The New XBash Malware with Ransomware, Cryptocurrency, Botnets Features

Security researchers at Palo Alto Networks have discovered a new malware strain, dubbed XBash, that targets both Linux and Microsoft Windows servers.

The malware is developed in Python; the Xbash authors convert it into a Linux ELF executable by packaging it with the legitimate tool PyInstaller for distribution.

The malware combines code from several malware families: ransomware, cryptocurrency miners, worms, and botnets.

The analysis published by Palo Alto Networks reads: “Xbash has ransomware and coin-mining capabilities. It also has self-propagating capabilities (meaning it has worm-like characteristics similar to WannaCry or Petya/NotPetya).”

“It also has capabilities not currently implemented that, when implemented, could enable it to spread very quickly within an organization’s network (again, much like WannaCry or Petya/NotPetya).”

The crime gang known as ‘Iron Group’ is believed to be behind this malicious code. The group has been active since 2016 and has released several strains of malware, including cryptocurrency miners, backdoors, and ransomware, targeting both desktop and mobile systems.

Intezer published a report which says: “In April 2018, while monitoring public data feeds, we noticed an interesting and previously unknown backdoor using HackingTeam’s leaked RCS source code.”

“We discovered that this backdoor was developed by the Iron cybercrime group, the same group behind the Iron ransomware (rip-off Maktub ransomware recently discovered by Bart Parys), which we believe has been active for the past 18 months.”

Thousands of victims have been infected by malware used by the crime gang.

According to the Palo Alto Networks findings, the new XBash strain combines botnet, ransomware, and coin-mining functionality: Linux systems show signs of botnet and ransomware infections, while Windows servers are hit with coin-miner infections.

Xbash was built with scanning capabilities that it uses to search for vulnerable servers online. It looks for unpatched web applications that are vulnerable to known exploits or to brute-force attacks.

“When Xbash finds a network that has Redis, Hadoop or ActiveMQ running, it will try to exploit the service for self-propagation. Besides this, it uses these three known vulnerabilities:

Hadoop YARN ResourceManager unauthenticated command execution, which has no CVE number assigned and was first disclosed in October 2016.
Redis arbitrary file writes and remote command execution, which again has no CVE number assigned and was first disclosed in October 2015.
ActiveMQ arbitrary file writes vulnerability, CVE-2016-3088.”

The malware can infect Windows systems only after the compromise of a vulnerable Redis server.

The scanner component also sweeps the Internet for servers running services that have been left exposed without a password or with weak credentials. It first targets HTTP servers, and in total covers HTTP, VNC, MariaDB, MySQL, PostgreSQL, Redis, MongoDB, Oracle DB, CouchDB, ElasticSearch, Memcached, FTP, Telnet, RDP, UPnP/SSDP, NTP, DNS, SNMP, LDAP, Rexec, Rlogin, Rsh, and Rsync.
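Since an exposed, password-less Redis instance is the pivot that lets Xbash reach Windows hosts as well, the most useful defensive check is a configuration audit. The following is an added example (not code from the article or from Palo Alto Networks) that parses a redis.conf and reports the settings that make an instance reachable and unauthenticated; the two sample configurations are constructed for the example, and the "weak" one shows the exposure pattern the scanner hunts for beside its hardened form.

```python
"""Audit a redis.conf for the network-exposed, unauthenticated pattern that
Xbash's scanner looks for.  Added example; both sample configs are constructed."""

# Constructed sample: reachable from every interface, no password, CONFIG enabled.
WEAK_CONF = """\
bind 0.0.0.0
port 6379
protected-mode no
# requirepass foobared
"""

# Constructed sample: the same instance hardened.
HARDENED_CONF = """\
bind 127.0.0.1
port 6379
protected-mode yes
requirepass a-long-random-secret-here
rename-command CONFIG ""
"""


def parse_redis_conf(text):
    """Return {directive: [values...]} from redis.conf text, skipping comments."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        value = parts[1] if len(parts) > 1 else ""
        conf.setdefault(key, []).append(value)
    return conf


def audit_redis_conf(text):
    """Return a list of findings; an empty list means no weak setting was found."""
    conf = parse_redis_conf(text)
    findings = []

    # No bind directive, or a wildcard bind, means the port is reachable remotely.
    binds = [addr for value in conf.get("bind", []) for addr in value.split()]
    if not binds or any(a in ("0.0.0.0", "*", "::", "::0") for a in binds):
        findings.append("listens on all interfaces (no restrictive bind)")

    # protected-mode (Redis >= 3.2) refuses remote clients when no password is set.
    if conf.get("protected-mode", ["yes"])[-1].lower() == "no":
        findings.append("protected-mode disabled")

    # requirepass is the only authentication in classic Redis; a missing or
    # short value is what an Internet-wide credential scanner relies on.
    password = conf.get("requirepass", [""])[-1].strip('"')
    if not password:
        findings.append("no requirepass: unauthenticated access")
    elif len(password) < 16:
        findings.append("requirepass is short and brute-forceable")

    # The arbitrary-file-write technique needs CONFIG SET dir/dbfilename, so an
    # un-renamed CONFIG command keeps that avenue open even behind a password.
    renamed = {v.split()[0].upper() for v in conf.get("rename-command", []) if v.split()}
    if "CONFIG" not in renamed:
        findings.append("CONFIG command not renamed/disabled (allows dir/dbfilename file write)")

    return findings


if __name__ == "__main__":
    for label, text in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(label, audit_redis_conf(text) or "no findings")
```

Run it against a real redis.conf by reading the file into `audit_redis_conf`; every finding maps to one directive to change, and the hardened sample shows the target state.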

The attackers tailor the payload to the victim: coin mining on Windows systems, and a ransomware attack on Linux servers running database services.

The ransomware component checks for and erases MySQL, MongoDB, and PostgreSQL databases, then demands a ransom of 0.02 Bitcoin (about $125) to recover them.

However, the victim will never get the data back, because the malware has already deleted it rather than encrypted it.
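Because the data is destroyed rather than encrypted, the only recovery is a backup, so the detection that matters is catching a burst of database deletions as it happens. The following is an added example (not part of the article or the Palo Alto Networks analysis) that reads MySQL general-log lines and flags any connection thread that drops several databases within a short window; the log lines are constructed in the `Time Id Command Argument` layout of the MySQL general query log.

```python
"""Flag mass DROP DATABASE activity in a MySQL general log.
Added example; the sample log lines below are constructed."""
import re
from datetime import datetime, timedelta

# Constructed sample: thread 42 enumerates and wipes three databases in a
# second, while thread 7 performs a single legitimate drop.
SAMPLE_LOG = [
    "2018-09-17T10:02:11.000000Z\t   42 Query\tSHOW DATABASES",
    "2018-09-17T10:02:11.100000Z\t   42 Query\tDROP DATABASE `shop`",
    "2018-09-17T10:02:11.200000Z\t   42 Query\tDROP DATABASE crm",
    "2018-09-17T10:02:11.300000Z\t   42 Query\tDROP SCHEMA IF EXISTS billing",
    "2018-09-17T10:05:40.000000Z\t    7 Query\tDROP DATABASE staging_old",
    "2018-09-17T10:05:41.000000Z\t    7 Quit\t",
]

LINE_RE = re.compile(r"^(\S+)\s+(\d+)\s+(\w+)\s*(.*)$")
DROP_RE = re.compile(r"^\s*DROP\s+(?:DATABASE|SCHEMA)\s+(?:IF\s+EXISTS\s+)?`?([\w$]+)`?", re.I)


def parse_general_log(lines):
    """Yield (timestamp, thread_id, command, argument) for each well-formed line."""
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%S.%fZ")
        yield ts, int(m.group(2)), m.group(3), m.group(4)


def find_mass_drops(lines, threshold=3, window=timedelta(seconds=60)):
    """Return {thread_id: [dropped db names]} for every thread that drops
    at least `threshold` databases inside any `window`-long interval."""
    drops = {}
    for ts, tid, cmd, arg in parse_general_log(lines):
        if cmd != "Query":
            continue
        m = DROP_RE.match(arg)
        if m:
            drops.setdefault(tid, []).append((ts, m.group(1)))

    alerts = {}
    for tid, items in drops.items():
        items.sort()
        # Slide a window over the sorted drops and report the first burst.
        for i in range(len(items)):
            j = i
            while j + 1 < len(items) and items[j + 1][0] - items[i][0] <= window:
                j += 1
            if j - i + 1 >= threshold:
                alerts[tid] = [name for _, name in items[i:j + 1]]
                break
    return alerts


if __name__ == "__main__":
    print(find_mass_drops(SAMPLE_LOG))
```

The general log must be enabled for this to see anything (`general_log=ON` with `log_output=FILE`), which is costly on busy servers; the same logic applies to audit-plugin output or to binlog `DROP` events, whichever the deployment already records.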

The analysis further reports: “We have observed three different bitcoin wallet addresses hard-coded in the Xbash samples. Since May 2018, there are 48 incoming transactions to these wallets with a total income of about 0.964 bitcoins. The funds are being withdrawn, showing us that the attackers are actively collecting their ransom.”

Experts also noticed that every version of Xbash contains a Python class named “LanScan”, intended for targeting enterprise networks. The class can collect local intranet information, generate a list of all IP addresses in the same subnet, and port-scan every one of those addresses.

Since this code is not yet activated in the malware, the crooks appear to still be developing it.
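The behaviour LanScan is built for, one host touching every address in its own subnet on the same few ports in quick succession, is easy to spot in connection logs once it is turned on. The following is an added example (not part of the article or of any vendor analysis) that detects such an intranet sweep from constructed connection records in a simple `timestamp src dst dport outcome` layout; the threshold and window are assumptions to tune per network.

```python
"""Detect one host sweeping its own /24 from connection records.
Added example; the sample records are constructed."""
import ipaddress
from datetime import datetime, timedelta

# Constructed sample: 10.0.5.23 probes twelve neighbours on 6379 and 3306
# within twelve seconds; 10.0.5.40 makes a few ordinary HTTPS connections.
SAMPLE_CONN = (
    [f"2018-09-17T10:00:{i:02d}Z 10.0.5.23 10.0.5.{i} 6379 rejected" for i in range(1, 13)]
    + [f"2018-09-17T10:00:{i:02d}Z 10.0.5.23 10.0.5.{i} 3306 rejected" for i in range(1, 13)]
    + ["2018-09-17T10:00:05Z 10.0.5.40 10.0.5.50 443 accepted"] * 3
)


def parse_conn(lines):
    """Yield (timestamp, src, dst, dport, outcome) from the constructed layout."""
    for line in lines:
        ts, src, dst, dport, outcome = line.split()
        yield datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), src, dst, int(dport), outcome


def find_subnet_sweeps(lines, min_hosts=10, window=timedelta(seconds=120)):
    """Return {src: {"network", "hosts", "ports"}} for each source that contacts
    at least `min_hosts` distinct addresses in one /24 within `window`."""
    by_pair = {}
    for ts, src, dst, dport, _ in parse_conn(lines):
        net = str(ipaddress.ip_network(f"{dst}/24", strict=False))
        by_pair.setdefault((src, net), []).append((ts, dst, dport))

    alerts = {}
    for (src, net), items in by_pair.items():
        items.sort()
        for i in range(len(items)):
            j = i
            while j + 1 < len(items) and items[j + 1][0] - items[i][0] <= window:
                j += 1
            hosts = {dst for _, dst, _ in items[i:j + 1]}
            if len(hosts) >= min_hosts:
                alerts[src] = {
                    "network": net,
                    "hosts": len(hosts),
                    "ports": sorted({p for _, _, p in items[i:j + 1]}),
                }
                break
    return alerts


if __name__ == "__main__":
    print(find_subnet_sweeps(SAMPLE_CONN))
```

Pair this with the port list from the scanner passage above: a sweep whose ports are dominated by database services (3306, 5432, 6379, 27017) on an internal network is far more suspicious than a monitoring host checking port 22.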

Experts believe XBash is here to stay, and that Linux servers will get their share of the damage.

Further details can be found in the analysis published by Palo Alto Networks.

Kevin Jones

Kevin Jones, Ph.D., is a research associate and a Cyber Security Author with experience in Penetration Testing, Vulnerability Assessments, Monitoring solutions, Surveillance and Offensive technologies etc. Currently, he is a freelance writer on latest security news and other happenings. He has authored numerous articles and exploits which can be found on popular sites like and others.
