  • take backup of their data regularly
  • prevent unauthorized connection using a firewall.
Priyanka R
Cyber Security Enthusiast, Security Blogger, Technical Editor, Author at Cyber Safe News

    Mirai Botnet Creators Help FBI Fight Cybercrime

    Previous article

    Magecart Stole Customers’ Credit Cards From Newegg Electronics Retailer

    Next article

    You may also like

    More in Ransomware


    Leave a reply

    Your email address will not be published. Required fields are marked *