Xbash Worm – Targets Linux And Windows
Xbash is a newly observed worm targeting exposed servers worldwide. Written in Python using code taken from the NotPetya malware, it is believed to have been created by the Iron Group advanced persistent threat (also known as Rocke) and is being used as both a cryptocurrency miner and ransomware.
Unlike most other worm malware, Xbash scans for public domain names – as well as IP addresses – using target lists downloaded from a command and control (C2) server. Once it finds an open port, it attempts to gain access through brute-force attacks, default credentials, or known vulnerabilities in the ActiveMQ, Hadoop or Redis services.
Once it has gained access to a target device, Xbash checks the operating system before deploying further. On Linux systems it attempts to delete all MongoDB, MySQL and PostgreSQL databases (except those that contain login information) and then creates new databases containing the ransom note. On Windows machines it connects to a dynamic URL to download a JavaScript or VBScript module, which then launches a PowerShell script to install a variant of the XMRig cryptocurrency miner. Both versions connect to a C2 server before scanning for new targets.
Xbash hard-codes a number of domain names as its C2 servers. It also fetches a page hosted on Pastebin (listed in the IOCs below) to update its C2 domain list. Some of these C2 domains are reused from earlier Windows coinminers attributed to the Iron cybercrime group.
Xbash also contains code to traverse the local network of an infected device; however, this functionality has not yet been enabled.


Indicators of Compromise
Samples for Linux
7a18c7bdf0c504832c8552766dcfe0ba33dd5493daa3d9dbe9c985c1ce36e5aa zlibx
0b9c54692d25f68ede1de47d4206ec3cd2e5836e368794eccb3daa632334c641 Xbash
dbc380cbfb1536dfb24ef460ce18bccdae549b4585ba713b5228c23924385e54 xapache
5b790f02bdb26b6b6b270a5669311b4f231d17872aafb237b7e87b6bbb57426d libhttpd
e59be6eec9629d376a8a4a70fe9f8f3eec7b0919019f819d44b9bdd1c429277c XbashX
f808a42b10cf55603389945a549ce45edc6a04562196d14f7489af04688f12bc XbashY
dcd37e5b266cc0cd3fab73caa63b218f5b92e9bd5b25cf1cacf1afdb0d8e76ff rootv2.sh
de63ce4a42f06a5903b9daa62b67fcfbdeca05beb574f966370a6ae7fd21190d lowerv2.sh
09968c4573580398b3269577ced28090eae4a7c326c1a0ec546761c623625885 rootv2.sh
a27acc07844bb751ac33f5df569fd949d8b61dba26eb5447482d90243fc739af r88.sh
Samples for Windows
f888dda9ca1876eba12ffb55a7a993bd1f5a622a30045a675da4955ede3e4cb8 tt.txt
31155bf8c85c6c6193842b8d09bda88990d710db9f70efe85c421f1484f0ee78 tg.jpg
725efd0f5310763bc5375e7b72dbb2e883ad90ec32d6177c578a1c04c1b62054 reg9.sct
d7fbd2a4db44d86b4cf5fa4202203dacfefd6ffca6a0615dca5bc2a200ad56b6 m.png
ece3cfdb75aaabc570bf38af6f4653f73101c1641ce78a4bb146e62d9ac0cd50 tmp.jpg
Downloading URLs
hxxp://3g2upl4pq6kufc4m[.]tk/zlibx
hxxp://e3sas6tzvehwgpak[.]tk/XbashY
hxxp://3g2upl4pq6kufc4m[.]tk/XbashY
hxxp://3g2upl4pq6kufc4m[.]tk/xapache
hxxp://3g2upl4pq6kufc4m[.]tk/libhttpd
hxxp://xmr.enjoytopic[.]tk/l/rootv2.sh
hxxp://xmr.enjoytopic[.]tk/l2/rootv2.sh
hxxp://xmr.enjoytopic[.]tk/l/r88.sh
hxxp://xmr.enjoytopic[.]tk/12/r88.sh
hxxp://e3sas6tzvehwgpak[.]tk/lowerv2.sh
hxxp://3g2upl4pq6kufc4m[.]tk/r88.sh
hxxp://e3sas6tzvehwgpak[.]tk/XbashY
hxxp://e3sas6tzvehwgpak[.]tk/XbashX
hxxp://png.realtimenews[.]tk/m.png
hxxp://daknobcq4zal6vbm[.]tk/tt.txt
hxxp://d3goboxon32grk2l[.]tk/reg9.sct
Domains for C2 Communication
ejectrift.censys[.]xyz
scan.censys[.]xyz
api.leakingprivacy[.]tk
news.realnewstime[.]xyz
scan.realnewstime[.]xyz
news.realtimenews[.]tk
scanaan[.]tk
scan.3g2upl4pq6kufc4m[.]tk
scan.vfk2k5s5tfjr27tz[.]tk
scan.blockbitcoin[.]tk
blockbitcoin[.]com
IPs for C2 Communication
142.44.215[.]177
144.217.61[.]147
URLs for C2 Domain Updating
hxxps://pastebin[.]com/raw/Xu74Mzif
hxxps://pastebin[.]com/raw/rBHjTZY6
Bitcoin Wallet Addresses in Ransom Messages
1Kss6v4eSUgP4WrYtfYGZGDoRsf74M7CMr
1jqpmcLygJdH8fN7BCk2cwwNBRWqMZqL1
1ExbdpvKJ6M1t5KyiZbnzsdQ63SEsY6Bff
Email Addresses in Ransom Messages
backupsql@protonmail[.]com
backupsql@pm[.]me
backupdatabase@pm[.]me
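The indicators above are published defanged (hxxp, [.]), so they cannot be matched against logs as written. The following is an added example, not code from the original post or from the researchers who analysed Xbash: a small Python matcher that refangs the indicators and runs them over a few constructed log lines (DNS, proxy, firewall and endpoint file-inventory records) to show how the list would be applied in detection. The indicator values are copied from the list above (the URL and hash subsets are an arbitrary selection); the log lines, the log formats and the hostnames of the download URLs being treated as domain indicators are constructed assumptions for the example.

```python
"""Refang the Xbash indicators published above and match them against sample logs.

Added example, not part of the original post. Indicator values are copied from
the IOC list; the log lines below are constructed for illustration.
"""
import re
from urllib.parse import urlparse

# Defanged indicators copied from the IOC list above.
DEFANGED_DOMAINS = [
    "ejectrift.censys[.]xyz", "scan.censys[.]xyz", "api.leakingprivacy[.]tk",
    "news.realnewstime[.]xyz", "scan.realnewstime[.]xyz", "news.realtimenews[.]tk",
    "scanaan[.]tk", "scan.3g2upl4pq6kufc4m[.]tk", "scan.vfk2k5s5tfjr27tz[.]tk",
    "scan.blockbitcoin[.]tk", "blockbitcoin[.]com",
]
DEFANGED_IPS = ["142.44.215[.]177", "144.217.61[.]147"]
DEFANGED_URLS = [  # subset of the download / update URLs
    "hxxp://3g2upl4pq6kufc4m[.]tk/zlibx",
    "hxxp://xmr.enjoytopic[.]tk/l/rootv2.sh",
    "hxxps://pastebin[.]com/raw/Xu74Mzif",
]
SAMPLE_HASHES = {  # SHA-256 -> sample name, subset of the listed samples
    "0b9c54692d25f68ede1de47d4206ec3cd2e5836e368794eccb3daa632334c641": "Xbash",
    "725efd0f5310763bc5375e7b72dbb2e883ad90ec32d6177c578a1c04c1b62054": "reg9.sct",
}

# Constructed log lines (not from the post): one hit each for a domain, a URL,
# an IP and a hash, plus one benign line that must not fire.
SAMPLE_LOG_LINES = [
    "2018-09-17T10:02:11Z dns client=10.0.0.23 query=scan.censys.xyz type=A",
    "2018-09-17T10:03:40Z proxy client=10.0.0.23 method=GET url=http://3g2upl4pq6kufc4m.tk/zlibx status=200",
    "2018-09-17T10:05:02Z fw action=allow src=10.0.0.23 dst=144.217.61.147 dport=443",
    "2018-09-17T10:06:30Z edr host=srv01 path=/tmp/Xbash sha256=0b9c54692d25f68ede1de47d4206ec3cd2e5836e368794eccb3daa632334c641",
    "2018-09-17T10:07:00Z dns client=10.0.0.24 query=www.example.com type=A",
]


def refang(indicator: str) -> str:
    """Turn a defanged indicator (hxxp, hxxps, [.], (.), [:]) back into its live form."""
    s = indicator.strip()
    s = re.sub(r"^hxxps://", "https://", s, flags=re.IGNORECASE)
    s = re.sub(r"^hxxp://", "http://", s, flags=re.IGNORECASE)
    s = s.replace("[.]", ".").replace("(.)", ".").replace("[:]", ":")
    return s.lower()


def build_indicators() -> dict:
    """Return {kind: set(refanged values)}; the host of each URL is also added as a domain."""
    ind = {"domain": set(), "ip": set(), "url": set(), "sha256": set()}
    ind["domain"].update(refang(d) for d in DEFANGED_DOMAINS)
    ind["ip"].update(refang(ip) for ip in DEFANGED_IPS)
    for u in DEFANGED_URLS:
        live = refang(u)
        ind["url"].add(live)
        host = urlparse(live).hostname
        if host:
            ind["domain"].add(host)
    ind["sha256"].update(h.lower() for h in SAMPLE_HASHES)
    return ind


def _bounded(value: str) -> re.Pattern:
    # Match only as a whole token: the character before and after must not be part of a
    # hostname, so "scan.censys.xyz" does not fire on "myscan.censys.xyz.example".
    return re.compile(r"(?<![\w.-])" + re.escape(value) + r"(?![\w.-])", re.IGNORECASE)


def scan_log_lines(lines, indicators=None) -> list:
    """Return one hit dict per (line, indicator) match: {"line", "kind", "value"}."""
    indicators = indicators or build_indicators()
    patterns = [(kind, value, _bounded(value))
                for kind, values in indicators.items() for value in sorted(values)]
    hits = []
    for line_no, line in enumerate(lines, start=1):
        for kind, value, pat in patterns:
            if pat.search(line):
                hits.append({"line": line_no, "kind": kind, "value": value})
    return hits


def summarize(hits) -> dict:
    """Count hits per indicator kind, e.g. {"domain": 2, "url": 1, ...}."""
    counts = {}
    for h in hits:
        counts[h["kind"]] = counts.get(h["kind"], 0) + 1
    return counts


if __name__ == "__main__":
    for hit in scan_log_lines(SAMPLE_LOG_LINES):
        print(f"line {hit['line']}: {hit['kind']} match on {hit['value']}")
    print(summarize(scan_log_lines(SAMPLE_LOG_LINES)))
```

The proxy line produces two hits because the download host is matched as a domain in addition to the full URL; in practice that is the more useful signal, since the path under a download host changes more often than the host itself. The matcher is deliberately exact on hostnames, so a new subdomain of a listed domain would need to be added explicitly.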

Duncan is a technology professional with over 20 years' experience of working in various IT roles. He has an interest in cyber security, and has a wide range of other skills in radio, electronics and telecommunications.