Destructive Xbash Linux Malware Targets Enterprise Intranets

A newly discovered piece of Linux malware that features both ransomware and crypto-currency mining capabilities appears designed to target enterprise intranets, Palo Alto Networks security researchers say.

Dubbed Xbash and believed to be tied to the Iron Group, a threat actor known for previous ransomware attacks, the malware can target both Linux and Windows servers.

It contains a Python class that allows it to find IP addresses on a subnet and scan the ports on these IPs, likely to spread to the local network. In addition to self-propagating capabilities, the malware contains functionality not yet implemented that could allow it to spread fast within an organization’s network.

The servers that provide services internally on an enterprise network are more likely to be configured with weak credentials or to be unprotected compared to those accessible over the public web.

“We believe that is the main motivation of Xbash’s Intranet scanning code. If events like WannaCry and NotPetya are any guide, this intranet functionality could make Xbash even more devastating once it’s enabled,” Palo Alto Networks says.

Xbash, the researchers discovered, spreads by targeting weak passwords and unpatched vulnerabilities.

As part of its ransomware capabilities, it destroys Linux-based databases. It deletes resources such as MySQL, PostgreSQL and MongoDB databases, but contains no functionality that would allow their recovery once a ransom has been paid. The malware can ensnare targeted Linux-based systems in a botnet.

The Microsoft Windows-based systems, on the other hand, are only targeted for crypto-mining and self-propagation (it uses three known vulnerabilities in Hadoop, Redis and ActiveMQ for spreading), the security researchers have discovered.

To date, the malware made at least 48 victims who already paid the ransom, incoming transactions to the used wallets reveal. The cybercriminals behind the threat made about 0.964 Bitcoin ($6,000) to date.

Developed using Python, Xbash was then converted into self-contained Linux ELF executables using PyInstaller, which can create binaries for multiple platforms and also provides anti-detection. The malware fetches from the command and control (C&C) server the list of IP addresses to target.

The security researchers discovered four versions of Xbash so far and concluded that the malware is under active development. The botnet appears to have started operating as early as May 2018.

The malware has multiple domains hard-coded and also fetches a webpage hosted on Pastebin to update the list (some of the domains have been previously associated with the Iron Group). Communication with the C&C is performed using HTTP.

In addition to IP addresses, Xbash targets domains, the security researchers say. This makes the threat a next step in the evolution of botnets, as they normally only target IPs.

The malware scans many TCP or UDP ports for spreading purposes, namely those associated with HTTP, VNC, MySQL, Memcached, MySQL/MariaDB, FTP, Telnet, PostgreSQL, Redis, ElasticSearch, MongoDB, RDP, UPnP/SSDP, NTP, DNS, SNMP, LDAP, Rexec, Rlogin, Rsh, Rsync, Oracle database, and CouchDB.

“Xbash is a novel and complex Linux malware, and the newest work of an active cybercrime group,” Palo Alto Networks concludes.

Related: New Backdoor Based on HackingTeam’s Surveillance Tool

Related: Cross-Platform Mirai Variant Leverages Open-Source Project

view counter

Ionut Arghire is an international correspondent for SecurityWeek.

Previous Columns by Ionut Arghire: