XBash is a new malware family discovered by Unit 42 researchers that targets both Linux and Microsoft Windows servers. It combines ransomware and coin-mining capabilities and spreads by exploiting weak passwords and unpatched vulnerabilities in exposed services. On Linux its ransomware component is destructive rather than recoverable: it deletes the databases it reaches and demands a ransom for their return, but the malware has no built-in functionality to restore data once a ransom is paid, so paying recovers nothing.
Three different Bitcoin wallet addresses are hard-coded into the XBash samples observed so far. The samples also contain intranet-scanning functionality that is not currently enabled; if it were switched on, XBash could spread laterally inside an organization's network in the manner of WannaCry and NotPetya, making an infection far more damaging. The Redis exploitation is platform-aware: when XBash identifies the target as a Windows server, it uses the Redis vulnerability to create a Windows startup item rather than a Linux cron job. And when a scanned host runs both a vulnerable Redis service and an HTTP service, XBash uses information leaked through the Redis vulnerability to guess where the web server is installed.
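The Redis abuse described above relies on a misconfigured instance: one that is reachable from the network, accepts commands without a password, and still exposes the CONFIG command, which is what lets an attacker redirect the database dump into a cron directory or startup location (the well-known CONFIG SET dir/dbfilename followed by SAVE technique; the page does not detail XBash's exact command sequence). The audit script below is an added example, not code from Unit 42 or from the XBash samples; the two redis.conf fragments are constructed for illustration. It checks the four preconditions of that unauthenticated file write and, in doing so, shows one subtlety a practitioner often misses: protected-mode only protects an instance that has no explicit bind and no password, so `bind 0.0.0.0` with `protected-mode yes` is still fully exposed.

```python
"""Audit a redis.conf for the exposure an XBash-style scanner looks for.

Added example, not from the Unit 42 report or the XBash samples. The sample
configurations are constructed for illustration.
"""
from typing import Dict, List

LOOPBACK = {"127.0.0.1", "::1", "localhost"}

# Constructed sample 1: looks hardened because protected-mode is on, but an
# explicit `bind` to all interfaces disables protected mode in Redis.
EXPOSED_CONF = """
bind 0.0.0.0
port 6379
protected-mode yes
"""

# Constructed sample 2: loopback only, a password, and CONFIG/SAVE disabled.
HARDENED_CONF = """
bind 127.0.0.1 -::1
port 6379
protected-mode yes
requirepass change-me-to-a-long-random-secret
rename-command CONFIG ""
rename-command SAVE ""
rename-command BGSAVE ""
"""


def parse_redis_conf(text: str) -> Dict[str, List[List[str]]]:
    """Minimal redis.conf parser: one directive per line, `#` comments,
    whitespace-separated arguments, every occurrence kept in order."""
    conf: Dict[str, List[List[str]]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        conf.setdefault(parts[0].lower(), []).append(parts[1:])
    return conf


def audit_redis_conf(text: str) -> Dict[str, bool]:
    """Evaluate the preconditions of the unauthenticated Redis file write
    (CONFIG SET dir/dbfilename + SAVE) that turns an open instance into a
    cron entry or a startup item."""
    conf = parse_redis_conf(text)

    # Absent `bind` means all interfaces; Redis 7 allows a leading '-' prefix.
    bind_set = "bind" in conf
    addrs = [a.lstrip("-") for a in conf["bind"][-1]] if bind_set else ["0.0.0.0"]
    remote_reachable = any(a not in LOOPBACK for a in addrs)

    pw = conf.get("requirepass", [[]])[-1]
    no_auth = not pw or pw[0] in ('""', "''")

    # protected-mode is only effective when neither bind nor a password is set;
    # an explicit `bind 0.0.0.0` silently switches it off.
    pm_on = conf.get("protected-mode", [["yes"]])[-1][:1] != ["no"]
    protected_effective = pm_on and not bind_set and no_auth

    # `rename-command CONFIG ""` removes the dir/dbfilename pivot entirely.
    renamed = {args[0].upper() for args in conf.get("rename-command", []) if args}
    config_available = "CONFIG" not in renamed

    return {
        "remote_reachable": remote_reachable,
        "no_auth": no_auth,
        "protected_mode_effective": protected_effective,
        "config_available": config_available,
    }


def allows_anonymous_file_write(text: str) -> bool:
    """True only when every precondition of the file-write primitive holds."""
    r = audit_redis_conf(text)
    return (r["remote_reachable"] and r["no_auth"]
            and not r["protected_mode_effective"] and r["config_available"])


def findings(text: str) -> List[str]:
    """Human-readable hardening findings for a config."""
    r = audit_redis_conf(text)
    msgs: List[str] = []
    if r["remote_reachable"]:
        msgs.append("bind: listening on a non-loopback address")
    if r["no_auth"]:
        msgs.append("requirepass: not set; any client that connects can run commands")
    if r["no_auth"] and not r["protected_mode_effective"]:
        msgs.append("protected-mode: not effective (explicit bind or disabled)")
    if r["config_available"]:
        msgs.append('rename-command: CONFIG still reachable; set `rename-command CONFIG ""`')
    return msgs


if __name__ == "__main__":
    for name, conf in (("exposed", EXPOSED_CONF), ("hardened", HARDENED_CONF)):
        print(f"{name}: anonymous file write possible = {allows_anonymous_file_write(conf)}")
        for m in findings(conf):
            print("  -", m)
```

Run it against a real `redis.conf` by reading the file into `findings()`; an empty list means none of the four conditions is met. Note that the check is about configuration only: an instance that is correctly configured but runs an unpatched Redis build still needs the vendor update.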
On the defensive side, Palo Alto Networks Threat Prevention covers XBash's C2 traffic and all three vulnerabilities it exploits (signature IDs 18474, 18475, 18476, 39786, 39787, 54654, 54655), and WildFire detects both the Linux XBash samples and the CoinMiner they drop on Windows. Because the cybercrime group behind XBash remains active, these signatures are not a substitute for closing the entry points it relies on: strong passwords and prompt patching of exposed services.
Description last updated: 2024-05-05T13:55:05.910Z