New Xbash worm combines botnet, ransomware and cryptocurrency-mining functions

Palo Alto Networks’ Unit 42 research team has discovered a new malware family that combines cryptocurrency mining, botnet and ransomware capabilities in a single self-propagating worm targeting Linux and Windows servers. As detailed by Unit 42, the family, named Xbash, is linked to the Iron Group, a threat actor previously known for ransomware attacks that now appears to be moving to more sophisticated ones.

Xbash spreads between servers by exploiting known vulnerabilities and by brute-forcing weak passwords. Unlike typical ransomware, it destroys data outright: its botnet and ransomware components scan for Linux servers running unprotected or unpatched services, delete any MySQL, PostgreSQL and MongoDB databases they can reach, and demand a Bitcoin ransom for their return. There is no evidence that Xbash backs up or otherwise preserves the data before deleting it, so paying the ransom cannot recover it.

Xbash’s cryptocurrency-mining and self-propagation modules, by contrast, target Windows servers by exploiting known vulnerabilities in unpatched Hadoop, Redis and ActiveMQ services. Like Petya/NotPetya and WannaCry, Xbash can spread on its own, and it also carries a further set of propagation features that has not yet been enabled but would let it move quickly across corporate or home networks once switched on.
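What Xbash hunts for on both platforms is the same exposure: a datastore that is reachable from the network and accepts clients without authentication. The following audit is an added example, not code from the Unit 42 report or from Xbash itself. It checks constructed Redis, MongoDB, PostgreSQL and MySQL configuration fragments for that pattern and shows each weak setting beside its hardened counterpart; the sample fragments and the Finding layout are the example’s own, while the setting names are the real ones from each product’s configuration file. Hadoop and ActiveMQ, whose exposure comes from different defaults, are left out here.

```python
"""Audit datastore configs for the exposure Xbash relied on: a service that is
reachable from the network and accepts clients without authentication."""
from __future__ import annotations
import configparser
import re
from dataclasses import dataclass

ALL_INTERFACES = {"0.0.0.0", "::", "*"}
LOOPBACK = {"127.0.0.1/32", "::1/128", "127.0.0.1", "::1", "localhost"}


@dataclass(frozen=True)
class Finding:
    service: str
    setting: str
    value: str
    problem: str


def audit_redis(conf: str) -> list[Finding]:
    """redis.conf: bound to every interface with no password required."""
    settings = {}
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if line:
            key, _, value = line.partition(" ")
            settings[key.lower()] = value.strip()
    findings = []
    # Redis listens on all interfaces when 'bind' is absent; from Redis 3.2 on,
    # protected-mode is what then turns away remote clients when no password is set.
    binds = settings.get("bind", "0.0.0.0").split()
    if not ALL_INTERFACES.isdisjoint(binds):
        findings.append(Finding("redis", "bind", " ".join(binds), "listens on all interfaces"))
        if settings.get("protected-mode", "yes") == "no":
            findings.append(Finding("redis", "protected-mode", "no", "protected mode disabled"))
        if "requirepass" not in settings:
            findings.append(Finding("redis", "requirepass", "<unset>", "no authentication required"))
    return findings


def audit_mongod(conf: str) -> list[Finding]:
    """mongod.conf (YAML): bound to all interfaces with authorization disabled."""
    def value_of(key):
        m = re.search(rf"^\s*{key}:\s*(\S+)", conf, re.MULTILINE)
        return m.group(1).strip("\"'") if m else None

    findings = []
    bind_ip = value_of("bindIp") or "127.0.0.1"  # MongoDB 3.6+ default is localhost only
    if value_of("bindIpAll") == "true" or not ALL_INTERFACES.isdisjoint(bind_ip.split(",")):
        findings.append(Finding("mongod", "net.bindIp", bind_ip, "listens on all interfaces"))
        authz = value_of("authorization") or "<unset>"  # MongoDB default: disabled
        if authz != "enabled":
            findings.append(Finding("mongod", "security.authorization", authz, "no authentication required"))
    return findings


def audit_pg_hba(conf: str) -> list[Finding]:
    """pg_hba.conf: 'trust' (no password at all) granted to remote client addresses."""
    findings = []
    for raw in conf.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 5 or fields[0] not in ("host", "hostssl", "hostnossl"):
            continue
        # An optional netmask column may follow the address; method names never contain '.' or ':'.
        method = fields[5] if len(fields) > 5 and re.search(r"[.:]", fields[4]) else fields[4]
        if method == "trust" and fields[3] not in LOOPBACK:
            findings.append(Finding("postgresql", "pg_hba", " ".join(fields), "trust auth for remote clients"))
    return findings


def audit_mysql(conf: str) -> list[Finding]:
    """my.cnf [mysqld]: bound to all interfaces, or skip-grant-tables (privilege checks off)."""
    parser = configparser.ConfigParser(allow_no_value=True)
    parser.read_string(conf)  # '!include' directives are not handled by this example
    findings = []
    if parser.has_section("mysqld"):
        bind = parser.get("mysqld", "bind-address", fallback="*")  # MySQL 8 default: '*'
        if bind in ALL_INTERFACES:
            findings.append(Finding("mysql", "bind-address", bind, "listens on all interfaces"))
        if parser.has_option("mysqld", "skip-grant-tables"):
            findings.append(Finding("mysql", "skip-grant-tables", "set", "privilege checks disabled"))
    return findings


def audit_all(configs: dict[str, str]) -> list[Finding]:
    """Run the auditor for each supplied config; keys are redis, mongod, pg_hba, mysql."""
    auditors = {"redis": audit_redis, "mongod": audit_mongod, "pg_hba": audit_pg_hba, "mysql": audit_mysql}
    return [f for name, conf in configs.items() for f in auditors[name](conf)]


# Constructed sample fragments: each weak setting beside its hardened counterpart.
WEAK_REDIS = "bind 0.0.0.0\nprotected-mode no\nport 6379\n"
HARDENED_REDIS = "bind 127.0.0.1\nprotected-mode yes\nrequirepass <long-random-secret>\n"
WEAK_MONGOD = "net:\n  port: 27017\n  bindIp: 0.0.0.0\n"
HARDENED_MONGOD = "net:\n  bindIp: 127.0.0.1\nsecurity:\n  authorization: enabled\n"
WEAK_PG_HBA = "host all all 0.0.0.0/0 trust\nhost all all 127.0.0.1/32 trust\n"
HARDENED_PG_HBA = "host all all 10.0.0.0/8 scram-sha-256\nhost all all 127.0.0.1/32 scram-sha-256\n"
WEAK_MYSQL = "[mysqld]\nbind-address = 0.0.0.0\nskip-grant-tables\n"
HARDENED_MYSQL = "[mysqld]\nbind-address = 127.0.0.1\n"

if __name__ == "__main__":
    weak = {"redis": WEAK_REDIS, "mongod": WEAK_MONGOD, "pg_hba": WEAK_PG_HBA, "mysql": WEAK_MYSQL}
    for f in audit_all(weak):
        print(f"{f.service:<11}{f.setting:<24}{f.value:<32}{f.problem}")
```

The auditors only raise "no authentication" once a service is found listening beyond loopback, which is the combination the worm exploits; an unauthenticated service bound to 127.0.0.1 is a weaker finding and is deliberately not reported here. A configuration audit cannot catch the other half of Xbash’s spreading method, weak passwords, so it complements rather than replaces credential checks.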

Xbash also resists detection: its code is compiled, compressed, converted and encrypted, which obscures its behavior and makes it harder for anti-malware tools to flag it. Unit 42 found that the Bitcoin wallets hard-coded into Xbash’s ransomware component had received 48 payments totaling about $6,000, which shows that the new malware family is already active and collecting ransoms from victims.