IT Pro is supported by its audience. When you purchase through links on our site, we may earn an affiliate commission. Learn more

New Xbash malware is a ransomware and cryptocurrency mining double-threat

Xbash deletes databases on Linux and mines cryptocurrency coins on Windows

Red padlock representing a security hack

A new strain of composite malware has been discovered that is capable of delivering a ransomware payload and cryptocurrency mining exploits, against both Linux and Microsoft Windows servers.

Dubbed Xbash by security experts at Palo Alto Networks' Unit 42, the malware is believed to be tied to Chinese threat actors Iron Group. The collective has previously been connected to a number of ransomware attacks, sometimes under the name Roche'.

According to Unit 42, the malware also has self-propagating capabilities and worm-like characteristics, similar to the WannaCry strain that wreaked havoc on NHS systems in the summer of 2017. Essentially, the strain is being treated as an amalgamation of different malware types, capable of throwing a number of threats at a target at once.

The malware is capable of adapting the style of attack it uses depending on whether Linux or Windows is being targeted. On the former, Xbash will focus on destroying data and launching ransomware, whereas on the latter the malware will execute a cryptocurrency coinminer.

Xbash, which was built using Python, infects systems by targeting weak passwords and specific vulnerabilities, then at least on Linux deletes databases including MySQL, PostgreSQL and MongoDB. It displays a ransom note, although the researchers say the malware does not seem to contain functionality to recover deleted databases.

"We have discovered four different versions of Xbash so far," Unit 42 wrote. "Code and timestamp differences among these versions show that it's still under active development."

The researchers have observed 48 incoming transactions to the Bitcoin wallet used by the malware, amounting to 0.964 bitcoins. At the time of writing, that equates to around 4,700.

The malware is notable for combining botnet, ransomware and coinmining capabilities as well as its ability to discern operating system.

More technical details can be found on Unit 42's blog, which advises organisations to protect themselves by using strong passwords, keeping on top of security updates and implementing endpoint security on Microsoft Windows and Linux systems.

Featured Resources

The Total Economic Impact™ Of Turbonomic Application Resource Management for IBM Cloud® Paks

Business benefits and cost savings enabled by IBM Turbonomic Application Resource Management

Free Download

The Total Economic Impact™ of IBM Watson Assistant

Cost savings and business benefits enabled by Watson Assistant

Free Download

The field guide to application modernisation

Moving forward with your enterprise application portfolio

Free Download

AI for customer service

Discover the industry-leading AI platform that customers and employees want to use

Free Download

Recommended

Hackers could use new Wslink malware in highly targeted cyber attacks
malware

Hackers could use new Wslink malware in highly targeted cyber attacks

1 Nov 2021
FBI raids Chinese POS business following cyber attack claims
malware

FBI raids Chinese POS business following cyber attack claims

27 Oct 2021
Malware developers create malformed code signatures to avoid detection
malware

Malware developers create malformed code signatures to avoid detection

24 Sep 2021

Most Popular

Why convenience is the biggest threat to your security
Sponsored

Why convenience is the biggest threat to your security

8 Aug 2022
How to boot Windows 11 in Safe Mode
Microsoft Windows

How to boot Windows 11 in Safe Mode

29 Jul 2022
The benefits of a hardware update for SMBs
Sponsored

The benefits of a hardware update for SMBs

2 Aug 2022