Posted on September 20, 2018 at 8:01 AM
Researchers from unit 42 of Palo Alto Networks have concluded that Xbash malware which up till now has been attacking Windows and Linux is controlled by Iron Group. This group is a hacker infamously known for cybercrimes having to do with cryptominers and ransomware.
Trojans Also Hijacked by Iron Group
The brains behind the APT threat in Iron Group equally operates crypto and has been hijacking Trojans from times past now. But of late, they have been making use of Xbash which is a malware that self-propagate itself and which has many features. That aside, Xbash can act as a botnet, ransomware, worm, crypto-miner, and disk wiper all at the same time.
In a blog post by researchers Claud Xiao, Xingyu Jin, and Cong Zheng, they made it clear that there was nothing unusual about a malware that is multi-functional. However, they admitted that Xbash was uniquely clever. In their summation, the malware can invade an organization’s network all at once.
Continuing in their explanation they said that Xbash uses its capacity to function as botnet and ransomware to target Linux servers. And for Windows, the unit 42 researchers said Xbash attacks using its capacity to self-propagate and as a crypto-miner.
What the Malware Does
Essentially, once Xbash finds its way into a network, it deletes Linus databases on its server. And the deletion is such that it cannot be recovered regardless of if they pay the ransom or not. This is so because the malware can only delete; it cannot decrypt data.
Xbash begins its malicious action by discovering vulnerabilities that are unpatched in a system. If a device’s password is weak, it can easily be scanned by some ports and protocols. Such devices are susceptible to Xbash attacks.
However, for random IP addresses, Xbash does not bother itself searching for weaknesses. It mainly targets public websites and looks for IP addresses supplied by its server. The cleverness of Xbash is so serious that it can look for servers that are vulnerable in an enterprise’s intranet.
Generally, the extent of damage by Xbash depends on the functionality of the network and/or platform of attack. And because of its very damaging capacity, researchers have alerted everyone to the huge damage it can do to a Linux server. It deletes all previous database and replaces all with an annoying “Please_read_me_ZYX.”
Once the new database is opened, a note would be found in it demanding a ransom of 0.02 Bitcoin before the deleted database can be recovered. It even comes with a threat that if the ransom is not quickly paid, the information would soon be available on the internet for all to see. But in the researchers’ opinion, they said:
We see no evidence that the attackers are actually making good on their promise and helping the victims restore their deleted databases. In fact, contrary to the ransom note, we found no evidence of code in Xbash that backs up the deleted databases at all.