Tuesday, July 16, 2024

New Xbash Malware Attack on Linux & Windows with Botnet, Ransomware & Coinminer Capabilities

Newly discovered Xbash malware with multiple capabilities such as  Botnet, Ransomware & Coinminer to compromise windows and Linux machine which is controlled under the Iron-based threat actor group.

Xbash malware has strong intrusion capabilities especially using ransomware and coin mining along with the self-replicative function to propagate across the infected network to compromise the vulnerable system.

It also targets the Linux-based databases to attack using its ransomware and botnet capabilities but it won’t restore the infected files after victims paid the ransom, which means that it posed as ransomware but actually destruct the infected machine data.

During the research, Attackers earned around $6000 from 48 compromised victims and there is no evidence that they have been restored their files after victims paid the ransom amount.

The researchers named this new malware “Xbash”, based on the name of the malicious code’s original main module.

Previously spreading malicious Crypto-miners by Iron cyber criminals mainly targeting the windows machine and very few Linux based Database but current Xbash malware targeting the unprotected services to delete the victim’s MySQL, PostgreSQL and MongoDB databases.

Xbash Malware Attack Functionality

Xbash initial stage of attack starts by scanning the vulnerable Redis services to find out whether the target running on Windows or not.

Once it figures it out that the target is windows then it will send malicious JavaScript or VBScript payload for downloading and executing a coinminer for Windows.

Xbash author using the new unknown technique to scan the vulnerable servers in the enterprise Intranet.

Malware authors developed this Xbash malware using phyton and later it’s being converted into PE executable using PyInstaller because Python can be easier and faster than in C, C++.

The researcher said, “PyInstaller’s code compilation, code compression/conversion, and optional code encryption together work to obfuscate the indicators of malicious behavior. This obfuscation helps the malware to defeat detection by antivirus/antimalware engines or static analysis.”

Also, PyInstaller help to create a binary for cross-platform such as windows, Apple macOS and Linux.

After the successful infection on the victim’s machine, it communicates with its Command and control servers using its bunch of hardcoded domains.

In this case, there are 3  kinds of C2 traffic has been established based on the HTTP protocol communication.

  1. One for fetching a list of IP addresses or domains for scanning
  2. One for fetching a list of weak passwords, in addition to using hard-coded passwords
  3. One for reporting scan results

Scanning And Exploitation

Unlike other botnets like Mirai and Gafgyt, Xbase malware not only scan the IP address but it extending the targets to public websites by targeting domains as well as IP addresses.

During the scanning process, Xbash will also request C2 server via URI “/p” to fetch a list of weak passwords for brute force.

Once Xbash malware successfully finds the specific open ports weak credentials or exploitable, unpatched vulnerability then it will report to the attacker via command and control server.

Xbash exploiting Redis vulnerability

Also when Xbash Malware finds a destination has Hadoop, Redis or ActiveMQ running, it will also attempt to exploit the service for self-propagation and it uses Redis and HTTP service to determine if the vulnerable Redis service is installed on Linux or Microsoft Windows.

According to Palo Alto Networks Research, If Xbash successfully logs in to a service including MySQL, MongoDB, and PostgreSQL, it will delete almost all existing databases in the server (except for some databases that stored user login information), create a new database named “PLEASE_READ_ME_XYZ”, and insert a ransom message into table “WARNING” of the new database.

The researcher also finds that all version of  Xbash contains Python class named “LanScan”. Its functions are to get local intranet information, generate a list of all IP addresses within the same subnet, and to perform port scanning to all these IPs and the chances of finding vulnerable services within an Intranet is much higher than over the public Internet. We believe that is the main motivation of Xbash’s Intranet scanning code. Researchers said.

Related Read

Dangerous Android Malware that Steals Banking Credentials, Call Forwarding, Keylogging, and Ransomware Activities

Android Device With Open ADB Ports Exploited to Spread Satori Variant of Mirai Botnet

60,000 Android Devices are Infected with Malicious Battery Saver App that Steals Various Sensitive Data


Latest articles

New Poco RAT Weaponizing 7zip Files Using Google Drive

The hackers weaponize 7zip files to pass through security measures and deliver malware effectively.These...

New ShadowRoot Ransomware Attacking Business Via Weaponized PDF’s

X-Labs identified basic ransomware targeting Turkish businesses, delivered via PDF attachments in suspicious emails...

Hacktivist Groups Preparing for DDoS Attacks Targeting Paris Olympics

Cyble Research & Intelligence Labs (CRIL) researchers have identified a cyber threat targeting the...

Critical Cellopoint Secure Email Gateway Flaw Let Attackers Execute Arbitrary Code

A critical vulnerability has been discovered in the Cellopoint Secure Email Gateway, identified as...

Singapore Banks to Phase out OTPs for Bank Account Logins Within 3 Months

The Monetary Authority of Singapore (MAS) and The Association of Banks in Singapore (ABS)...

GuardZoo Android Malware Attacking military personnel via WhatsApp To Steal Sensitive Data

A Houthi-aligned group has been deploying Android surveillanceware called GuardZoo since October 2019 to...

ViperSoftX Weaponizing AutoIt & CLR For Stealthy PowerShell Execution

ViperSoftX is an advanced malware that has become more complicated since its recognition in...
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Free Webinar

Low Rate DDoS Attack

9 of 10 sites on the AppTrana network have faced a DDoS attack in the last 30 days.
Some DDoS attacks could readily be blocked by rate-limiting, IP reputation checks and other basic mitigation methods.
More than 50% of the DDoS attacks are employing botnets to send slow DDoS attacks where millions of IPs are being employed to send one or two requests per minute..
Key takeaways include:

  • The mechanics of a low-DDoS attack
  • Fundamentals of behavioural AI and rate-limiting
  • Surgical mitigation actions to minimize false positives
  • Role of managed services in DDoS monitoring

Related Articles