XBash: The Hacker-Holy Trinity | Pray XBash Doesn't Find Your Business

21/09/2018 11:15:25
Well-known ransomware traditionally employs a host of unique methods to infiltrate your system, but with a very clear and singular agenda: to hijack your network, destroy your data or extort ransom for files you will never see again. While self-propagating variants of the WannaCry, NotPetya and BadRabbit ransomware families continue to wreak havoc, XBash has arrived to show everyone how it's done, with its deadly holy trinity of ransomware, data destruction and cryptocurrency mining.

XBash utilizes weak passwords and several unpatched vulnerabilities to gain access to Linux and Windows servers, including the vulnerability in Hadoop YARN ResourceManager that allows command execution without verifying identity, the vulnerability in ActiveMQ that allows writing to arbitrary files, and the vulnerability in Redis that allows writing to arbitrary files and remote command execution.

XBash's unique qualities are that it specifically targets both Windows and Linux systems, is developed in Python, collects IP addresses and domain names from its C2 servers for exploitation, and additionally employs intranet scanning functions. These features might be why XBash and its evolving variants (4 discovered thus far) have been operating under the radar since May 2018. With speedy development, easy installation, anti-detection features and cross-platform capabilities, catching XBash in the wild has even the most sophisticated network security systems and technicians running for cover.

Just mentioning WannaCry sets off IT alarm bells for those familiar with how WannaCry leverages system-level vulnerabilities, covering basically all OS versions of Windows PCs and servers. Although XBash has many of the characteristics of devastating ransomware like WannaCry, it more closely resembles NotPetya in that it causes permanent damage to data which cannot be restored to the victim even after the ransom has been paid. In addition, it primarily targets web servers, database servers and servers exposed without proper authorization, with weak passwords or with unpatched vulnerabilities.

While it's general policy in the IT industry not to pay ransom, XBash is hitting below the belt by asking for a ransom payment for files it has already corrupted and destroyed, while simultaneously using the system's resources for cryptocurrency mining. Could this be a new technique to cause misdirection while the real damage is being perpetrated behind the scenes? In other words, has "malware" gotten more "malicious"?

Sample Analysis
XBash is developed in Python and then converted to a Portable Executable (PE) file to evade detection, which lets it install and execute commands across platforms.

XBash obtains its public IP address through http://ejectrift.censys.xyz/cidir and then scans the following service ports:

The ports are as follows:
HTTP: 8088, 8000, 8080, 80
VNC: 5900, 5901, 5902, 9900, 9901, 9902
RDP: 3389
Oracle: 1521
Rsync: 873
MSSQL: 1433
MySQL: 3306
PostgreSQL: 5432
Redis: 6379, 7379
Elasticsearch: 9200
Memcached: 11211
MongoDB: 27017
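The intranet scan described above leaves a recognisable footprint: one source touching many of these service ports across several hosts. The following detection logic is an added example, not code from the original post or from Sangfor; the log line format, the thresholds and the sample log are constructed assumptions, and the VNC and RDP labels follow the port list above.

```python
# Added example: flag sources whose connection pattern matches XBash's intranet service scan.
import re
from collections import defaultdict

# Ports taken from the list above; labels follow that list.
XBASH_PORTS = {
    "http": {80, 8000, 8080, 8088}, "vnc": {5900, 5901, 5902, 9900, 9901, 9902},
    "rdp": {3389}, "oracle": {1521}, "rsync": {873}, "mssql": {1433},
    "mysql": {3306}, "postgresql": {5432}, "redis": {6379, 7379},
    "elasticsearch": {9200}, "memcached": {11211}, "mongodb": {27017},
}
PORT_TO_SERVICE = {p: s for s, ports in XBASH_PORTS.items() for p in ports}

# Assumed (constructed) log line shape: "<ts> src=<ip> dst=<ip> dport=<port> proto=tcp"
LOG_RE = re.compile(r"src=(\S+)\s+dst=(\S+)\s+dport=(\d+)")

def parse_events(lines):
    """Yield (src, dst, dport) for lines that match the assumed format; skip the rest."""
    for line in lines:
        m = LOG_RE.search(line)
        if m:
            yield m.group(1), m.group(2), int(m.group(3))

def detect_scanners(lines, min_services=4, min_hosts=2):
    """Return {src: {"services": [...], "hosts": n}} for sources that probe at
    least min_services distinct XBash target services on at least min_hosts hosts."""
    services, hosts = defaultdict(set), defaultdict(set)
    for src, dst, dport in parse_events(lines):
        svc = PORT_TO_SERVICE.get(dport)
        if svc is None:
            continue  # not a port XBash probes; ignore it
        services[src].add(svc)
        hosts[src].add(dst)
    return {
        src: {"services": sorted(svcs), "hosts": len(hosts[src])}
        for src, svcs in services.items()
        if len(svcs) >= min_services and len(hosts[src]) >= min_hosts
    }

# Constructed sample: 10.0.0.5 sweeps four services on two hosts (plus SSH, which is
# not in the list); 10.0.0.9 is an ordinary client talking to one web server.
SAMPLE_LOG = [
    "2018-09-21T11:15:25 src=10.0.0.5 dst=10.0.1.20 dport=6379 proto=tcp",
    "2018-09-21T11:15:25 src=10.0.0.5 dst=10.0.1.20 dport=3306 proto=tcp",
    "2018-09-21T11:15:26 src=10.0.0.5 dst=10.0.1.21 dport=27017 proto=tcp",
    "2018-09-21T11:15:26 src=10.0.0.5 dst=10.0.1.21 dport=8088 proto=tcp",
    "2018-09-21T11:15:27 src=10.0.0.5 dst=10.0.1.21 dport=22 proto=tcp",
    "2018-09-21T11:15:30 src=10.0.0.9 dst=10.0.1.20 dport=80 proto=tcp",
]
```

Running `detect_scanners(SAMPLE_LOG)` flags only 10.0.0.5; tune the thresholds to the size of the segment being monitored, since a legitimate management host may also touch several of these ports.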

XBash uses weak passwords and a built-in dictionary in its attacks against Rsync, VNC, phpMyAdmin, MySQL, PostgreSQL, MongoDB and Redis services.

If XBash successfully logs into a MySQL, MongoDB or PostgreSQL service, it may delete the databases on the server, create a new one and write a message into it demanding ransom.

The following vulnerabilities may be exploited to spread the ransomware:

Hadoop YARN ResourceManager vulnerability that allows command execution without verifying identity

ActiveMQ vulnerability that allows writing to arbitrary files

Redis vulnerability that allows writing to arbitrary files and remote command execution

It writes a corresponding crontab task so that the downloaded mining script starts automatically on schedule. After removing all other families of mining programs from Linux-based systems, it downloads and executes its own mining program.

Recommendations
1. Change computer passwords to stronger ones and avoid reusing the same password across different computers, so that any compromised computer can be isolated from the rest of the system.
2. Keep the malware signature database on your Sangfor NGAF up to date to enable XBash traffic detection.
3. Enable WAF on your Sangfor NGAF to prevent XBash attacks against websites.
4. Turn on brute-force attack prevention in Sangfor NGAF.
5. Perform a security scan and virus removal on the whole network. We recommend Sangfor NGAF and the EDR tool to detect, prevent and protect your internal network. For individuals, download and install the following tool: http://go.sangfor.com/edr-tool-20180921
