New XBash malware comes packed with ransomware, cryptomining, botnet and worm capabilities

• The malware targets both Windows and Linux users, and has already raked in over $6,000 in ransom.
• The malware was developed and is being used by the cybercriminal gang called Iron Group (aka Rocke).

A new multi-purpose malware called XBash has recently been discovered by security researchers. The malware comes packed with multiple capabilities, including ransomware, cryptomining, botnet and worm capabilities. XBash is currently targeting Windows and Linux users and has already raked in over $6,000 in ransom.

XBash’s worm-like abilities could allow it to propagate as rapidly as WannaCry and NotPetya did last year. XBash’s ransomware component has data-destructive abilities. According to Palo Alto researchers, who discovered the new malware family, there is no evidence to suggest that XBash can restore victims’ destroyed files after the ransom has been paid. In other words, like NotPetya, XBash is a data-destroying malware, posing as a ransomware.

XBash created by Iron Group

Researchers believe that XBash was developed by the cybercriminal gang Iron Group (aka Rocke). The group has been fairly active over the past few years, targeting victims with ransomware attacks. The Iron Group is currently attacking unpatched flaws and weak passwords to distribute XBash.

“Previously the Iron group developed and spread cryptocurrency miners or cryptocurrency transaction hijacking trojans mainly intended for Microsoft Windows, with only a few for Linux,” Palo Alto researchers wrote in a blog. “Instead, Xbash aimed on discovering unprotected services, deleting victim’s MySQL, PostgreSQL and MongoDB databases, and ransom for Bitcoins. Xbash uses three known vulnerabilities in Hadoop, Redis and ActiveMQ for self-propagation or infecting Windows systems.”

According to Cisco Talos researchers, Iron Group has conducted massive ransomware and cryptomining campaigns in the past and is likely a China-based threat group, ZDNet reported.

Xbash capabilities

XBash’s ransomware and botnet components target Linux systems, while its cryptomining and worm capabilities target Windows systems. Palo Alto researchers discovered that around 48 victims have so far paid a combined ransom of $6,000 to the Iron Group.

Xbash was developed using Python and is capable of scanning for vulnerable servers within an enterprise intranet. The malware obtains IP addresses and domain names from its C2 servers, instead of generating random IP addresses by scanning destinations like other botnets such as Mirai or Gafgyt.

Researchers believe that since it is more likely to find vulnerable servers within an intranet, XBash’s ability could be devastating in the event that the malware is used in a WannaCry-like event.

“We have discovered four different versions of Xbash so far. Code and timestamp differences among these versions show that it’s still under active development. The botnet began to operate as early as May 2018,” Palo Alto researchers said.

The researchers believe that XBash’ behavior and characteristics indicate that cybercriminals are “are expanding their profit-making ways beyond mining cryptocurrency to hijacking or ransoming for cryptocurrency” and “ looking for more potential victims by gathering more vulnerabilities from everywhere, no matter whether the vulnerability is new or old”.