Xbash Malware Targets Windows and Linux Servers

Delaware, USA – September 18, 2018 — Iron cybergang developed XBash malware with worm-like spreading mechanism. Malware attacks Windows and Linux servers and uses ransomware or coinminer module depending on the operating system. Researchers from Palo Alto Networks discovered XBash during the investigation of ransomware attacks, and further analysis of malware helped to link it to the Iron group. Despite the fact that the Iron group appeared less than two years ago, there are many cross-platform malware in their arsenal, there are also clues pointing out that these cybercriminals located in China and choose their targets in the Asian region. XBash combines botnet, coinmining and ransomware capabilities. When malware infects a Linux server, it deletes MongoDB, PostgreSQL and MySQL databases and then asks for a reasonable ransom payment for their recovery, then it requests the IP addresses and domain names from the command and control server to start compromise attempts exploiting vulnerabilities in Hadoop, Redis and ActiveMQ. If a vulnerable server is running Microsoft Windows, XBash sends VBScript or JavaScript to it that installs the cryptocurrency miner component.

The researchers discovered 4 versions of the malware, the first of which is active since May 2018. XBash is still under development since it has not yet activated the ability to spread across the organization’s network after the initial infection of the server. To detect cyber attacks on your critical web resources, you can leverage SIEM and Web Application Security Framework rule pack from Threat Detection Marketplace: https://my.socprime.com/en/integrations/web-application-security-framework-arcsight