Xbash

Malware updated 7 months ago (2024-11-29T14:04:15.263Z)
XBash is a novel and complex malware family discovered by Unit 42 researchers that targets Linux and Microsoft Windows servers. It combines ransomware and coinmining capabilities and spreads by exploiting weak passwords and unpatched vulnerabilities. Its ransomware component is destructive: on Linux it destroys databases as part of its ransomware functionality and, unlike some other forms of ransomware, XBash has no built-in functionality for restoring data after a ransom has been paid. Three different Bitcoin wallet addresses are hard-coded into the XBash samples observed thus far. It also carries potential intranet functionality which, if enabled, could make it even more devastating, similar to previous significant threats such as WannaCry and NotPetya.

XBash adapts its persistence to the host it lands on: if it identifies a Windows server, it exploits the Redis vulnerability to create a Windows startup item instead of a Linux cronjob. Furthermore, if a scanned destination runs both a vulnerable Redis service and an HTTP service, XBash uses information leaked by the Redis vulnerability to guess the HTTP web server's installation location.

Prevention coverage is in place: XBash's C2 traffic and all three vulnerabilities it exploits are covered by Threat Prevention (codes 18474, 18475, 18476, 39786, 39787, 54654, 54655), and WildFire detects XBash for Linux as well as the dropped CoinMiner for Windows. Given the active nature of the cybercrime group behind XBash, ongoing vigilance and robust cybersecurity measures remain essential to prevent future attacks.
Description last updated: 2024-05-05T13:55:05.910Z
Aliases: We are not currently tracking any aliases.