New Xbash malware is a ransomware and cryptocurrency mining double-threat

Xbash deletes databases on Linux and mines cryptocurrency coins on Windows

hacking and ransomware

A new strain of composite malware has been discovered that is capable of delivering a ransomware payload and cryptocurrency mining exploits, against both Linux and Microsoft Windows servers.

Dubbed Xbash by security experts at Palo Alto Networks' Unit 42, the malware is believed to be tied to Chinese threat actors Iron Group. The collective has previously been connected to a number of ransomware attacks, sometimes under the name Roche'.

Advertisement - Article continues below

According to Unit 42, the malware also has self-propagating capabilities and worm-like characteristics, similar to the WannaCry strain that wreaked havoc on NHS systems in the summer of 2017. Essentially, the strain is being treated as an amalgamation of different malware types, capable of throwing a number of threats at a target at once.

The malware is capable of adapting the style of attack it uses depending on whether Linux or Windows is being targeted. On the former, Xbash will focus on destroying data and launching ransomware, whereas on the latter the malware will execute a cryptocurrency coinminer.

Xbash, which was built using Python, infects systems by targeting weak passwords and specific vulnerabilities, then at least on Linux deletes databases including MySQL, PostgreSQL and MongoDB. It displays a ransom note, although the researchers say the malware does not seem to contain functionality to recover deleted databases.

Advertisement
Advertisement - Article continues below

"We have discovered four different versions of Xbash so far," Unit 42 wrote. "Code and timestamp differences among these versions show that it's still under active development."

Advertisement - Article continues below

The researchers have observed 48 incoming transactions to the Bitcoin wallet used by the malware, amounting to 0.964 bitcoins. At the time of writing, that equates to around 4,700.

The malware is notable for combining botnet, ransomware and coinmining capabilities as well as its ability to discern operating system.

More technical details can be found on Unit 42's blog, which advises organisations to protect themselves by using strong passwords, keeping on top of security updates and implementing endpoint security on Microsoft Windows and Linux systems.

Featured Resources

Staying ahead of the game in the world of data

Create successful marketing campaigns by understanding your customers better

Download now

Remote working 2020: Advantages and challenges

Discover how to overcome remote working challenges

Download now

Keep your data available with snapshot technology

Synology’s solution to your data protection problem

Download now

After the lockdown - reinventing the way your business works

Your guide to ensuring business continuity, no matter the crisis

Download now
Advertisement

Recommended

Malware attacks using machine identities doubled in 2019
cyber security

Malware attacks using machine identities doubled in 2019

4 Aug 2020
Over two dozen Android apps found stealing user data
Google Android

Over two dozen Android apps found stealing user data

7 Jul 2020
Best antivirus for Windows 10
antivirus

Best antivirus for Windows 10

30 Jun 2020
Searching for a new job? That LinkedIn job offer may be fake
hacking

Searching for a new job? That LinkedIn job offer may be fake

19 Jun 2020

Most Popular

How to find RAM speed, size and type
Laptops

How to find RAM speed, size and type

3 Aug 2020
How to use Chromecast without Wi-Fi
Mobile

How to use Chromecast without Wi-Fi

4 Aug 2020
How do you build a great customer experience?
Sponsored

How do you build a great customer experience?

20 Jul 2020