
Xbash

Posted: September 19, 2018

Xbash is a cross-platform threat that combines features of a worm, a file-locker Trojan, a wiper, a backdoor Trojan, and a cryptocurrency miner. It runs on Linux, Mac's OS X, and Windows, and launches different payloads depending on the environment. Admins should patch any patchable software vulnerabilities, avoid easily-guessed login credentials, and have dedicated anti-malware protection for blocking or removing Xbash before it can damage the contents of their servers.

The Trojan that's Everything to Everyone

A highly unusual case of a threat that deploys different payloads on no fewer than three operating systems is starting to come under serious analysis by the cyber-security industry. Xbash, a product of the ransomware-experienced Iron Group of threat actors, conducts attacks that may mine Bitcoins, extort money, or cause other damage, depending on the environment that it compromises. Although only the Windows and Linux payloads are available for examination, malware experts confirm that Xbash also infects Mac-based operating systems.

Xbash's Bitcoin-mining feature launches on Windows-based OSes and hijacks the server's hardware using a malicious module that a script downloads. On Linux, by contrast, Xbash behaves differently: it deletes almost every database available (except for a minimal set that stores login data). Xbash then creates a new database that displays its ransom message, claiming that the threat actors have taken a copy of the server's contents and will either restore it after payment or leak it to the public.

Significantly, although malware experts see in-depth networking and C&C support in Xbash, the threat performs no such backup. Unlike a file-locking Trojan or other ransomware, Xbash erases the data permanently, and paying the ransom can't restore it. Additional networking features, particularly in a so-called 'LanScan' section, also imply that Xbash may be intended to compromise more servers via any available IP addresses or domains, although LanScan is inert in the current build of the program.

Stopping Your Server from Being the Next to Get Bashed

Not all victims are aware of the futility of paying Xbash's ransom; the associated payment accounts have already collected thousands of dollars. Further development of Xbash also seems likely. Currently, the threat exists in at least four variants, all of which emphasize compromising the intranet systems within business networks. Since Xbash truly deletes the files that it claims to be holding hostage, instead of encrypting them, backups are the only way to restore lost data after an infection.

The Xbash campaign uses both software vulnerabilities and brute-forcing of logins to infect PCs, including taking advantage of specific open ports. Admins should close vulnerable ports that aren't in use, install security patches regularly, and avoid default or low-sophistication passwords that could be part of Xbash's brute-force list. Worm-like self-cloning is also a possibility for systems with ActiveMQ, Redis or Hadoop libraries. Because of this threat's multiple code-obfuscation defenses, malware analysts highly recommend that users update their anti-malware programs' databases for detecting and deleting Xbash as accurately as possible.
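Two of the checks an admin would run on a server in light of the paragraph above, as an added example that is not part of the original article: an audit of TCP listeners bound to every interface that are not on an allowlist (with hints for the default ports of Redis, ActiveMQ and Hadoop, which are standard values rather than anything the article reports), and a count of failed password logins per source that also notes when a later successful login from the same source followed, the pattern a guessed weak credential leaves behind. The `ss -ltnH` output and the sshd log lines are constructed samples, not real Xbash indicators, and the threshold of five failures is an assumption.

```python
"""Added example: defensive checks for exposed services and brute-forced logins.
All sample inputs below are constructed for illustration."""
import re
from collections import Counter

# Default ports of services the article names as worm-spreading candidates.
# Standard defaults (assumed), not values taken from the article.
SERVICE_HINTS = {
    6379: "Redis",
    8161: "ActiveMQ web console",
    61616: "ActiveMQ OpenWire",
    8088: "Hadoop YARN ResourceManager",
    50070: "Hadoop HDFS NameNode (older releases)",
}

# Constructed output in the shape of `ss -ltnH` (TCP listeners, no header).
SAMPLE_SS_OUTPUT = """\
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 511 0.0.0.0:6379 0.0.0.0:*
LISTEN 0 128 127.0.0.1:3306 0.0.0.0:*
LISTEN 0 50 *:8088 *:*
LISTEN 0 128 [::]:22 [::]:*
"""

# Constructed sshd lines in syslog format (hostname omitted for brevity).
SAMPLE_AUTH_LOG = """\
Sep 19 10:00:01 sshd[4012]: Failed password for root from 203.0.113.7 port 51522 ssh2
Sep 19 10:00:02 sshd[4013]: Failed password for invalid user admin from 203.0.113.7 port 51523 ssh2
Sep 19 10:00:03 sshd[4014]: Failed password for root from 203.0.113.7 port 51524 ssh2
Sep 19 10:00:04 sshd[4015]: Failed password for root from 203.0.113.7 port 51525 ssh2
Sep 19 10:00:05 sshd[4016]: Failed password for root from 203.0.113.7 port 51526 ssh2
Sep 19 10:00:06 sshd[4017]: Accepted password for root from 203.0.113.7 port 51527 ssh2
Sep 19 10:30:00 sshd[4101]: Failed password for alice from 198.51.100.4 port 40210 ssh2
"""

FAILED_RE = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\S+) port")
ACCEPTED_RE = re.compile(r"Accepted password for (\S+) from (\S+) port")


def parse_listeners(ss_output):
    """Return (bind_address, port) tuples from `ss -ltnH`-style lines."""
    listeners = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue
        # Local address is the 4th column; split on the last colon so that
        # IPv6 forms such as "[::]:22" keep their address intact.
        addr, _, port = fields[3].rpartition(":")
        listeners.append((addr, int(port)))
    return listeners


def exposed_ports(ss_output, allowlist):
    """Ports bound to every interface that the admin has not explicitly allowed.

    Loopback-only listeners are ignored; wildcard binds ("0.0.0.0", "*",
    "[::]") are what a scanner on the intranet or internet can reach."""
    wildcard = {"0.0.0.0", "*", "[::]", "::"}
    findings = {}
    for addr, port in parse_listeners(ss_output):
        if addr in wildcard and port not in allowlist:
            findings[port] = SERVICE_HINTS.get(port, "unknown service")
    return findings


def brute_force_sources(auth_log, threshold=5):
    """Sources with at least `threshold` failed password logins, plus the
    account name if a later successful password login from that source
    followed (which usually means a weak credential was guessed)."""
    failures = Counter()
    succeeded_as = {}
    for line in auth_log.splitlines():
        m = FAILED_RE.search(line)
        if m:
            failures[m.group(2)] += 1
            continue
        m = ACCEPTED_RE.search(line)
        if m and failures[m.group(2)] >= threshold:
            succeeded_as[m.group(2)] = m.group(1)
    return {src: {"failures": n, "then_succeeded_as": succeeded_as.get(src)}
            for src, n in failures.items() if n >= threshold}


if __name__ == "__main__":
    # Only SSH is meant to be reachable on this host (assumed allowlist).
    for port, hint in sorted(exposed_ports(SAMPLE_SS_OUTPUT, {22}).items()):
        print(f"exposed on all interfaces: {port} ({hint})")
    for src, info in brute_force_sources(SAMPLE_AUTH_LOG).items():
        print(f"brute-force source {src}: {info}")
```

On a live host, replace the constructed strings with the output of `ss -ltnH` and the sshd entries from the auth log; anything the first check reports that is not deliberately public is a candidate for a firewall rule or a loopback-only bind, and a source that the second check marks as having succeeded after a burst of failures is a credential to rotate.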

Occasional file-locker Trojans that also mine Bitcoins, or cryptocurrency miners with ransom-based behavior, aren't unfamiliar to malware researchers. However, even by the standards of the Black Hat software industry, Xbash is a multi-edged threat with an impressive breadth of features for making money off unsecured servers.
