have discovered a new malware strain that infects Linux and Windows Servers. The way it works is as following:
Botnet module: This is the main way the malware infects new systems. It searches the web for unpatched security holes that it can exploit and use to get on the server. The module can take over Hadoop, Redis, and Active MQ servers.
On top of that it will also look for options to brute-force into services like web servers (HTTP), VNC, MariaDB, MySQL, PostgreSQL, Redis, MongoDB, Oracle DB, CouchDB, ElasticSearch, Memcached, FTP, Telnet, RDP, UPnP/SSDP, NTP, DNS, SNMP, LDAP, Rexec, Rlogin, Rsh, and Rsync.
Worm: This is a module that comes to play on successfully infected Windows servers. It sports a LanScan function that generates a list of IP addresses that are on the same network and then tests if the same ports are open. According to the researchers it is not active yet.
Ransomware: This module will deploy itself on Linux servers. It will look for databases, delete them and then leave a ransom note that informs it victims that they have to pay around 120€ in order for them to get their data back – a claim that according to the researchers is not true: “We see no evidence that the attackers are actually making good on their promise and helping the victims restore their deleted databases. In fact, contrary to the ransom note, we found no evidence of code in Xbash that backs up the deleted databases at all.”
Cryptominer: This module will deploy itself on Windows servers. As with most coin miners it will start mining for cryptocurrency.
As of now the malware seems not to be quite finished yet. The worm module needs to be activated and the Cyptominer and ransomware module could be deployed on the opposite system respectively.