Renewed XBash Targets Servers Bypassing Cloud Security

Delaware, USA – January 21, 2019 – Cryptocurrency mining malware sustains efforts to be on the edge of the most distributed threats. Researchers from Palo Alto Networks analyzed a new strain of XBash malware that embodies features of ransomware, coinminers, botnets, and worms to affect Linux servers, with the new code being able to bypass cloud security and to gain full control over the hosts.

The XBash malware is attributed to the Iron hacking group whose activity was revealed in the year 2018. The threat actor is known for distributing malware using Git repositories, HttpFileServers, the variety of payloads with shell scripts and JavaScript backdoors. The Iron group is constantly expanding their toolset as well as elaborating social engineering in their activities including fake updates.
The new XBash is developed in Python and compiled to PE executable using PyInstaller to avoid detection by AV solutions. Unlike other Linux botnets, XBash also targets websites scanning domains as well as IP addresses. Once the malware logins into a system, it will download the “a7” shell script to kill other cryptocurrency mining malware, uninstall cloud security products and hide the cryptocurrency mining process from Linux ps command. To uncover botnet activity in your infrastructure and detect servers misuse, you can use your ArcSight with Web Application Security Framework rule pack: