
Is Xbash the Swiss Army Knife of Windows and Linux malware?

Recently discovered Xbash malware fits an emerging trend. It’s not just one type of malware, it’s at least four different types. It’s a worm! It’s ransomware! It’s a botnet! It’s a cryptominer! It slices and it dices, and it can be yours for four easy payments of two Bitcoins! Well, I haven’t seen infomercial-style ads on the Dark Web yet, nor have I seen Xbash for sale there. But you can catch my drift, eh?

It also targets both Windows and Linux. It’s not that there’s a Windows version and a Linux version… the same malware with the same payload will try different exploits and malicious activities based on whether the infected target is determined to be Windows or Linux. I use a Linux distro on my home office PC for my everyday work and leisure, but I’m an outlier. Rarely do consumers use Linux directly except perhaps for the Linux kernel on their Android devices. So targeting x86 versions of Linux suggests that the cyber attackers intend to focus on servers, including those which don’t run Windows Server. Attack Windows Server machines running applications like Active Directory and IIS, and attack Linux machines running applications like Apache, and you’ve got the large majority of internet servers around the world.

Originally developed in Python and ported into Linux ELF executables, Xbash tries to infect a system by exploiting weak passwords and well-known vulnerabilities, such as bugs in Redis services running on either major platform. Xbash appears to be malware that’s in constant development, so the cyber attackers’ command and control servers may transmit malware that’s designed to exploit new and different vulnerabilities in the future.

Researchers believe that the Iron Group, otherwise known as Rocke, is behind Xbash. Iron Group was originally discovered in 2017. The researchers wrote:

“Previously the Iron Group developed and spread cryptocurrency miners or cryptocurrency transaction hijacking trojans mainly intended for Microsoft Windows, with only a few for Linux. Instead, Xbash aimed on discovering unprotected services, deleting victim’s MySQL, PostgreSQL and MongoDB databases, and ransom for Bitcoins. Xbash uses three known vulnerabilities in Hadoop, Redis and ActiveMQ for self-propagation or infecting Windows systems.”

Xbash is definitely an Advanced Persistent Threat. The cyber attackers scan IP addresses on both the internet and on intranets, and they appear to be choosing their targets based on certain criteria. Unlike Iron’s previous cyber attacks, making money from ransomware and cryptomining seems to be just one of their motives, and the others remain unclear. The cyber attackers really haven’t been making much money from Xbash so far, and it seems deliberate. The ransomware profits appear to be only about $6,000 USD worth of Bitcoin so far. Researcher Jen Miller-Osborn said:

“We agree that it seems odd. Though there is no way for the victims to know the attackers did not create copies of their files to return (as it claims to). It’s only once they’ve paid, and the attackers don’t restore the files, that the victims know their files are truly gone. The attackers may be happy enough to make whatever profits they can without the added step of having to store, track, and return the data.”

Money is certainly a factor, but perhaps the lust for power is an even greater one. Look at what they can leverage with their command and control servers and their ever growing botnet!

Here’s what Xbash does if it has determined that it has infected a Windows machine. After getting in through Redis, Xbash deploys its Windows attacks if the web server’s location in the file system is typical of Windows, such as under the Program Files folder. A Windows startup item is created, and a malicious HTML or Scriptlet file is downloaded from the command and control servers. From there, JavaScript or VBScript code is used to launch PowerShell, which runs a malicious PE executable or PE DLL file. Once thoroughly inside a Windows target, further malicious code and instructions from the command and control servers make Xbash show its not-so-charming cryptomining and worm aspects.

If, by exploiting Redis, Xbash finds a web server in a location typical of a Linux operating system, such as under the /usr/local/ folder, Tux mode commences! (Only I seem to call it Tux mode. I apologize to penguins everywhere.) A Linux cronjob is created, and malicious JavaScript or VBScript payloads are downloaded from the command and control servers and executed. Xbash will look for databases to delete, such as MongoDB or MySQL. On a Linux system, Xbash goes on to show its equally not-so-charming ransomware and botnet aspects. Each and every side is utterly non-photogenic, darling.

So Xbash doesn’t seem to be a gold digger, but it will inevitably try to exploit many new vulnerabilities in the future and try a variety of different activities so that the Iron Group can have internet servers around the world under their thumb. Whatever forms Xbash takes in the future, using much stronger passwords in your OSes, web servers, and web databases, and installing the latest patches, will certainly make it more difficult for your network to become the latest Xbash victim.
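An added example, not code from the original post or from the researchers it cites: a small audit of a redis.conf against the weak settings the post says Xbash goes after (a missing or guessable password and a service reachable from anywhere), which is the database-hardening advice above made checkable. Both configuration strings are constructed samples, and the common-password list is an assumed stand-in for a real wordlist.

```python
"""Audit a redis.conf for the weak settings an Xbash-style scanner hunts for."""

# Constructed sample of a weak configuration (not from any real host).
SAMPLE_WEAK_CONF = """
# reachable on every interface, including the internet-facing one
bind 0.0.0.0
protected-mode no
port 6379
# short, guessable password
requirepass redis123
"""

# Constructed sample of a hardened configuration.
SAMPLE_HARDENED_CONF = """
bind 127.0.0.1
protected-mode yes
requirepass Correct-Horse-Battery-Staple-2018
rename-command CONFIG ""
"""

# Assumed stand-in for a real wordlist of frequently guessed passwords.
COMMON_PASSWORDS = {"redis", "redis123", "password", "123456", "admin"}


def audit_redis_conf(text):
    """Return a list of findings for a redis.conf; an empty list means nothing weak was found."""
    conf = {}
    renamed = set()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        key = key.lower()
        if key == "rename-command":
            renamed.add(value.split()[0].upper())  # e.g. rename-command CONFIG ""
        else:
            conf[key] = value.strip()  # Redis keeps the last occurrence of a directive
    findings = []
    bind = conf.get("bind", "")
    if not bind or "0.0.0.0" in bind or "*" in bind:
        findings.append("bind: missing or wildcard, so Redis listens on all interfaces")
    if conf.get("protected-mode", "yes").lower() != "yes":
        findings.append("protected-mode: disabled")
    password = conf.get("requirepass", "").strip('"')
    if not password:
        findings.append("requirepass: not set, so anyone who can reach the port is authenticated")
    elif len(password) < 16 or password.lower() in COMMON_PASSWORDS:
        findings.append("requirepass: short or common password")
    if "CONFIG" not in renamed:
        findings.append("CONFIG command still reachable under its default name")
    return findings
```

Run it against each host's live redis.conf rather than the samples; every finding maps to a directive the Redis security documentation tells you to set.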
