A threat actor has been targeting Windows and Linux servers with a self-propagating malware mash-up that’s comprised of botnet, ransomware, disk wiper, cryptomining and worm elements all in one.
Researchers from Palo Alto Networks’ Unit 42 division have tied the malware, dubbed Xbash, to the APT actor known as Iron Group. The same group has previously been linked to campaigns utilizing ransomware, cryptominers and crypto transaction hijacking trojans, researchers Claud Xiao, Cong Zheng and Xingyu Jin noted in a company blog post published today.
Xbash initially spreads by attacking weak passwords and unpatched vulnerabilities found while scanning ports for services and protocols such as HTTP, VNC, MySQL, Memcached, MariaDB, FTP, Telnet, PostgreSQL, ElasticSearch, MongoDB, RDP, UPnP/SSDP, NTP, DNS, SNMP, LDAP, Rexec, Rlogin, Rsh, Rsync, Oracle database, CouchDB and phpMyAdmin. But rather than searching for these weaknesses among randomly generated IP addresses — as is more typical of Linux malware — it fetches specifically targeted IP addresses from its command-and-control server, Unit 42 reports. Also unusual for a Linux botnet: its targets include domains for public websites.
Xbash can even scan for vulnerable servers within an enterprise’s intranet, although the researchers have not observed any samples where such functionality has been enabled.
According to the post, Xbash’s behavior is dependent upon the infected platform and the services it’s running. The researchers warn that if Xbash successfully logs into a Linux server, “it will delete almost all existing databases… create a new database named ‘PLEASE_READ_ME_XYZ’ and leave a ransom message into table ‘WARNING’ of the new database…”
This message instructs readers to deposit 0.02 bitcoin to the attacker’s address in order to recover their lost database — or else the contents will be publicly leaked. However, the researchers note, “we see no evidence that the attackers are actually making good on their promise and helping the victims restore their deleted databases. In fact, contrary to the ransom note, we found no evidence of code in Xbash that backs up the deleted databases at all.”
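The database wipe described above leaves a recognizable trail in query logs: a run of dropped databases followed by the creation of the ransom database in the same session. The following detection sketch is an added example, not code from Unit 42 or from the malware; the log layout, the sample lines and the function name `find_wipe_sessions` are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Names quoted in the Unit 42 description above.
RANSOM_DB = "PLEASE_READ_ME_XYZ"
RANSOM_TABLE = "WARNING"

# Constructed sample lines, loosely modelled on a MySQL general query log
# (timestamp, connection id, command, statement). Not captured from a real host.
SAMPLE_LOG = """\
2018-09-17T10:00:01Z 41 Query SELECT * FROM shop.orders WHERE id = 7
2018-09-17T10:02:10Z 57 Query SHOW DATABASES
2018-09-17T10:02:11Z 57 Query DROP DATABASE `shop`
2018-09-17T10:02:11Z 57 Query drop database crm
2018-09-17T10:02:12Z 57 Query CREATE DATABASE PLEASE_READ_ME_XYZ
2018-09-17T10:02:12Z 57 Query CREATE TABLE PLEASE_READ_ME_XYZ.WARNING (id INT, note TEXT)
2018-09-17T10:03:00Z 63 Query DROP DATABASE IF EXISTS scratch_tmp
"""

LINE = re.compile(r"^(\S+)\s+(\d+)\s+Query\s+(.*)$")
DROP_DB = re.compile(
    r"^DROP\s+(?:DATABASE|SCHEMA)\s+(?:IF\s+EXISTS\s+)?`?(\w+)`?", re.I)
CREATE_DB = re.compile(
    r"^CREATE\s+(?:DATABASE|SCHEMA)\s+(?:IF\s+NOT\s+EXISTS\s+)?`?(\w+)`?", re.I)


def find_wipe_sessions(log_text):
    """Return {connection_id: finding} for sessions matching the wipe pattern."""
    sessions = defaultdict(
        lambda: {"dropped": [], "ransom_db": False, "ransom_table": False})
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # skip anything that is not a Query entry
        _, conn, stmt = m.groups()
        s = sessions[int(conn)]
        if (d := DROP_DB.match(stmt)):
            s["dropped"].append(d.group(1))
        elif (c := CREATE_DB.match(stmt)) and c.group(1).upper() == RANSOM_DB:
            s["ransom_db"] = True
        elif s["ransom_db"] and re.search(rf"\b{RANSOM_TABLE}\b", stmt, re.I):
            s["ransom_table"] = True
    # A lone DROP DATABASE is routine admin work; report a session only when
    # the ransom database is created in it.
    return {c: s for c, s in sessions.items() if s["ransom_db"]}


if __name__ == "__main__":
    for conn, finding in find_wipe_sessions(SAMPLE_LOG).items():
        print(conn, finding)
```

The `dropped` list in each finding records which databases were removed in that session, which is the starting point for deciding what to restore from backup.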
“Similar to NotPetya, Xbash is data destructive malware posing as ransomware,” the researchers continue, referring to the 2017 NotPetya faux ransomware attack that Russian intelligence services allegedly launched in order to damage targeted Ukrainian systems.
But does that mean there’s an intent to sabotage, or are the attackers just trying to make easy money?
“Whatever their motivation, they are flat out lying to the victims in the ransom note and victims who pay will have lost not only their data but also their money,” said Matthew Ballard, a spokesperson for Palo Alto Networks.
Indeed, at least 48 victims have paid the attackers so far, earning Iron Group a total of 0.964 bitcoins, or roughly $6,000 (as of Sept. 17).
But that’s not the only way the Iron Group attackers can make money via Xbash. Palo Alto also reports that Xbash can exploit vulnerabilities in Redis, Hadoop and ActiveMQ to download malicious scripts that can execute coin miners, as well as to self-propagate.
While in the process of exploiting Redis, if the malware determines the service is running on a Windows system, it will create a Windows startup item that begins a download chain that also results in the execution of a cryptominer, or sometimes ransomware.
Unit 42 reports finding four separate variants of Xbash, all written in Python and converted into self-contained Linux ELF executables by abusing the PyInstaller tool. The botnet began operating as early as May 2018, and the malware remains under active development, the researchers report.