There was a time when Linux was touted as an OS that was invulnerable to any malware attack. Well, at one point it changed and the threats designed to target it began to appear, one after another. Con artists have managed to uncover ways to attack it and now it’s basically another day, another Linux virus. The latest in this batch is XBash, malware that combines ransomware, cryptocurrency miner, botnet and worm features, and is capable of compromising both Windows and Linux servers. It was created by a well-known criminal group previously identified under the names of Iron and Rocke, and which has been tremendously active in the past two years.
Iron is connected to ransomware distribution campaigns and to a huge cryptomining operation. It’s gotten a title of “the champion of Monero miners” from Cisco Talos and the threat intelligence group has also given hints of it coming from China. Until recent times, Iron preferred not to spread their attention and focus on one task at hand, employing malware that was required to achieve their goals. In 2017 and early 2018 it used ransomware. Later in 2018 it started distributing a cryptocurrency miner. With XBash, however, Iron decided to abandon their previous methods and, as Palo Alto Network’s Unit 42 researchers point out, aim for several targets at once. There’re also certain signs of the group developing a worm component that spreads inside isolated corporate networks and doesn’t need any human guidance for that.
There’s one interesting detail that needs to be pointed out – Palo Alto Network says that botnet and ransomware features of the virus are activated when it infiltrates Linux, while the cryptocurrency miner is initiated when Windows servers are compromised.
At the core of XBash’s activity lies its botnet module which is used to scan the Internet for any web applications that have been left unpatched. Because of that, they can be taken advantage of by con artists. Unlike Gafgyt and Mirai (which attacked Linux recently) that scan for vulnerable devices by using randomly generated IP addresses, there’s also a scan for domain name. This makes it harder for defenders to spot the breach using honeypots, which are typically deployed with IP addresses only. If it’s Linux this malware enters, then it uses exploits to overtake Hadoop, Redis or ActiveMQ servers and deploy a copy of its botnet and ransomware module. In case of Windows, it can infiltrate it through vulnerable Redis server, with a special code routine being employed to execute a cryptocurrency miner module. There’s also a second scanner module that looks for services run by servers that have been left online with no password protection or with weak credentials – in other words, a port scan is performed by it.
This is done to try and break into web servers (HTTP), VNC, MariaDB, MySQL, PostgreSQL, Redis, MongoDB, Oracle DB, CouchDB, ElasticSearch, Memcached, FTP, Telnet, RDP, UPnP/SSDP, NTP, DNS, SNMP, LDAP, Rexec, Rlogin, Rsh, and Rsync. It provides people behind this threat with more targets to attack and makes it possible for their botnet to grow faster than those employed by other viruses. And while XBash can only abuse Windows for direct monetary purposes, it still doesn’t mean that con artists responsible for it aren’t able to use Linux to enrich their bank accounts.
Once this malware is successful in breaking inside of it, the scan is performed to discover any locally-running database services. The ransomware feature is then executed and MySQL, MongoDB, and PostgreSQL databases get deleted as a result. The ransom note which says that 0.02 Bitcoin (approximately $125.90 USD) has to be paid to return things back to normal is then created and it also says that erased databases are stored on the designated server. According to researchers, this information is a lie, as the analysis of the threat’s source code revealed that it’s only designed to destroy data without backing it up. As of now, cybercriminals have been able to earn 0.964 Bitcoin (approximately $6,050.47 USD) from their activities, with at least 48 victims paying to them.
And troubles don’t end with this. As has been mentioned above, a worm component is being worked on which will allow this virus to infiltrate internal networks. According to Palo Alto Network, it’s already in the code, but isn’t active yet. It’s supposed to be executed on Windows servers and consists of a “LanScan” function that’s used to create a list of IP addresses for the network subnet that the infected host is located in. Worm’s ultimate goal lies in probing the same ports and servers listed before with a purpose of getting access to other computers from a company’s network.
This is done because systems belonging to corporate networks or intranets are situated on the internal network (and not directly connected to the Internet) and may have fewer security measures. They can also be configured to use weaker passwords than the ones with direct online access. The feature isn’t live at the moment, but it’s expected to change in XBash’s upcoming revisions.
All signs point to the threat being actively worked on and it’s expected that cryptocurrency miner component will appear in Linux, too. As Ryan Olson, vice president of threat intelligence at Palo Alto Network’s Unit 42 says, “taken as a whole, we’ve not [before] seen this combination of ransomware, coinmining, worm capabilities, and targeting both Linux and Windows systems.” He also adds that “organizations and defenders are better off focusing on prevention than specific threats” and “a threat-based approach against Xbash would require multiple threats against multiple vectors, which is not scalable and is inherently advantageous to the attackers.” That’s why steps should be taken towards more high-level approach to protection from viruses, as they continue to evolve, with no signs of stopping.