A threat actor has been targeting Windows and Linux servers with a self-propagating malware mash-up made up of botnet, ransomware, disk wiper, cryptomining and worm elements all in one.

Researchers from Palo Alto Networks' Unit 42 division have tied the malware, dubbed Xbash, to the APT actor known as Iron Group. The same group has previously been linked to campaigns utilizing ransomware, cryptominers and crypto transaction hijacking trojans, researchers Claud Xiao, Cong Zheng and Xingyu Jin noted in a company blog post published today.

Xbash initially spreads by attacking weak passwords and unpatched vulnerabilities found while scanning ports for services and protocols such as HTTP, VNC, MySQL, Memcached, MariaDB, FTP, Telnet, PostgreSQL, ElasticSearch, MongoDB, RDP, UPnP/SSDP, NTP, DNS, SNMP, LDAP, Rexec, Rlogin, Rsh, Rsync, Oracle database, CouchDB and phpMyAdmin. But instead of searching for these weaknesses among randomly generated IP addresses -- as is more typical of Linux malware -- it fetches specifically targeted IP addresses from its command-and-control server, Unit 42 reports. Also unusual for a Linux botnet, its targets include domains of public websites.
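As an added, defender-side example that is not part of the article or of Unit 42's research: a small Python check that flags a source host probing many of the service ports named above across several destinations, which is the scanning pattern the report describes. The key=value log format, the default-port mapping and the thresholds are assumptions, and the sample log lines are constructed.

```python
"""Flag hosts whose connection pattern matches the multi-service
scanning described for Xbash: one source probing many of the listed
service ports across several destinations. Sample log is constructed."""
import re
from collections import defaultdict

# Default ports for the services the article says Xbash probes.
# The port mapping is an assumption: services may listen elsewhere.
XBASH_SERVICE_PORTS = {
    21: "FTP", 23: "Telnet", 53: "DNS", 80: "HTTP/phpMyAdmin", 123: "NTP",
    161: "SNMP", 389: "LDAP", 512: "Rexec", 513: "Rlogin", 514: "Rsh",
    873: "Rsync", 1521: "Oracle", 1900: "UPnP/SSDP", 3306: "MySQL/MariaDB",
    3389: "RDP", 5432: "PostgreSQL", 5900: "VNC", 5984: "CouchDB",
    9200: "ElasticSearch", 11211: "Memcached", 27017: "MongoDB",
}

# Hypothetical firewall line format: "src=<ip> dst=<ip> dport=<port>".
LINE_RE = re.compile(r"src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)")

def find_scanners(lines, min_services=5, min_hosts=3):
    """Return {src: (service_count, host_count)} for sources that touched
    at least `min_services` listed services on at least `min_hosts` hosts."""
    services = defaultdict(set)
    hosts = defaultdict(set)
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue  # not a connection record; ignore it
        port = int(m.group("dport"))
        if port in XBASH_SERVICE_PORTS:  # unlisted ports are not counted
            services[m.group("src")].add(XBASH_SERVICE_PORTS[port])
            hosts[m.group("src")].add(m.group("dst"))
    return {src: (len(services[src]), len(hosts[src]))
            for src in services
            if len(services[src]) >= min_services
            and len(hosts[src]) >= min_hosts}

# Constructed sample: 10.0.0.99 sweeps listed services on four hosts
# (port 8080 is deliberately unlisted); 10.0.0.5 is a normal web client.
SAMPLE_LOG = [
    f"10:00:{i:02d} src=10.0.0.99 dst=192.0.2.{d} dport={p} proto=tcp"
    for i, (d, p) in enumerate([(10, 3306), (10, 8080), (11, 5432), (11, 27017),
                                (12, 9200), (12, 11211), (13, 5900), (13, 3389)])
] + [f"10:01:{i:02d} src=10.0.0.5 dst=192.0.2.20 dport=80 proto=tcp"
     for i in range(4)]

if __name__ == "__main__":
    for src, (n_svc, n_hosts) in find_scanners(SAMPLE_LOG).items():
        print(f"{src}: probed {n_svc} listed services on {n_hosts} hosts")
```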
