Researchers discovered a new malware family, named Xbash, that targets servers across multiple platforms; four different versions have been seen in the wild, actively seeking unprotected services, exploiting vulnerabilities, and deleting databases on Linux and Microsoft systems. Xbash evades detection, scans targets by IP address and domain name, performs brute forcing, and combines ransomware, cryptocurrency coinmining, worm, and scanner capabilities.

Xbash specifically targets Linux servers for ransomware and botnet installations, and Windows servers for coinminer installs and propagation. Developed in Python, it is packaged with the legitimate tool PyInstaller for distribution as Linux ELF executables, and it uses Redis services to determine whether the system it has reached is running Windows. Once it confirms that it is running on a Windows server, a hijacked JavaScript or VBScript payload downloads and executes a coinminer.

Based on the active C&C traffic, it scans and probes for open TCP or UDP ports belonging to services such as HTTP, VNC, MySQL/MariaDB, Telnet, FTP, MongoDB, RDP, ElasticSearch, Oracle Database, CouchDB, Rlogin and PostgreSQL. The C&C directs scans of specific destinations for known vulnerabilities in Hadoop, Redis and ActiveMQ (CVE-2016-3088) for self-propagation. Hadoop's unauthenticated command execution flaw, discovered in October 2016, and the Redis arbitrary and remote command execution vulnerability, disclosed in October 2015, have yet to be assigned CVE numbers. Unlike recent variants of Mirai and Gafgyt, which target vulnerable Linux systems via randomly generated IP addresses, Xbash also scans and trawls through domain names. It also has obfuscation capabilities intended to bypass static analysis and avoid detection.

Reverse analysis found an estimated $6,000 worth of Bitcoin transferred from approximately 48 victims to the C&C IP address, though evidence of data recovery has yet to be seen.
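As an added example that is not part of the original write-up, the following Python snippet reads iptables-style firewall log lines and flags any source that probes several of the services listed above, which is the kind of wide port sweep described here. The log format, the port-to-service mapping (vendor default ports) and the threshold are assumptions for illustration.

```python
import re
from collections import defaultdict

# Vendor default ports for the services the write-up names (assumption:
# a deployment may listen elsewhere; extend the map for your environment).
XBASH_PORTS = {
    80: "HTTP", 5900: "VNC", 3306: "MySQL/MariaDB", 23: "Telnet", 21: "FTP",
    27017: "MongoDB", 3389: "RDP", 9200: "ElasticSearch", 1521: "Oracle Database",
    5984: "CouchDB", 513: "Rlogin", 5432: "PostgreSQL", 6379: "Redis",
}

# iptables-style fields SRC=, PROTO= and DPT= (constructed log format).
LINE_RE = re.compile(r"SRC=(?P<src>[\d.]+)\b.*?PROTO=(?:TCP|UDP)\b.*?DPT=(?P<dpt>\d+)\b")

def parse_line(line):
    """Return (source_ip, destination_port), or None if the line is not a firewall hit."""
    m = LINE_RE.search(line)
    return (m.group("src"), int(m.group("dpt"))) if m else None

def sweep_sources(lines, threshold=4):
    """Map each source IP to the Xbash-targeted services it touched, keeping only
    sources that probed at least `threshold` distinct services."""
    seen = defaultdict(set)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        src, dport = parsed
        if dport in XBASH_PORTS:
            seen[src].add(XBASH_PORTS[dport])
    return {src: sorted(svcs) for src, svcs in seen.items() if len(svcs) >= threshold}

# Constructed sample: one scanner hits five services, one host only talks HTTP/HTTPS.
SAMPLE_LOG = [
    "Sep 17 10:01:02 gw kernel: IN=eth0 SRC=203.0.113.5 DST=198.51.100.7 PROTO=TCP SPT=44123 DPT=80",
    "Sep 17 10:01:02 gw kernel: IN=eth0 SRC=203.0.113.5 DST=198.51.100.7 PROTO=TCP SPT=44124 DPT=5900",
    "Sep 17 10:01:03 gw kernel: IN=eth0 SRC=203.0.113.5 DST=198.51.100.7 PROTO=TCP SPT=44125 DPT=3306",
    "Sep 17 10:01:03 gw kernel: IN=eth0 SRC=203.0.113.5 DST=198.51.100.7 PROTO=TCP SPT=44126 DPT=23",
    "Sep 17 10:01:04 gw kernel: IN=eth0 SRC=203.0.113.5 DST=198.51.100.7 PROTO=TCP SPT=44127 DPT=6379",
    "Sep 17 10:01:05 gw kernel: IN=eth0 SRC=203.0.113.9 DST=198.51.100.7 PROTO=TCP SPT=50001 DPT=80",
    "Sep 17 10:01:06 gw kernel: IN=eth0 SRC=203.0.113.9 DST=198.51.100.7 PROTO=TCP SPT=50002 DPT=443",
    "Sep 17 10:01:07 gw sshd[812]: Accepted publickey for ops from 198.51.100.20 port 50110",
]

if __name__ == "__main__":
    for src, svcs in sweep_sources(SAMPLE_LOG).items():
        print(f"{src} probed {len(svcs)} Xbash-targeted services: {', '.join(svcs)}")
```

Tuning the threshold against a baseline of normal east-west traffic keeps hosts that legitimately speak to two or three of these services out of the alert.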