
Xbash

Xbash is a multi-purpose cyber-threat whose authors have implemented a long list of features and attack modules in the Python programming language. The versions of Xbash detected so far can wipe databases, deploy cryptocurrency miners, and enlist compromised machines into a botnet. Xbash also includes modules that let it spread like a worm, a technique that could expand the attackers' reach significantly. Security researchers also found an inactive module whose purpose is to infect other computers and servers on the same network as the initially compromised device. These capabilities, together with Xbash's ability to run against both Linux and Windows servers, are cause for concern, and Xbash could quickly become one of the more prominent cyber-threats of 2018.

Xbash scans for the following services:

HTTP, VNC, MySQL, Memcached, MariaDB, FTP, Telnet, PostgreSQL, Redis, ElasticSearch, MongoDB, RDP, UPnP, SSDP, NTP, DNS, SNMP, LDAP, REXEC, Rlogin, Rsh, Rsync, Oracle database, CouchDB

It also scans for the following ports, which may correspond to the software and services listed above:

80, 8080, 8888, 8000, 8001, 8088, 5900, 5901, 5902, 5903, 3306, 11211, 3309, 3308, 3360, 3307, 9806, 1433, 21, 23, 2323, 5432, 6379, 2379, 9200, 27017, 3389, 1900, 123, 53, 161, 389, 512, 513, 514, 873, 1521, 5984
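A scanner that walks this port list leaves a recognisable footprint in perimeter firewall logs: one source touching many of these ports in a short span. The following is an added example, not code from Xbash or from the original post. It parses iptables-style kernel log lines (the exact line format is an assumption, and the sample log is constructed) and reports every source address that hits a threshold of distinct Xbash-targeted ports inside a sliding time window, so a single legitimate client on port 80 is not flagged but a burst across database and remote-access ports is.

```python
"""Flag sources that probe the ports Xbash scans for.

Added illustration, not Xbash code and not from the original post. Reads
iptables LOG-target lines (format assumed; sample constructed below) and
reports sources that reach a threshold of distinct Xbash-targeted ports
within a sliding time window.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Ports from the write-up's scan list, deduplicated.
XBASH_PORTS = frozenset({
    80, 8080, 8888, 8000, 8001, 8088, 5900, 5901, 5902, 5903, 3306, 11211,
    3309, 3308, 3360, 3307, 9806, 1433, 21, 23, 2323, 5432, 6379, 2379,
    9200, 27017, 3389, 1900, 123, 53, 161, 389, 512, 513, 514, 873, 1521, 5984,
})

# "<ISO timestamp> <host> kernel: ... SRC=a.b.c.d ... DPT=nnn" (assumed layout)
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})\S*\s.*?"
    r"\bSRC=(?P<src>\d+\.\d+\.\d+\.\d+)\b.*?\bDPT=(?P<dpt>\d+)\b"
)


def parse_line(line):
    """Return (timestamp, source address, destination port) or None."""
    m = LOG_RE.search(line)
    if m is None:
        return None
    ts = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%S")
    return ts, m.group("src"), int(m.group("dpt"))


def find_scanners(lines, min_ports=5, window_minutes=10):
    """Return {source: sorted Xbash ports it touched} for every source that hit
    at least min_ports distinct Xbash-targeted ports within any window of
    window_minutes. Hits on ports outside XBASH_PORTS are ignored."""
    window = timedelta(minutes=window_minutes)
    hits = defaultdict(list)  # source -> [(timestamp, port), ...]
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, src, dport = parsed
        if dport in XBASH_PORTS:
            hits[src].append((ts, dport))

    scanners = {}
    for src, events in hits.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Advance the window start until events[start..end] fit in the window.
            while events[end][0] - events[start][0] > window:
                start += 1
            if len({p for _, p in events[start:end + 1]}) >= min_ports:
                scanners[src] = sorted({p for _, p in events})
                break
    return scanners


# Constructed sample: a fast scanner (203.0.113.7), a normal web client
# (198.51.100.20), and a slow host (192.0.2.9) that touches five ports
# spread over four hours, which the default 10-minute window ignores.
SAMPLE_LOG = """\
2018-09-17T10:00:01+00:00 db1 kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.5 PROTO=TCP SPT=41234 DPT=6379
2018-09-17T10:00:02+00:00 db1 kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.5 PROTO=TCP SPT=41235 DPT=27017
2018-09-17T10:00:03+00:00 db1 kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.5 PROTO=TCP SPT=41236 DPT=3306
2018-09-17T10:00:04+00:00 db1 kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.5 PROTO=TCP SPT=41237 DPT=5432
2018-09-17T10:00:05+00:00 db1 kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.5 PROTO=TCP SPT=41238 DPT=11211
2018-09-17T10:00:06+00:00 db1 kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.5 PROTO=TCP SPT=41239 DPT=2323
2018-09-17T10:00:07+00:00 db1 kernel: IN=eth0 OUT= SRC=198.51.100.20 DST=198.51.100.5 PROTO=TCP SPT=50000 DPT=443
2018-09-17T10:00:08+00:00 db1 kernel: IN=eth0 OUT= SRC=198.51.100.20 DST=198.51.100.5 PROTO=TCP SPT=50001 DPT=80
2018-09-17T11:30:00+00:00 db1 kernel: IN=eth0 OUT= SRC=192.0.2.9 DST=198.51.100.5 PROTO=TCP SPT=3000 DPT=80
2018-09-17T12:30:00+00:00 db1 kernel: IN=eth0 OUT= SRC=192.0.2.9 DST=198.51.100.5 PROTO=TCP SPT=3001 DPT=8080
2018-09-17T13:30:00+00:00 db1 kernel: IN=eth0 OUT= SRC=192.0.2.9 DST=198.51.100.5 PROTO=TCP SPT=3002 DPT=21
2018-09-17T14:30:00+00:00 db1 kernel: IN=eth0 OUT= SRC=192.0.2.9 DST=198.51.100.5 PROTO=TCP SPT=3003 DPT=23
2018-09-17T15:30:00+00:00 db1 kernel: IN=eth0 OUT= SRC=192.0.2.9 DST=198.51.100.5 PROTO=TCP SPT=3004 DPT=53
"""

if __name__ == "__main__":
    for src, ports in find_scanners(SAMPLE_LOG.splitlines()).items():
        print(f"{src} probed Xbash-targeted ports {ports}")
```

The window matters: widening it to ten hours (`window_minutes=600`) also flags the slow host, so tune `min_ports` and `window_minutes` against your own baseline before alerting on it.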

This Destructive Ransomware Will Wipe Databases Permanently

The ransomware module of Xbash only works on Linux servers. Ransomware usually encrypts data so that recovery remains possible once the ransom is paid. Xbash is different: it wipes the database outright, so recovery is impossible unless a backup exists. The database servers it targets are MongoDB, PostgreSQL and MySQL. After deleting the databases, Xbash creates a new database named 'PLEASE_READ_ME_XYZ' and adds a table named 'WARNING' to it. The table contains the following ransom message:

Send 0.02 BTC to this address and contact this email with your website or your ip or db_name of your server to recover your database! Your DB is Backed up to our servers!If we not received your payment,we will leak your database

1jqpmcLygJdH8fN7BCk2cwwNBRWqMZqL1

[email protected]

The cybercriminals behind Xbash use at least three different Bitcoin wallet addresses to collect ransom payments. At the time of writing, the attackers had collected 48 payments totaling 0.964 BTC (about $6,400). Victims who pay get nothing in return: despite the note's claim that the data was backed up to the attackers' servers, the databases were deleted rather than copied, so there is nothing for the attackers to restore.
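The artifacts described above (the PLEASE_READ_ME_XYZ database, the WARNING table, the ransom text) are also what an incident responder would look for in database logs to establish when the wipe happened and which connection performed it. The following is an added example, not code from Xbash or from the original post. It groups MySQL general query log entries by connection id and reports sessions that drop databases and/or leave those artifacts. The tab-separated MySQL 5.7+ general log layout is assumed, the sample log is constructed, and the columns of the WARNING table are an assumption since the write-up does not give its schema.

```python
"""Hunt a MySQL general query log for the Xbash wipe-and-ransom sequence.

Added example, not Xbash code and not from the original post. Log layout is
the MySQL 5.7+ general log ("<time>\\t<id> <Command>\\t<Argument>"); the
sample below is constructed and the WARNING table schema is assumed.
"""
import re
from collections import defaultdict

RANSOM_DB = "PLEASE_READ_ME_XYZ"
RANSOM_TABLE = "WARNING"
# Strings taken from the ransom note quoted in the write-up.
RANSOM_STRINGS = ("Send 0.02 BTC", "1jqpmcLygJdH8fN7BCk2cwwNBRWqMZqL1")

LINE_RE = re.compile(r"^(?P<ts>\S+)\t\s*(?P<id>\d+) (?P<cmd>\w+)\t?(?P<arg>.*)$")
DROP_RE = re.compile(r"^\s*DROP\s+(?:DATABASE|SCHEMA)\s+(?:IF\s+EXISTS\s+)?`?(\w+)`?", re.I)
CREATE_DB_RE = re.compile(r"^\s*CREATE\s+(?:DATABASE|SCHEMA)\s+(?:IF\s+NOT\s+EXISTS\s+)?`?(\w+)`?", re.I)
# Optional "db." qualifier, then the table name.
CREATE_TBL_RE = re.compile(r"^\s*CREATE\s+TABLE\s+(?:IF\s+NOT\s+EXISTS\s+)?`?(?:(\w+)`?\.`?)?(\w+)`?", re.I)


def hunt(lines):
    """Return one finding per suspicious connection: its id, the account that
    opened it, the databases it dropped and the ransom artifacts it created.
    A session is reported if it left any ransom artifact, or dropped two or
    more databases even without one (a wipe that did not finish)."""
    sessions = defaultdict(lambda: {"user": None, "dropped": [], "indicators": []})
    for line in lines:
        m = LINE_RE.match(line)
        if m is None:
            continue  # header line or continuation of a multi-line statement
        s = sessions[int(m.group("id"))]
        cmd, arg = m.group("cmd"), m.group("arg")
        if cmd == "Connect":
            s["user"] = arg.split(" on ")[0]  # "user@host on db using ..."
        elif cmd == "Query":
            drop = DROP_RE.match(arg)
            create_db = CREATE_DB_RE.match(arg)
            create_tbl = CREATE_TBL_RE.match(arg)
            if drop:
                s["dropped"].append(drop.group(1))
            elif create_db and create_db.group(1).upper() == RANSOM_DB:
                s["indicators"].append(f"created database {RANSOM_DB}")
            elif create_tbl and create_tbl.group(2).upper() == RANSOM_TABLE:
                s["indicators"].append(f"created table {RANSOM_TABLE}")
            for needle in RANSOM_STRINGS:
                if needle in arg:
                    s["indicators"].append(f"ransom text: {needle}")

    findings = []
    for sid, s in sorted(sessions.items()):
        if s["indicators"] or len(s["dropped"]) >= 2:
            findings.append({"session": sid, **s})
    return findings


# Constructed sample: session 57 performs the wipe and plants the ransom
# table; 58 is ordinary application traffic; 59 is a DBA dropping one old
# database, which on its own should not be reported.
SAMPLE_LOG = (
    "Time\t   Id Command\tArgument\n"
    "2018-09-17T10:05:00.000000Z\t   57 Connect\troot@203.0.113.7 on  using TCP/IP\n"
    "2018-09-17T10:05:00.100000Z\t   57 Query\tSHOW DATABASES\n"
    "2018-09-17T10:05:00.200000Z\t   57 Query\tDROP DATABASE `shop`\n"
    "2018-09-17T10:05:00.300000Z\t   57 Query\tDROP DATABASE `crm`\n"
    "2018-09-17T10:05:00.400000Z\t   57 Query\tCREATE DATABASE PLEASE_READ_ME_XYZ\n"
    "2018-09-17T10:05:00.500000Z\t   57 Query\tCREATE TABLE PLEASE_READ_ME_XYZ.WARNING (id INT, warning TEXT, btc_wallet TEXT)\n"
    "2018-09-17T10:05:00.600000Z\t   57 Query\tINSERT INTO PLEASE_READ_ME_XYZ.WARNING VALUES (1, 'Send 0.02 BTC to this address and contact this email ...', '1jqpmcLygJdH8fN7BCk2cwwNBRWqMZqL1')\n"
    "2018-09-17T10:05:00.700000Z\t   57 Quit\t\n"
    "2018-09-17T10:06:00.000000Z\t   58 Connect\tapp@localhost on shop using Socket\n"
    "2018-09-17T10:06:00.100000Z\t   58 Query\tSELECT id FROM orders LIMIT 1\n"
    "2018-09-17T10:07:00.000000Z\t   59 Connect\tdba@localhost on  using Socket\n"
    "2018-09-17T10:07:00.100000Z\t   59 Query\tDROP DATABASE IF EXISTS staging_old\n"
)

if __name__ == "__main__":
    for f in hunt(SAMPLE_LOG.splitlines()):
        print(f"session {f['session']} ({f['user']}): dropped {f['dropped']}; {f['indicators']}")
```

The general log is off by default and is expensive on a busy server; turn it on with `SET GLOBAL general_log = 'ON'` only while hunting, or run the same logic against whatever query audit log you already collect. The connecting account and source host in the Connect line tell you which credentials the attacker used and therefore which ones to rotate.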

Other Modules and Worm-Like Behavior

Xbash can detect, disable, and delete other coin miners found on the compromised computer. Once that is done, it downloads its own coin-mining software and makes the changes needed to give it persistence. The group behind Xbash has previously been linked to Monero miners, and it is likely that they are running the same scheme here.

One of the more threatening pieces of code that security researchers noticed lives in a class named 'LanScan.' This code is currently unused, but it would give Xbash the ability to scan the local intranet and collect the IP addresses of computers that share the infected machine's network. In short, the attackers could harvest every IP address used on the internal network, then point Xbash at them to look for vulnerable software and services and repeat the infection process from the inside.

Protecting servers and computers from Xbash takes several steps. The first and most important is to keep all Web services and software updated to their latest versions, so that previously known vulnerabilities are fixed. Because Xbash scans for the database and remote-access services listed above, those services should not be reachable from the Internet unless there is a specific need for it, and they should require strong credentials. Because the ransomware module deletes data rather than encrypting it, regular backups stored where a compromised server cannot reach them are the only way to recover. In addition, up-to-date and reputable anti-malware software can help identify and terminate threatening files and connections.
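A quick way to act on the advice above is to check which of the ports Xbash scans for are actually listening on a host, and whether they are bound to a wildcard or public address rather than loopback. The following is an added example, not code from the original post. It parses the output of `ss -H -l -n -t` (a header-less listing of listening TCP sockets) and reports each Xbash-targeted port with its bind address and an exposure verdict; the sample `ss` output is constructed, and the port-to-service mapping follows the write-up's service list where the correspondence is the conventional one (four ports in the list are left unmapped because the write-up does not tie them to a named service).

```python
"""Audit listening TCP sockets against the Xbash port list.

Added example, not from the original post. Parses `ss -H -l -n -t` output
(sample below is constructed) and reports Xbash-targeted ports that are
reachable from other hosts, i.e. not bound to a loopback address.
"""
import subprocess

# Conventional service for each port in the write-up's scan list.
SERVICE_BY_PORT = {
    80: "HTTP", 8080: "HTTP", 8888: "HTTP", 8000: "HTTP", 8001: "HTTP", 8088: "HTTP",
    5900: "VNC", 5901: "VNC", 5902: "VNC", 5903: "VNC",
    3306: "MySQL/MariaDB", 3307: "MySQL/MariaDB", 3308: "MySQL/MariaDB", 3309: "MySQL/MariaDB",
    11211: "Memcached", 21: "FTP", 23: "Telnet", 2323: "Telnet",
    5432: "PostgreSQL", 6379: "Redis", 9200: "Elasticsearch", 27017: "MongoDB",
    3389: "RDP", 1900: "UPnP/SSDP", 123: "NTP", 53: "DNS", 161: "SNMP", 389: "LDAP",
    512: "rexec", 513: "rlogin", 514: "rsh", 873: "rsync", 1521: "Oracle", 5984: "CouchDB",
}
# Also in the scan list, but the write-up names no service for them
# (1433 is conventionally MSSQL, which its service list does not mention).
UNMAPPED_PORTS = {3360, 9806, 1433, 2379}
XBASH_PORTS = frozenset(SERVICE_BY_PORT) | UNMAPPED_PORTS


def split_local(local):
    """'0.0.0.0:3306' -> ('0.0.0.0', 3306); '[::]:27017' -> ('[::]', 27017)."""
    host, _, port = local.rpartition(":")
    return host, int(port)


def is_loopback(host):
    """True for 127.x.x.x, ::1 and their IPv4-mapped IPv6 forms."""
    h = host.strip("[]")
    if h.startswith("::ffff:"):
        h = h[len("::ffff:"):]
    return h.startswith("127.") or h == "::1"


def audit(ss_output):
    """Return a list of {port, bind, service, exposed} for every LISTEN socket
    on an Xbash-targeted port, sorted by port. Wildcard binds ('*', 0.0.0.0,
    [::]) and specific non-loopback addresses count as exposed."""
    findings = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        host, port = split_local(fields[3])
        if port not in XBASH_PORTS:
            continue
        findings.append({
            "port": port,
            "bind": host,
            "service": SERVICE_BY_PORT.get(port, "unmapped"),
            "exposed": not is_loopback(host),
        })
    return sorted(findings, key=lambda f: f["port"])


# Constructed sample output of `ss -H -l -n -t`.
SAMPLE_SS = """\
LISTEN 0      128          0.0.0.0:22          0.0.0.0:*
LISTEN 0      80           0.0.0.0:3306        0.0.0.0:*
LISTEN 0      511        127.0.0.1:6379        0.0.0.0:*
LISTEN 0      4096            [::]:27017           [::]:*
LISTEN 0      128                *:8080               *:*
LISTEN 0      4096  [::ffff:127.0.0.1]:5432          *:*
LISTEN 0      128         10.0.0.5:9806        0.0.0.0:*
"""


def live_ss_output():
    """Run ss on this host; fall back to the sample if ss is unavailable."""
    try:
        return subprocess.run(["ss", "-H", "-l", "-n", "-t"],
                              capture_output=True, text=True, check=True).stdout
    except (FileNotFoundError, subprocess.CalledProcessError):
        return SAMPLE_SS


if __name__ == "__main__":
    for f in audit(live_ss_output()):
        verdict = "EXPOSED" if f["exposed"] else "loopback only"
        print(f"{f['port']:>6} {f['service']:<14} bound to {f['bind']:<20} {verdict}")
```

Anything reported as exposed should either be moved behind a firewall rule or a loopback/private bind, or justified with strong authentication and a patched, current version of the service.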



This post first appeared on SpywareRemove, please read the original post: here
