Pastebox for pc
12/24/2023

Unit 42 researchers have found a new malware family that is targeting Linux and Microsoft Windows servers that we have named XBash. We can tie this malware to the Iron Group, a threat actor group known for ransomware attacks in the past. Xbash has ransomware and coinmining capabilities. It also has self-propagating capabilities (meaning it has worm-like characteristics similar to WannaCry or Petya/NotPetya). It also has capabilities not currently implemented that, when implemented, could enable it to spread very quickly within an organization's network (again, much like WannaCry or Petya/NotPetya).

Xbash spreads by attacking weak passwords and unpatched vulnerabilities. Xbash is data-destructive, destroying Linux-based databases as part of its ransomware capabilities. We can also find NO functionality within Xbash that would enable restoration after the ransom is paid. This means that, like NotPetya, Xbash is data-destructive malware posing as ransomware.

Organizations can protect themselves against Xbash by:
- Implementing endpoint security on Microsoft Windows AND Linux systems.
- Preventing access to unknown hosts on the internet (to prevent access to command and control servers).
- Implementing and maintaining rigorous and effective backup and restoration processes and procedures.

Palo Alto Networks customers are protected against this threat as outlined at the end of this blog.

Below are some more specifics on Xbash's capabilities:
- It combines botnet, coinmining, ransomware and self-propagation.
- It targets Linux-based systems for its ransomware and botnet capabilities.
- It targets Microsoft Windows-based systems for its coinmining and self-propagating capabilities.
- The ransomware component targets and deletes Linux-based databases.

To date, we have observed 48 incoming transactions to these wallets with total income of about 0.964 bitcoins, meaning 48 victims have paid about US$6,000 total (at the time of this writing). However, we see no evidence that the paid ransoms have resulted in recovery for the victims. In fact, we can find no evidence of any functionality that makes recovery possible through ransom payment.

Recently Unit 42 used WildFire to identify a new malware family targeting Linux servers. Our analysis shows this is likely the work of the Iron group, a group publicly linked to other ransomware campaigns including those that use the Remote Control System (RCS), whose source code was believed to be stolen from the HackingTeam in 2015. After further investigation we realized it is a combination of botnet and ransomware developed this year by the active cybercrime group Iron (aka Rocke). We have named this new malware "Xbash", based on the name of the malicious code's original main module.

Previously the Iron group developed and spread cryptocurrency miners or cryptocurrency transaction hijacking trojans, mainly for Microsoft Windows and only a few for Linux. Instead, Xbash aims at discovering unprotected services, deleting the victim's MySQL, PostgreSQL and MongoDB databases, and demanding a ransom in Bitcoins. Xbash uses three known vulnerabilities in Hadoop, Redis and ActiveMQ for self-propagation or for infecting Windows systems.

Other new technical characteristics in Xbash that are worth noting:

Developed in Python: Xbash was developed using Python and then converted into self-contained Linux ELF executables by abusing the legitimate tool PyInstaller for distribution.

Targets IP addresses and domain names: Modern Linux malware such as Mirai or Gafgyt usually generates random IP addresses as scanning destinations. By contrast, Xbash fetches from its C2 servers both IP addresses and domain names for service probing and exploiting.

Targets Windows and Linux: When exploiting a vulnerable Redis service, Xbash will also figure out whether the service is running on Windows or not. If so, it will send a malicious JavaScript or VBScript payload for downloading and executing a coinminer for Windows.

Intranet scanning functionality: The Xbash authors have developed the new capability of scanning for vulnerable servers within the enterprise intranet. We see this functionality in the samples but, interestingly, it has not been enabled that we can see.

We have discovered four different versions of Xbash so far. Code and timestamp differences among these versions show that it is still under active development.