Windows and Linux users beware: an all-in-one, destructive malware strain has been discovered in the wild that features multiple malware capabilities, including ransomware, a cryptocurrency miner, a botnet, and a self-propagating worm, targeting both Linux and Windows systems.
Dubbed XBash, the new malware is believed to be tied to the Iron Group, a.k.a. Rocke, the Chinese-speaking APT threat actor group known for previous cyber attacks involving ransomware and cryptocurrency miners.
According to the researchers from security vendor Palo Alto Networks, who … WannaCry or Petya/NotPetya.
In addition to its self-propagating capabilities, XBash also contains functionality, not yet implemented, that could allow the malware to spread quickly inside an organization's network.
Developed in Python, XBash hunts for vulnerable or unprotected web services and deletes databases such as MySQL, PostgreSQL, and MongoDB running on Linux servers, as part of its ransomware capabilities.
Important: Paying Ransom Will Get You Nothing!
Xbash has been designed to scan for services on a target IP, on both TCP and UDP ports, such as HTTP, VNC, MySQL/MariaDB, Telnet, FTP, MongoDB, RDP, ElasticSearch, Oracle Database, CouchDB, Rlogin and PostgreSQL.
Once it finds an open port, the malware uses a dictionary of weak usernames and passwords to brute-force its way into the vulnerable service and, once in, deletes all the databases and then displays the ransom note.
What's worrisome is that the malware itself does not contain any functionality that would allow recovery of the deleted databases once a ransom has been paid by the victims.
To date, XBash has infected at least 48 victims who have already paid the ransom, earning about $6,000 so far for the cybercriminals behind the threat. However, researchers see no evidence that those payments have resulted in the recovery of data for the victims.
The malware also has the capability to add targeted Linux-based systems to a botnet.
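As an added illustration, not code from the article or from Palo Alto Networks, the Python routine below flags the scan-and-dictionary-attack pattern described above from a defender's side: one source failing logins against several of the listed services within a short window, and then succeeding. It assumes authentication events have already been normalised into a constructed `<time> <service> <ip> <FAIL|OK> <user>` line format; the addresses are documentation-range placeholders.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Services the article says XBash probes, named as they appear in our event format.
WATCHED = {"http", "vnc", "mysql", "telnet", "ftp", "mongodb", "rdp",
           "elasticsearch", "oracle", "couchdb", "rlogin", "postgresql"}

# Constructed sample of normalised auth events, not real victim data:
# "<UTC time> <service> <source ip> <FAIL|OK> <user>". The addresses are
# documentation-range placeholders (RFC 5737), not real hosts.
SAMPLE_EVENTS = """\
2018-09-17T10:00:01 mysql 203.0.113.7 FAIL root
2018-09-17T10:00:02 mysql 203.0.113.7 FAIL admin
2018-09-17T10:00:04 postgresql 203.0.113.7 FAIL postgres
2018-09-17T10:00:05 ftp 203.0.113.7 FAIL anonymous
2018-09-17T10:00:06 mongodb 203.0.113.7 FAIL admin
2018-09-17T10:00:08 mongodb 203.0.113.7 OK admin
2018-09-17T10:00:30 mysql 198.51.100.2 FAIL app
2018-09-17T10:05:00 mysql 198.51.100.2 OK app
"""

def parse(text):
    """Turn the normalised text into (timestamp, service, ip, outcome, user) tuples."""
    events = []
    for line in text.splitlines():
        ts, svc, ip, outcome, user = line.split()
        events.append((datetime.fromisoformat(ts), svc, ip, outcome, user))
    return events

def detect(events, window=timedelta(seconds=60), min_services=3):
    """Alert once per source that fails logins against at least min_services distinct
    watched services inside `window`, and again whenever that source later logs in."""
    alerts = []
    recent_fails = defaultdict(list)  # ip -> [(timestamp, service)]
    flagged = set()
    for ts, svc, ip, outcome, user in sorted(events):
        if svc not in WATCHED:
            continue
        if outcome == "FAIL":
            # keep only failures inside the sliding window, then add this one
            recent_fails[ip] = [(t, s) for t, s in recent_fails[ip]
                                if ts - t <= window] + [(ts, svc)]
            services = {s for _, s in recent_fails[ip]}
            if len(services) >= min_services and ip not in flagged:
                flagged.add(ip)
                alerts.append(("multi_service_bruteforce", ip, sorted(services)))
        elif ip in flagged:  # a login succeeded after the spray: likely compromise
            alerts.append(("success_after_bruteforce", ip, svc, user))
    return alerts
```

Running `detect(parse(SAMPLE_EVENTS))` on the constructed sample yields two alerts for 203.0.113.7 and none for 198.51.100.2, whose single failure followed by a success five minutes later does not match the pattern.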
XBash Malware Exploits Flaws in Hadoop, Redis, and ActiveMQ
On the other hand, XBash targets Microsoft Windows machines only for cryptocurrency mining and self-propagation. For self-propagation, it exploits three known vulnerabilities in Hadoop, Redis, and ActiveMQ:
- Hadoop YARN ResourceManager unauthenticated command execution bug, disclosed in October 2016, which has no CVE number assigned.
- Redis arbitrary file write and remote command execution vulnerability, disclosed in October 2015, with no CVE number assigned.
- ActiveMQ arbitrary file write vulnerability (CVE-2016-3088), disclosed in early 2016.
If the entry point is a vulnerable Redis service, Xbash will send a malicious JavaScript or VBScript payload that downloads and executes a coinminer for Windows, instead of its botnet and ransomware module.
As mentioned above, Xbash is developed in Python and was then converted to a Portable Executable (PE) using PyInstaller, which can create binaries for multiple platforms, including Windows, Apple macOS, and Linux, and also provides a degree of anti-detection.
This, in turn, enables XBash to be truly cross-platform malware, though at the time of writing researchers had found samples only for Linux and had not seen any Windows or macOS versions of Xbash.
Users can protect themselves against XBash by following basic cybersecurity practices, including:
- change default login credentials on your systems,
- use strong and unique passwords,
- keep your operating system and software up-to-date,
- avoid downloading and running untrusted files or clicking links,
- take backups of your data regularly, and
- prevent unauthorized connections using a firewall.