XBash Malware

Triple Threat! XBash = Ransomware, Botnet, & Coin Mining

Talk about a hat trick. XBash will beat you down three ways with one piece of malware. First, it installs a bot that lets the attacker use your system for other attacks, including brute-forcing passwords, denial-of-service attacks, and even spamming porn to the world.

Then it installs a coin miner that mines cryptocurrency in the background, making your computer run slower, and slower, and slower, using your system to make them money. And then the main course: when they are ready, the ransomware component deletes your databases and demands a ransom in bitcoin to get them back. As the rest of this post explains, it cannot give them back, and paying only funds the next victim. Read on to find out how to protect your systems.

Introducing XBash

XBash is an all-in-one malware strain that combines ransomware, a cryptocurrency miner, a botnet, and a self-propagating worm, and it targets both Linux and Windows systems. It has been linked to the Iron Group (also known as Rocke), and its worm-like spread is reminiscent of WannaCry.

XBash’s self-propagating capabilities allow the malware to spread quickly within an organization’s network. On the Linux side, XBash hunts for exposed, unprotected network services and, once in, deletes databases such as MySQL, PostgreSQL, and MongoDB. That destructive behaviour is what the "ransomware" label refers to.

Ransomware Ability

XBash scans target IPs for services on both TCP and UDP ports, including HTTP, VNC, MySQL/MariaDB, Telnet, FTP, MongoDB, RDP, Elasticsearch, Oracle Database, CouchDB, Rlogin, and PostgreSQL.

As soon as an open port is found, it runs a dictionary-based brute-force attack against the service. Once XBash gets in, it deletes all the databases and leaves a ransom note behind.

XBash was built to delete databases, not to recover them: it contains no code to back up or restore what it deletes. Even if a victim pays, there is no way to get the deleted databases back.

At the time of the original report, 48 victims had already paid the ransom without recovering any data, netting the criminals behind the malware about $6,000 from this scheme.
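The sequence described above, a burst of failed logins from one address, a successful login from the same address, then DROP DATABASE statements and a new "note" database, is what a database-side detection should key on. The following added example (mine, not code from the original article or from the researchers who analysed XBash) correlates those events in a simplified MySQL general query log. The log lines, the log format, the thresholds, and the ransom-note database name are all constructed assumptions; adapt the regexes to your server's actual log format.

```python
"""
Detect an XBash-style "brute force, then drop the databases" sequence in
MySQL general query log lines. Added example, not code from the original
article; log lines, log format and thresholds are constructed assumptions.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Simplified general-log line: <timestamp> <thread_id> <Command> <argument>
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})\s+(?P<tid>\d+)\s+"
    r"(?P<cmd>Connect|Query|Quit)\s*(?P<arg>.*)$"
)
DENIED_RE = re.compile(r"Access denied for user '(?P<user>[^']*)'@'(?P<ip>[^']*)'")
CONNECT_RE = re.compile(r"^(?P<user>[^@\s]+)@(?P<ip>\S+) on")
DROP_RE = re.compile(r"^\s*DROP\s+DATABASE\b", re.IGNORECASE)
CREATE_RE = re.compile(r"^\s*CREATE\s+DATABASE\s+`?(?P<db>[^`\s;]+)", re.IGNORECASE)

MAX_FAILED = 5        # failed logins from one IP inside WINDOW_SECONDS (assumed)
WINDOW_SECONDS = 60


def detect(lines, max_failed=MAX_FAILED, window=WINDOW_SECONDS):
    """Return one alert per session that followed a brute-force burst from the
    same IP and then issued DROP DATABASE. Drops from other sessions (routine
    admin work) are deliberately not reported."""
    failures = defaultdict(deque)   # ip -> timestamps of recent failed logins
    brute_ips = set()               # ips that crossed the failure threshold
    thread_ip = {}                  # thread id -> ip, for sessions from brute_ips
    dropped = defaultdict(list)     # thread id -> DROP DATABASE statements
    created = defaultdict(list)     # thread id -> names of databases created

    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%S")
        tid, cmd, arg = m["tid"], m["cmd"], m["arg"]

        if cmd == "Connect":
            denied = DENIED_RE.search(arg)
            if denied:
                window_q = failures[denied["ip"]]
                window_q.append(ts)
                while window_q and (ts - window_q[0]).total_seconds() > window:
                    window_q.popleft()       # keep only failures inside the window
                if len(window_q) >= max_failed:
                    brute_ips.add(denied["ip"])
                continue
            ok = CONNECT_RE.match(arg)
            if ok and ok["ip"] in brute_ips:
                thread_ip[tid] = ok["ip"]    # brute-forcer got in: track the session
        elif cmd == "Query" and tid in thread_ip:
            if DROP_RE.match(arg):
                dropped[tid].append(arg.strip())
            cr = CREATE_RE.match(arg)
            if cr:
                created[tid].append(cr["db"])

    alerts = []
    for tid, ip in thread_ip.items():
        if dropped[tid]:
            alerts.append({"ip": ip, "thread": tid,
                           "dropped": dropped[tid], "created": created[tid]})
    return alerts


# Constructed sample log: five failures from 203.0.113.7, a successful login,
# two drops and a "note" database; then an unrelated admin drop from 10.0.0.5.
SAMPLE_LOG = """\
2018-09-10T08:00:01 11 Connect Access denied for user 'root'@'203.0.113.7' (using password: YES)
2018-09-10T08:00:02 12 Connect Access denied for user 'root'@'203.0.113.7' (using password: YES)
2018-09-10T08:00:03 13 Connect Access denied for user 'root'@'203.0.113.7' (using password: YES)
2018-09-10T08:00:04 14 Connect Access denied for user 'root'@'203.0.113.7' (using password: YES)
2018-09-10T08:00:05 15 Connect Access denied for user 'root'@'203.0.113.7' (using password: YES)
2018-09-10T08:00:06 16 Connect root@203.0.113.7 on  using TCP/IP
2018-09-10T08:00:07 16 Query SHOW DATABASES
2018-09-10T08:00:08 16 Query DROP DATABASE `shop`
2018-09-10T08:00:08 16 Query DROP DATABASE `crm`
2018-09-10T08:00:09 16 Query CREATE DATABASE `PLEASE_READ_ME`
2018-09-10T08:00:10 16 Quit
2018-09-10T08:05:00 17 Connect app@10.0.0.5 on  using TCP/IP
2018-09-10T08:05:01 17 Query DROP DATABASE `staging_tmp`
2018-09-10T08:05:02 17 Quit
""".splitlines()

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

The point of keying on the session rather than on DROP DATABASE alone is the second half of the sample: a legitimate drop from an application host produces nothing, while the brute-forcer's session is reported together with the databases it destroyed and the note it left.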

Cryptocurrency Mining & Self-Propagation

XBash uses Microsoft Windows machines for cryptocurrency mining and self-propagation. To spread, it exploits three known vulnerabilities:

  • Hadoop YARN ResourceManager unauthenticated command execution bug, disclosed in October 2016, with no CVE number assigned.
  • Redis arbitrary file write and remote command execution vulnerability, disclosed in October 2015, with no CVE number assigned.
  • ActiveMQ arbitrary file write vulnerability (CVE-2016-3088), disclosed in early 2016.
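Of the three, the Redis weakness is the one most installations can close with configuration alone. The file-write technique (CONFIG SET dir, CONFIG SET dbfilename, then SAVE) only works when the instance is reachable from the network, has no password, and still exposes the CONFIG command. The added example below (mine, not the article's or the Redis project's code) audits a redis.conf for exactly those three conditions; both sample configurations are constructed.

```python
"""
Audit a redis.conf for the settings that let the Redis file-write technique
(CONFIG SET dir <path>; CONFIG SET dbfilename <name>; SAVE) be driven over the
network by an unauthenticated client. Added example, not code from the
original article or from Redis; both configurations below are constructed.
"""

ALL_INTERFACES = {"0.0.0.0", "*", "::"}


def parse_redis_conf(text):
    """Parse redis.conf into {directive: [args, ...]}, one args list per
    occurrence, so repeated directives such as rename-command are all kept."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        conf.setdefault(parts[0].lower(), []).append(parts[1:])
    return conf


def audit(conf):
    """Return the findings plus a verdict on whether the unauthenticated
    file-write chain would work against this configuration."""
    findings = []

    binds = [b for args in conf.get("bind", []) for b in args]
    pm = conf.get("protected-mode", [[]])[-1]
    pm_value = pm[0].lower() if pm else None
    all_ifaces = any(b in ALL_INTERFACES for b in binds)
    # Redis before 3.2 has no protected mode, so an unbound instance is treated
    # as reachable unless protected-mode is explicitly "yes" (conservative).
    unbound_open = not binds and pm_value != "yes"
    if all_ifaces:
        findings.append("bind: listens on every interface")
    elif unbound_open:
        findings.append("bind: not set and protected-mode not explicitly yes")
    reachable = all_ifaces or unbound_open

    pw = conf.get("requirepass", [[]])[-1]
    no_password = not pw or pw[0] in ('""', "''")
    if no_password:
        findings.append("requirepass: no password set")

    config_renamed = any(args and args[0].upper() == "CONFIG"
                         for args in conf.get("rename-command", []))
    if not config_renamed:
        findings.append("rename-command: CONFIG still callable "
                        "(CONFIG SET dir/dbfilename + SAVE writes arbitrary files)")

    return {
        "findings": findings,
        "file_write_possible": reachable and no_password and not config_renamed,
    }


# Constructed: the configuration an XBash-style scanner is looking for.
WEAK_CONF = """\
bind 0.0.0.0
port 6379
protected-mode no
# requirepass deliberately left unset
"""

# Constructed: same service, closed to the technique. The password is a
# placeholder; use a long random secret.
HARDENED_CONF = """\
bind 127.0.0.1
port 6379
protected-mode yes
requirepass CHANGE-ME-to-a-long-random-secret
rename-command CONFIG ""
rename-command FLUSHALL ""
"""

if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit(parse_redis_conf(text)))
```

Renaming CONFIG to the empty string disables it entirely; if your deployment tooling needs CONFIG, rename it to an unguessable name instead and keep the other two controls. A firewall in front of port 6379 is still worth having, since the audit only sees what the config file says, not what the network allows.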

XBash was developed in Python and then packaged into self-contained executables with PyInstaller. PyInstaller can produce such binaries for Windows, Apple macOS, and Linux, and bundling the interpreter and scripts into one file also makes the Python code harder for antivirus engines to inspect.
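A PyInstaller bundle is easy to recognize in triage because every build embeds the same 8-byte archive cookie magic regardless of target platform. The added example below (mine, not code from the original article) flags files carrying it; the byte blobs are constructed stand-ins for real binaries. A hit only says "built with PyInstaller", which plenty of legitimate tools are, so treat it as a pivot for extracting and reading the bundled Python, not as a verdict.

```python
"""
Triage check for PyInstaller-bundled executables. Added example, not code
from the original article; the sample byte blobs are constructed.
"""

# Magic that starts PyInstaller's archive cookie, present in every bundle it
# builds (Windows PE, Linux ELF or macOS Mach-O alike).
PYINST_COOKIE_MAGIC = b"MEI\x0c\x0b\x0a\x0b\x0e"


def is_pyinstaller_bundle(data: bytes) -> bool:
    """True if the PyInstaller cookie magic appears anywhere in the file.
    The cookie sits near the end of the file, so search from the back."""
    return data.rfind(PYINST_COOKIE_MAGIC) != -1


def scan_files(files):
    """files: {name: bytes}. Returns the sorted names flagged as bundles."""
    return sorted(name for name, data in files.items() if is_pyinstaller_bundle(data))


# Constructed samples: a fake ELF header and a fake PE header with the cookie
# appended, plus a shell script that does not carry it. Names are made up.
SAMPLES = {
    "scanner.elf": b"\x7fELF" + b"\x00" * 60 + b"...payload..." + PYINST_COOKIE_MAGIC + b"\x00" * 16,
    "miner.exe": b"MZ" + b"\x00" * 62 + b"PE\x00\x00" + b"...payload..." + PYINST_COOKIE_MAGIC + b"\x00" * 16,
    "update.sh": b"#!/bin/sh\necho hello\n",
}

if __name__ == "__main__":
    print(scan_files(SAMPLES))
```

On a real host, read each candidate with open(path, "rb").read() and feed it to scan_files; a positive result is the cue to unpack the archive and review the embedded scripts rather than to block on the packer alone.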

What Can You Do?

Users can defend against XBash by following these basic cybersecurity practices:

  • change default login credentials on your systems
  • use strong and unique passwords
  • keep your operating system and software up-to-date
  • avoid downloading and running untrusted files or clicking links
  • back up your data regularly, and keep at least one copy offline
  • block unauthorized connections with a firewall, especially to database ports

Original Article Found Here.
