Delaware, USA – January 21, 2019 – Cryptocurrency mining malware remains among the most widespread threats. Researchers from Palo Alto Networks analyzed a new strain of XBash malware that combines features of ransomware, coinminers, botnets, and worms to attack Linux servers; the new code can bypass cloud security products and gain full control of the hosts.
The new XBash is developed in Python and compiled to a PE executable using PyInstaller to avoid detection by AV solutions. Unlike other Linux botnets, XBash also targets websites, scanning domain names as well as IP addresses. Once the malware logs into a system, it downloads the “a7” shell script, which kills other cryptocurrency mining malware, uninstalls cloud security products, and hides the cryptocurrency mining process from the Linux ps command. To uncover botnet activity in your infrastructure and detect server misuse, you can use ArcSight with the Web Application Security Framework rule pack: https://my.socprime.com/en/integrations/web-application-security-framework-arcsight
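One host-level check for the process-hiding behaviour described above, added here as an example and not taken from the article or from Palo Alto Networks' analysis: `ps` builds its process list from a directory listing of /proc, so a process hidden by hooking that listing (the usual userland approach) still answers a direct stat() of /proc/<pid>. Diffing the two views exposes it; the function and file names below are this example's own, and a kernel-level rootkit that filters both views would not be caught.

```python
"""Detect processes hidden from `ps` by comparing two views of /proc."""
import os
from typing import Iterable, Set

FALLBACK_PID_MAX = 4194304  # default 64-bit Linux pid_max, used if the sysctl is unreadable


def listed_pids() -> Set[int]:
    """PIDs visible through a directory listing of /proc (the view `ps` uses)."""
    return {int(n) for n in os.listdir("/proc") if n.isdigit()}


def probed_pids(max_pid: int) -> Set[int]:
    """PIDs found by asking the kernel about each /proc/<pid> directly, bypassing readdir()."""
    return {pid for pid in range(1, max_pid + 1) if os.path.isdir(f"/proc/{pid}")}


def find_hidden_pids(listed: Iterable[int], probed: Iterable[int]) -> Set[int]:
    """Return PIDs the kernel knows about that the directory listing omitted."""
    return set(probed) - set(listed)


def describe(pid: int) -> str:
    """Best-effort command line for a PID; kernel threads and exited processes yield ''."""
    try:
        with open(f"/proc/{pid}/cmdline", "rb") as fh:
            return fh.read().replace(b"\0", b" ").decode(errors="replace").strip()
    except OSError:
        return ""


def audit_process_hiding() -> Set[int]:
    """Live check on a Linux host; returns the confirmed hidden PIDs (empty on other platforms)."""
    if not os.path.isdir("/proc"):
        return set()
    try:
        with open("/proc/sys/kernel/pid_max") as fh:
            max_pid = int(fh.read())
    except OSError:
        max_pid = FALLBACK_PID_MAX
    candidates = find_hidden_pids(listed_pids(), probed_pids(max_pid))
    # Short-lived processes can start between the two scans; re-check each candidate
    # against a fresh listing so only entries still present and still unlisted are reported.
    hidden = {pid for pid in candidates
              if os.path.isdir(f"/proc/{pid}") and pid not in listed_pids()}
    for pid in sorted(hidden):
        print(f"hidden from /proc listing: pid={pid} cmd={describe(pid)!r}")
    return hidden


if __name__ == "__main__":
    audit_process_hiding()
```

Run it as root so every /proc/<pid>/cmdline is readable; a non-empty result means something is filtering what `ps` can see and the host deserves a closer look.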