Xbash malware has strong intrusion capabilities especially using ransomware and coin mining along with the self-replicative function to propagate across the infected network to compromise the vulnerable system.
It also targets the Linux-based databases to attack using its ransomware and botnet capabilities but it won’t restore the infected files after victims paid the ransom, which means that it posed as ransomware but actually destruct the infected machine data.
During the research, Attackers earned around $6000 from 48 compromised victims and there is no evidence that they have been restored their files after victims paid the ransom amount.
The researchers named this new malware “Xbash”, based on the name of the malicious code’s original main module.
Previously spreading malicious Crypto-miners by Iron cyber criminals mainly targeting the windows machine and very few Linux based Database but current Xbash malware targeting the unprotected services to delete the victim’s MySQL, PostgreSQL and MongoDB databases.
Xbash Malware Attack Functionality
Xbash initial stage of attack starts by scanning the vulnerable Redis services to find out whether the target running on Windows or not.
Xbash author using the new unknown technique to scan the vulnerable servers in the enterprise Intranet.
Malware authors developed this Xbash malware using phyton and later it’s being converted into PE executable using PyInstaller because Python can be easier and faster than in C, C++.
The researcher said, “PyInstaller’s code compilation, code compression/conversion, and optional code encryption together work to obfuscate the indicators of malicious behavior. This obfuscation helps the malware to defeat detection by antivirus/antimalware engines or static analysis.”
Also, PyInstaller help to create a binary for cross-platform such as windows, Apple macOS and Linux.
After the successful infection on the victim’s machine, it communicates with its Command and control servers using its bunch of hardcoded domains.
In this case, there are 3 kinds of C2 traffic has been established based on the HTTP protocol communication.
- One for fetching a list of IP addresses or domains for scanning
- One for fetching a list of weak passwords, in addition to using hard-coded passwords
- One for reporting scan results
Scanning And Exploitation
Unlike other botnets like Mirai and Gafgyt, Xbase malware not only scan the IP address but it extending the targets to public websites by targeting domains as well as IP addresses.
During the scanning process, Xbash will also request C2 server via URI “/p” to fetch a list of weak passwords for brute force.
Once Xbash malware successfully finds the specific open ports weak credentials or exploitable, unpatched vulnerability then it will report to the attacker via command and control server.
Also when Xbash Malware finds a destination has Hadoop, Redis or ActiveMQ running, it will also attempt to exploit the service for self-propagation and it uses Redis and HTTP service to determine if the vulnerable Redis service is installed on Linux or Microsoft Windows.
According to Palo Alto Networks Research, If Xbash successfully logs in to a service including MySQL, MongoDB, and PostgreSQL, it will delete almost all existing databases in the server (except for some databases that stored user login information), create a new database named “PLEASE_READ_ME_XYZ”, and insert a ransom message into table “WARNING” of the new database.
The researcher also finds that all version of Xbash contains Python class named “LanScan”. Its functions are to get local intranet information, generate a list of all IP addresses within the same subnet, and to perform port scanning to all these IPs and the chances of finding vulnerable services within an Intranet is much higher than over the public Internet. We believe that is the main motivation of Xbash’s Intranet scanning code. Researchers said.