Pseudo-ransomware Xbash targeting Linux and Windows discovered

18 Sep 2018

Article by researchers Claud Xiao, Cong Zheng and Xingyu Jin

Unit 42 researchers have found a new malware family that is targeting Linux and Microsoft Windows servers.

We can tie this malware, which we have named Xbash, to the Iron Group, a threat actor group known for previous ransomware attacks.

Xbash has ransomware and coinmining capabilities.

It also has self-propagating capabilities (meaning it has worm-like characteristics similar to WannaCry or Petya/NotPetya).

It also has capabilities not currently implemented that, when implemented, could enable it to spread very quickly within an organisation’s network (again, much like WannaCry or Petya/NotPetya).

Xbash spreads by attacking weak passwords and unpatched vulnerabilities.

Xbash is data-destructive, destroying Linux-based databases as part of its ransomware capabilities.

We can also find no functionality within Xbash that would enable restoration after the ransom is paid.

This means that, similar to NotPetya, Xbash is data destructive malware posing as ransomware.

Organisations can protect themselves against Xbash by:

  1. Using strong, non-default passwords
  2. Keeping up-to-date on security updates
  3. Implementing endpoint security on Microsoft Windows and Linux systems
  4. Preventing access to unknown hosts on the internet (to prevent access to command and control servers)
  5. Implementing and maintaining rigorous and effective backup and restoration processes and procedures.

Below are some more specifics on Xbash’s capabilities:

  • It combines botnet, coinmining, ransomware and self-propagation
  • It targets Linux-based systems for its ransomware and botnet capabilities
  • It targets Microsoft Windows-based systems for its coinmining and self-propagating capabilities
  • The ransomware component targets and deletes Linux-based databases
  • To date, we have observed 48 incoming transactions to these wallets with total income of about 0.964 bitcoins meaning 48 victims have paid about US$6,000 total (at the time of publication)
  • However, we see no evidence that the paid ransoms have resulted in recovery for the victims
  • In fact, we can find no evidence of any functionality that makes recovery possible through ransom payment.
  • Our analysis shows this is likely the work of the Iron Group, a group publicly linked to other ransomware campaigns including those that use the Remote Control System (RCS), whose source code was believed to be stolen from the HackingTeam in 2015.
Recently Unit 42 used Palo Alto Networks WildFire to identify a new malware family targeting Linux servers.

After further investigation, we realised it’s a combination of botnet and ransomware that was developed by an active cybercrime group Iron (aka Rocke) this year.

We have named this new malware “Xbash”, based on the name of the malicious code’s original main module.

Previously the Iron group developed and spread cryptocurrency miners or cryptocurrency transaction hijacking trojans mainly intended for Microsoft Windows, with only a few for Linux.

Instead, Xbash is aimed at discovering unprotected services, deleting the victim’s MySQL, PostgreSQL and MongoDB databases, and demanding a ransom in Bitcoin.

Xbash uses three known vulnerabilities in Hadoop, Redis and ActiveMQ for self-propagation or infecting Windows systems.

Other new technical characteristics in Xbash that are worth noting:

  • Developed in Python: Xbash was developed using Python and was then converted into self-contained Linux ELF executables by abusing the legitimate tool PyInstaller for distribution.
  • Targets IP addresses and domain names: Modern Linux malware such as Mirai or Gafgyt usually generate random IP addresses as scanning destinations. By contrast, Xbash fetches from its C2 servers both IP addresses and domain names for service probing and exploiting.
  • Targets Windows and Linux: When exploiting vulnerable Redis services, Xbash will also figure out whether the service is running on Windows or not. If so, it will send malicious JavaScript or VBScript payload for downloading and executing a coinminer for Windows.
  • Intranet Scanning Functionality: The Xbash authors have developed the new capability of scanning for vulnerable servers within an enterprise intranet. We see this functionality in the samples but, interestingly, it has not yet been enabled.
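The first bullet above is the point a responder can act on quickly: a Python program packaged with PyInstaller carries PyInstaller's own archive cookie, so a suspicious Linux binary can be triaged for that packaging before any deeper analysis. The script below is an added example, not code from the article or from Unit 42; it assumes the cookie layout PyInstaller has used since version 2.1 (an 8-byte magic followed by four 32-bit fields and a 64-byte library name) and builds its own constructed sample rather than touching a real Xbash file.

```python
import struct
import sys

ELF_MAGIC = b"\x7fELF"
# Magic that opens every PyInstaller CArchive cookie (a constant of the real tool).
PYINSTALLER_COOKIE_MAGIC = b"MEI\x0c\x0b\x0a\x0b\x0e"
# Cookie layout since PyInstaller 2.1: magic, archive length, TOC offset,
# TOC length, packed Python version, name of the bundled libpython (assumption).
COOKIE = struct.Struct("!8sIIII64s")


def decode_pyvers(pyvers: int) -> str:
    """PyInstaller packs 2.7 as 27 and, for 3.10+, 3.10 as 310; decode both."""
    if pyvers >= 100:
        return f"{pyvers // 100}.{pyvers % 100}"
    return f"{pyvers // 10}.{pyvers % 10}"


def inspect_elf(data: bytes) -> dict:
    """Triage a file image: is it an ELF, and does it carry a PyInstaller archive?"""
    result = {"is_elf": data[:4] == ELF_MAGIC, "pyinstaller": False,
              "python_version": None, "python_lib": None}
    pos = data.rfind(PYINSTALLER_COOKIE_MAGIC)  # cookie sits at the end of the archive
    if pos < 0 or pos + COOKIE.size > len(data):
        return result
    _magic, _pkg_len, _toc_pos, _toc_len, pyvers, pylib = COOKIE.unpack_from(data, pos)
    result["pyinstaller"] = True
    result["python_version"] = decode_pyvers(pyvers)
    result["python_lib"] = pylib.rstrip(b"\x00").decode(errors="replace") or None
    return result


def constructed_sample(pyvers: int = 27, pylib: bytes = b"libpython2.7.so.1.0") -> bytes:
    """Constructed stand-in for a one-file PyInstaller ELF: fake header, payload, cookie."""
    bootloader = ELF_MAGIC + b"\x00" * 60   # not a real ELF, just the magic plus padding
    payload = b"\x00" * 128                 # stands in for the archived .pyc and libraries
    cookie = COOKIE.pack(PYINSTALLER_COOKIE_MAGIC, len(payload) + COOKIE.size,
                         0, 0, pyvers, pylib)
    return bootloader + payload + cookie


if __name__ == "__main__":
    # Usage: python triage.py <file>; with no argument, inspect the constructed sample.
    image = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else constructed_sample()
    print(inspect_elf(image))
```

A positive result only says the file is a PyInstaller bundle, which many legitimate tools are too; it is a reason to pull the bundled Python code out for review, not a verdict on its own.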

We have discovered four different versions of Xbash so far.

Code and timestamp differences among these versions show that it’s still under active development.

The botnet began to operate as early as May 2018.

Thus far, we’ve observed 48 incoming transactions to the Bitcoin wallet addresses used by the malware, which may indicate 48 victims of its ransom behaviour.
