Xbash: malware for ransoming Linux DBs and Windows crypto-mining


Malware that’s infecting Linux servers and deleting databases for ransom also searches vulnerable Windows servers to exploit for cryptocurrency mining. 

The malware, dubbed Xbash by Palo Alto Networks' Unit 42, has two sets of features, one for the Linux machines and one for the Windows machines it may infect. On Linux, Xbash can destroy data hosted in MySQL, PostgreSQL and MongoDB databases and demand a ransom in Bitcoin.

It also exploits three known vulnerabilities in Hadoop, Redis and ActiveMQ, either to spread as a network worm or to infect Windows systems, which are then forced to run a cryptocurrency miner.

In the event that Xbash can exploit a vulnerable Redis database, it confirms whether that service is running on Windows and uses malicious JavaScript or VBScript to download and execute a coinminer for Windows. 

Unit 42 researchers believe Xbash one-upped previously known Linux botnets such as Mirai because it scans both IP addresses and domain names, rather than IP addresses alone.

Because Xbash also scans domain names, IP-focused honeypots are less effective for researchers monitoring it, giving the attackers a way to frustrate analysis.

The main targets the malware seeks through domain and IP address scanning are open TCP and UDP ports, weak credentials, and unpatched vulnerabilities.

If it finds an open port, it uses a dictionary attack in search of weak username and password combinations protecting VNC, Rsync, MySQL, MariaDB, Memcached, PostgreSQL, MongoDB and phpMyAdmin.

A potential looming threat Xbash poses for the enterprise is a feature called "LanScan" that scans corporate intranets for IP addresses in the same subnet. This code was "underutilized", but could, if activated, offer Xbash capabilities similar to last year's WannaCry and NotPetya attacks, which spread rapidly across internal networks following a single infection.


The concern is based on the fact that servers supporting office networks, data centers and private clouds often provide more services internally than publicly, and these services are less likely to rely on strong passwords because they are meant to be internal.

"The chance of finding vulnerable services within an Intranet is much higher than over the public Internet. We believe that is the main motivation of Xbash’s Intranet scanning code. If events like WannaCry and NotPetya are any guide, this intranet functionality could make Xbash even more devastating once it’s enabled," Unit 42 warned.  
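The two weaknesses the article keeps returning to, database services reachable from beyond the host and services that accept connections with no credential or a dictionary-grade one, are both visible in a service's own configuration file. The script below is an added example, not code from the article or from Unit 42: it audits a redis.conf body and a mongod.conf body for exactly those conditions. The sample configuration texts, the short weak-password list and the finding strings are constructed for the example; the directives themselves (Redis `bind`, `protected-mode`, `requirepass`; MongoDB `net.bindIp`, `security.authorization`) are real.

```python
"""Audit Redis and MongoDB configuration files for exposure and missing authentication.

Added example (not from the article or the Unit 42 report). Two checks per service:
is it listening beyond localhost, and does it accept unauthenticated connections.
All sample configs and the weak-password list below are constructed.
"""

# Constructed weak-password list; a real audit would use a much larger dictionary.
WEAK_PASSWORDS = {"password", "123456", "admin", "root", "redis", "changeme"}

# Constructed sample configs: the weak setting beside the corrected one.
REDIS_WEAK = """\
bind 0.0.0.0
protected-mode no
port 6379
"""

REDIS_HARDENED = """\
bind 127.0.0.1 ::1
protected-mode yes
port 6379
requirepass Correct-Horse-Battery-Staple-1
"""

MONGO_WEAK = """\
net:
  port: 27017
  bindIp: 0.0.0.0
"""

MONGO_HARDENED = """\
net:
  port: 27017
  bindIp: 127.0.0.1
security:
  authorization: enabled
"""

ALL_INTERFACES = {"0.0.0.0", "::", "*"}


def audit_redis(conf):
    """Return a list of findings for a redis.conf body; an empty list means nothing found."""
    settings = {}
    for line in conf.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        settings[key.lower()] = value.strip()

    findings = []
    # With no bind directive Redis listens on every interface.
    bind = settings.get("bind")
    if bind is None or any(ip in ALL_INTERFACES for ip in bind.split()):
        findings.append("redis: listens on all interfaces (bind)")
    if settings.get("protected-mode", "yes").lower() == "no":
        findings.append("redis: protected-mode disabled")
    password = settings.get("requirepass", "")
    if not password:
        findings.append("redis: no requirepass, unauthenticated access")
    elif len(password) < 12 or password.lower() in WEAK_PASSWORDS:
        findings.append("redis: requirepass is weak")
    return findings


def _flatten_yaml(text):
    """Minimal flattener for the two-level 'section:\\n  key: value' layout of mongod.conf.

    Deliberately avoids a PyYAML dependency; handles no lists or deeper nesting.
    """
    flat, section = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        indent = len(raw) - len(raw.lstrip())
        key, _, value = raw.strip().partition(":")
        value = value.strip()
        if indent == 0:
            section = key
            if value:
                flat[key] = value
        else:
            flat["%s.%s" % (section, key)] = value
    return flat


def audit_mongo(conf):
    """Return a list of findings for a mongod.conf body; an empty list means nothing found."""
    settings = _flatten_yaml(conf)
    findings = []
    # mongod 3.6 and later default to localhost when bindIp is absent.
    bind = settings.get("net.bindIp", "127.0.0.1")
    if any(ip.strip() in ALL_INTERFACES for ip in bind.split(",")):
        findings.append("mongodb: bindIp exposes the service on all interfaces")
    if settings.get("security.authorization", "disabled").lower() != "enabled":
        findings.append("mongodb: authorization not enabled, unauthenticated access")
    return findings


if __name__ == "__main__":
    for name, conf, audit in (("redis weak", REDIS_WEAK, audit_redis),
                              ("redis hardened", REDIS_HARDENED, audit_redis),
                              ("mongo weak", MONGO_WEAK, audit_mongo),
                              ("mongo hardened", MONGO_HARDENED, audit_mongo)):
        print(name, "->", audit(conf) or "no findings")
```

Run against a real file with `audit_redis(open("/etc/redis/redis.conf").read())`. The password check is intentionally crude: a length floor plus a dictionary lookup catches the kind of credential a scanner's wordlist will guess first, which is the failure mode the article describes for internal-only services.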

The ransom messages on Linux databases attacked by Xbash were similar to the notes left on hijacked MongoDB and other open source databases last year.

Unit 42 believes Xbash is a derivative of a botnet and ransomware developed by a cybercrime group called Iron, also known as Rocke, which Cisco's Talos researchers recently labeled the "champion of Monero miners" and whose website registrations they traced to Jiangxi Province in China.

The researchers have found four variants of Xbash and believe the malware is under active development. For now, though, Xbash is 'one to watch': wallets linked to the ransoms have been observed receiving only 48 incoming transactions, worth about $6,000.
