New malware family targets both Linux and Windows

Sep 17, 2018 12:22 GMT  ·  By

Palo Alto Networks' Unit 42 research team discovered a new malware class capable of targeting Linux and Windows servers, combining coin-mining, botnet and ransomware capabilities in a self-spreading worm package.

As detailed by Unit 42, the new malware family named Xbash is tied to the Iron Group, a threat actor previously known to perform ransomware attacks, which apparently has moved on to more complex attack vectors.

Xbash has been observed propagating between servers through a combination of exploitable vulnerabilities and brute-forcing of weak passwords. Unlike other ransomware, it ships with data destruction features enabled by default and no restoration functionality, making file recovery virtually impossible.

Moreover, Xbash's botnet and ransomware components target Linux servers by exploiting exposed, vulnerable and still unpatched services, immediately erasing MySQL, PostgreSQL, and MongoDB databases and demanding Bitcoin ransoms to (hypothetically) restore the data.

On the other hand, Xbash's coin-mining and self-propagation modules aim to breach Windows systems using known vulnerabilities in unpatched Hadoop, Redis, and ActiveMQ services.

Xbash uses an inventive method of packaging multiple classes of threats within a self-propagating worm

Furthermore, Xbash has self-spreading capabilities resembling those of Petya/NotPetya and WannaCry, plus a set of propagation capabilities that are not yet enabled but could allow it to spread rapidly within an enterprise or home network.

Xbash also comes with anti-detection abilities, using code compilation, code compression and conversion, as well as code encryption, to obfuscate its malicious behavior and prevent anti-malware tools from detecting it.

Unit 42 has already found 48 incoming transactions, totaling $6000, to the wallets hard-coded in Xbash's ransomware component, which means the new malware family is already active and collecting ransoms from victims.

As reported by Palo Alto Networks' research team, there are a number of mitigation measures companies and individuals can take to protect their systems against Xbash.

Thus, they should use strong passwords, always install security updates for the OS and applications, back up data as frequently as possible, and restrict access to unknown remote servers so that the malware cannot contact its command and control servers for further instructions.
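As an added illustration of the advice to restrict exposed services (example code written for this article, not from Softpedia or Unit 42), the following Python check reads Linux `ss -ltn` output and flags the database and middleware services Xbash is reported to target when they listen beyond the loopback interface. The port numbers are assumed defaults for those services, and the sample `ss` output is constructed.

```python
import ipaddress
# Added example, not code from the article or Unit 42. Ports are the usual
# defaults for the services the article names (assumed; adjust to your hosts).
XBASH_TARGET_PORTS = {
    3306: "MySQL", 5432: "PostgreSQL", 27017: "MongoDB", 6379: "Redis",
    8088: "Hadoop YARN ResourceManager", 61616: "ActiveMQ OpenWire",
    8161: "ActiveMQ web console",
}
WILDCARDS = {"*", "0.0.0.0", "::"}

def is_exposed(local_addr):
    """True when a bind address is reachable beyond the loopback interface."""
    addr = local_addr.strip("[]")
    if addr in WILDCARDS:
        return True
    try:
        return not ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return True  # unparseable address: report it rather than miss it

def parse_listeners(ss_output):
    """Yield (address, port) for every LISTEN row of Linux `ss -ltn` output."""
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue  # header line or a non-listening socket
        addr, sep, port = fields[3].rpartition(":")
        if sep and port.isdigit():
            yield addr, int(port)

def find_exposed(ss_output):
    """Return [(service, address, port)] for targeted services bound off-loopback."""
    findings = []
    for addr, port in parse_listeners(ss_output):
        service = XBASH_TARGET_PORTS.get(port)
        if service and is_exposed(addr):
            findings.append((service, addr.strip("[]"), port))
    return findings

# Constructed sample `ss -ltn` output, not captured from a real host.
SAMPLE_SS = """State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      128    127.0.0.1:3306      0.0.0.0:*
LISTEN 0      128    0.0.0.0:27017       0.0.0.0:*
LISTEN 0      511    *:6379              *:*
LISTEN 0      128    [::1]:5432          [::]:*
LISTEN 0      128    [::]:8088           [::]:*
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*
"""
```

On a live host, pipe the real `ss -ltn` output into `find_exposed` and firewall or rebind anything it reports; on the sample it flags MongoDB, Redis and the Hadoop port, while the loopback-bound MySQL and PostgreSQL listeners and the untargeted SSH port are ignored.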

[Images: Malware alert; Xbash fetching domains from C2 server; Xbash tries to brute force services]