Skip to Main Content

XBash – the all-in-one botnet

Ransomware, cryptominer, botnet, and worm – there is a new malware that basically can do it all. The app called XBash provides everything a criminal inclined person could ever want in one neat little package. Best of all: It’s also a multisystem malware and should attack Windows and Linux servers alike.

Security researchers from Palo Alto Networks have discovered a new malware strain that infects Linux and Windows Servers. The way it works is as following:

Infection Modules

Botnet module: This is the main way the malware infects new systems. It searches the web for unpatched security holes that it can exploit and use to get on the server. The module can take over Hadoop, Redis, and Active MQ servers.

On top of that it will also look for options to brute-force into services like web servers (HTTP), VNC, MariaDB, MySQL, PostgreSQL, Redis, MongoDB, Oracle DB, CouchDB, ElasticSearch, Memcached, FTP, Telnet, RDP, UPnP/SSDP, NTP, DNS, SNMP, LDAP, Rexec, Rlogin, Rsh, and Rsync.

Worm: This is a module that comes to play on successfully infected Windows servers. It sports a LanScan function that generates a list of IP addresses that are on the same network and then tests if the same ports are open. According to the researchers it is not active yet.

Money making modules

Ransomware: This module will deploy itself on Linux servers. It will look for databases, delete them and then leave a ransom note that informs it victims that they have to pay around 120€ in order for them to get their data back – a claim that according to the researchers is not true: “We see no evidence that the attackers are actually making good on their promise and helping the victims restore their deleted databases. In fact, contrary to the ransom note, we found no evidence of code in Xbash that backs up the deleted databases at all.”

Source: Palo Alto Networks

Cryptominer: This module will deploy itself on Windows servers. As with most coin miners it will start mining for cryptocurrency.

Work in progress

As of now the malware seems not to be quite finished yet. The worm module needs to be activated and the Cyptominer and ransomware module could be deployed on the opposite system respectively.

PR & Social Media Manager @ Avira |Gamer. Geek. Tech addict.