XBash Botnet Malware Behaves Differently in Windows and Linux From CryptoMining to Ransomware

Sep.25.2018

Author :Justin Brunnette

Category: IT News

In much of the news in the cyber security realm, Russia seems to be taking up much of the spotlight. Though with good reason too, as the country successfully hacked the DNC servers during the American presidential campaign and launched cyber attacks on Ukraine through the Petya/NotPetya ransomware, costing up to 0.5% of Ukraine’s GDP in economic damages. But much of the news from Russia is overshadowing some interesting developments from the other cybersecurity superpower, China. The Chinese-speaking hacking organization Iron Group has launched a new destructive ransomware called XBash with interesting capabilities.

Researchers at Palo Alto Networks’ Unit 42 have discovered XBash in the wild and dubbed it XBash based on the code’s original module. This new strain combines a large array of strategies such as botnets, cryptomining, ransomware and self-propagation. Unit 42 was originally investigating a new type of malware infecting Linux-based servers. They found that this Linux strain combined a botnet with ransomware to infect, destroy data and extort money from its victims.

XBash retrieves a number of domain names and IP addresses from its C2 servers and uses them to probe for vulnerable servers inside corporate intranets. This strategy differs from that of other Linux botnets such as Mirai and Gafgyt, which typically only scanned for IP addresses. It also makes the malware harder for researchers to analyze, as honeypots are usually deployed on IP addresses only.

Unit 42 explains that there are three types of URI requested from the C2 server: 1) /domain/phpmyadmin or /domain/all, used to get a list of domains; 2) /port/tcp8080 or /port/udp1900, used to get IP addresses for a given TCP or UDP port; and 3) /cidir, used to get a list of CIDR ranges of IP addresses.

XBash will also send a URI request for “/p” to get a list of weak passwords used for brute-force attacks. Below is sample code of how XBash may brute force a service like Rsync.

After it has successfully found open ports, weak credentials or unpatched vulnerabilities, it reports them back to a C2 server.
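The C2 request paths described above (the domain, port, CIDR and password-list URIs) are something a defender can hunt for in outbound proxy logs. The following is an added example written for this summary, not code from the original article or from Unit 42's report; the log layout, the category labels and the hostnames and IPs in the sample lines are all constructed assumptions.

```python
import re
from typing import Dict, List, Optional
# C2 request paths named in the article: domain lists, per-port IP lists,
# CIDR ranges and the password list. Category labels are ours (assumption).
XBASH_C2_URIS = {
    "domain_list": re.compile(r"^/domain/(phpmyadmin|all)$"),
    "ip_list": re.compile(r"^/port/(tcp|udp)\d{1,5}$"),
    "cidr_list": re.compile(r"^/cidir$"),
    "password_list": re.compile(r"^/p$"),
}
# Assumed proxy log layout (constructed): ts src_ip method host path status
LOG_LINE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<host>\S+) "
                      r"(?P<path>\S+) (?P<status>\d{3})$")

def classify_uri(path: str) -> Optional[str]:
    """Return the XBash C2 request category for a path, or None."""
    for name, pattern in XBASH_C2_URIS.items():
        if pattern.match(path):
            return name
    return None

def hunt_proxy_log(lines: List[str]) -> Dict[str, List[dict]]:
    """Group matching outbound requests by source IP; skip malformed lines."""
    hits: Dict[str, List[dict]] = {}
    for line in lines:
        m = LOG_LINE.match(line.strip())
        if not m:
            continue
        category = classify_uri(m["path"])
        if category is None:
            continue
        hits.setdefault(m["src"], []).append(
            {"ts": m["ts"], "host": m["host"], "path": m["path"], "category": category})
    return hits

def flag_hosts(hits: Dict[str, List[dict]], min_categories: int = 2) -> List[str]:
    """A lone '/p' is weak evidence (the paths are short and generic); a source
    that walks several distinct request types looks like the bot's discovery loop."""
    return sorted(src for src, reqs in hits.items()
                  if len({r["category"] for r in reqs}) >= min_categories)
# Constructed sample lines; hostnames and IPs are placeholders, not real IoCs.
SAMPLE_LOG = [
    "2018-09-25T10:00:01Z 10.0.0.15 GET c2.example.invalid /domain/phpmyadmin 200",
    "2018-09-25T10:00:02Z 10.0.0.15 GET c2.example.invalid /port/tcp8080 200",
    "2018-09-25T10:00:03Z 10.0.0.15 GET c2.example.invalid /cidir 200",
    "2018-09-25T10:00:04Z 10.0.0.15 GET c2.example.invalid /p 200",
    "2018-09-25T10:00:05Z 10.0.0.22 GET intranet.example.invalid /p 404",
    "2018-09-25T10:00:06Z 10.0.0.30 GET www.example.invalid /index.html 200",
]
```

Running `flag_hosts(hunt_proxy_log(SAMPLE_LOG))` returns only 10.0.0.15, the source that requested all four list types; the single `/p` request from 10.0.0.22 is recorded but not flagged at the default threshold.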

XBash targets databases such as MySQL, MongoDB and PostgreSQL and deletes their contents. It replaces them with a new database named “PLEASE_READ_ME_XYZ” containing a message stating that, in order to regain access to the database, the victim must pay in bitcoins. But upon further investigation of the XBash code, there appears to be no evidence of the malware making a backup of the deleted database, meaning that all of the victim’s data will be lost whether they pay the ransom or not.

If XBash finds Hadoop, Redis or ActiveMQ running in the victim’s network, it exploits them for propagation. When it is able to exploit these services, it executes a shell command to download Python scripts from its C2 servers, or creates a new cron job that kills any existing coin mining process so that Iron Group’s own coin miner can run instead.

XBash uses the Redis and HTTP services to determine whether the Redis service is installed on a Linux or Windows server. When XBash is on a Windows server, it creates a Windows startup item. The startup item downloads an HTML or Scriptlet file from the C2 server to execute JS or VB code, which in turn runs PowerShell to launch a malicious PE executable or PE DLL file.

These PE files are coin miners or ransomware, behaving similarly to the Linux server version.

Unit 42 warns that attackers are broadening their attacks by scanning domain names and attacking enterprise intranets. They are also increasing their number of victims by gathering vulnerabilities from anywhere they can, whether the vulnerability is new or old and whether or not a CVE has been assigned.


Original Article: https://researchcenter.paloaltonetworks.com/2018/09/unit42-xbash-combines-botnet-ransomware-coinmining-worm-targets-linux-windows/