Tuesday, October 8, 2024
HomeBotnetNew Xbash Malware Attack on Linux & Windows with Botnet, Ransomware &...

New Xbash Malware Attack on Linux & Windows with Botnet, Ransomware & Coinminer Capabilities

Published on

Newly discovered Xbash malware with multiple capabilities such as  Botnet, Ransomware & Coinminer to compromise windows and Linux machine which is controlled under the Iron-based threat actor group.

Xbash malware has strong intrusion capabilities especially using ransomware and coin mining along with the self-replicative function to propagate across the infected network to compromise the vulnerable system.

It also targets the Linux-based databases to attack using its ransomware and botnet capabilities but it won’t restore the infected files after victims paid the ransom, which means that it posed as ransomware but actually destruct the infected machine data.

- Advertisement - EHA

During the research, Attackers earned around $6000 from 48 compromised victims and there is no evidence that they have been restored their files after victims paid the ransom amount.

The researchers named this new malware “Xbash”, based on the name of the malicious code’s original main module.

Previously spreading malicious Crypto-miners by Iron cyber criminals mainly targeting the windows machine and very few Linux based Database but current Xbash malware targeting the unprotected services to delete the victim’s MySQL, PostgreSQL and MongoDB databases.

Xbash Malware Attack Functionality

Xbash initial stage of attack starts by scanning the vulnerable Redis services to find out whether the target running on Windows or not.

Once it figures it out that the target is windows then it will send malicious JavaScript or VBScript payload for downloading and executing a coinminer for Windows.

Xbash author using the new unknown technique to scan the vulnerable servers in the enterprise Intranet.

Malware authors developed this Xbash malware using phyton and later it’s being converted into PE executable using PyInstaller because Python can be easier and faster than in C, C++.

The researcher said, “PyInstaller’s code compilation, code compression/conversion, and optional code encryption together work to obfuscate the indicators of malicious behavior. This obfuscation helps the malware to defeat detection by antivirus/antimalware engines or static analysis.”

Also, PyInstaller help to create a binary for cross-platform such as windows, Apple macOS and Linux.

After the successful infection on the victim’s machine, it communicates with its Command and control servers using its bunch of hardcoded domains.

In this case, there are 3  kinds of C2 traffic has been established based on the HTTP protocol communication.

  1. One for fetching a list of IP addresses or domains for scanning
  2. One for fetching a list of weak passwords, in addition to using hard-coded passwords
  3. One for reporting scan results

Scanning And Exploitation

Unlike other botnets like Mirai and Gafgyt, Xbase malware not only scan the IP address but it extending the targets to public websites by targeting domains as well as IP addresses.

During the scanning process, Xbash will also request C2 server via URI “/p” to fetch a list of weak passwords for brute force.

Once Xbash malware successfully finds the specific open ports weak credentials or exploitable, unpatched vulnerability then it will report to the attacker via command and control server.

Xbash exploiting Redis vulnerability

Also when Xbash Malware finds a destination has Hadoop, Redis or ActiveMQ running, it will also attempt to exploit the service for self-propagation and it uses Redis and HTTP service to determine if the vulnerable Redis service is installed on Linux or Microsoft Windows.

According to Palo Alto Networks Research, If Xbash successfully logs in to a service including MySQL, MongoDB, and PostgreSQL, it will delete almost all existing databases in the server (except for some databases that stored user login information), create a new database named “PLEASE_READ_ME_XYZ”, and insert a ransom message into table “WARNING” of the new database.

The researcher also finds that all version of  Xbash contains Python class named “LanScan”. Its functions are to get local intranet information, generate a list of all IP addresses within the same subnet, and to perform port scanning to all these IPs and the chances of finding vulnerable services within an Intranet is much higher than over the public Internet. We believe that is the main motivation of Xbash’s Intranet scanning code. Researchers said.

Related Read

Dangerous Android Malware that Steals Banking Credentials, Call Forwarding, Keylogging, and Ransomware Activities

Android Device With Open ADB Ports Exploited to Spread Satori Variant of Mirai Botnet

60,000 Android Devices are Infected with Malicious Battery Saver App that Steals Various Sensitive Data

Balaji
Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Latest articles

Badge and CyberArk Announce Partnership to Redefine Privacy in PAM and Secrets Management

Partnership aims to help businesses eliminate vulnerable attack surfaces and provide a more streamlined...

LemonDuck Malware Exploiting SMB Vulnerabilities To Attack Windwos Servers

The attackers exploited the EternalBlue vulnerability to gain initial access to the observatory farm,...

Critical Automative 0-Day Flaws Let Attackers Gain Full Control Over Cars

Recent discoveries in the automotive cybersecurity landscape have unveiled a series of critical zero-day...

Likho Hackers Using MeshCentral For Remotely Managing Victim Systems

The Awaken Likho APT group launched a new campaign in June of 2024 with...

Free Webinar

Protect Websites & APIs from Malware Attack

Malware targeting customer-facing websites and API applications poses significant risks, including compliance violations, defacements, and even blacklisting.

Join us for an insightful webinar featuring Vivek Gopalan, VP of Products at Indusface, as he shares effective strategies for safeguarding websites and APIs against malware.

Discussion points

Scan DOM, internal links, and JavaScript libraries for hidden malware.
Detect website defacements in real time.
Protect your brand by monitoring for potential blacklisting.
Prevent malware from infiltrating your server and cloud infrastructure.

More like this

LemonDuck Malware Exploiting SMB Vulnerabilities To Attack Windwos Servers

The attackers exploited the EternalBlue vulnerability to gain initial access to the observatory farm,...

GorillaBot Emerged As King For DDoS Attacks With 300,000+ Commands

The newly emerged Gorilla Botnet has exhibited unprecedented activity, launching over 300,000 DDoS attacks...

DCRAt Attacking Users Via HTML Smuggling To Steal Login Credentials

In a new campaign that is aimed at users who speak Russian, the modular...