Unit 42 researchers have found a new malware family that is targeting Linux and Microsoft Windows servers. We can tie this malware, which we have named Xbash, to the Iron Group, a threat actor group known for previous ransomware attacks.
Xbash has ransomware and coinmining capabilities. It also has self-propagating capabilities (meaning it has worm-like characteristics similar to WannaCry or Petya/NotPetya), and it contains capabilities, present in the code but not currently enabled, that could enable it to spread very quickly within an organization’s network once turned on (again, much like WannaCry or Petya/NotPetya).
Xbash spreads by attacking weak passwords and unpatched vulnerabilities.
Xbash is data-destructive, deleting Linux-based databases as part of its ransomware capabilities. We can also find no functionality within Xbash that would enable restoration after the ransom is paid. This means that, similar to NotPetya, Xbash is data-destructive malware posing as ransomware.
Organizations can protect themselves against Xbash by:
- Using strong, non-default passwords
- Keeping up-to-date on security updates
- Implementing endpoint security on Microsoft Windows and Linux systems
- Preventing access to unknown hosts on the internet (to prevent access to command and control servers)
- Implementing and maintaining rigorous and effective backup and restoration processes and procedures.
Palo Alto Networks customers are protected against Xbash as outlined at the end of this post.
Below are some more specifics on Xbash’s capabilities:
- It combines botnet, coinmining, ransomware and self-propagation
- It targets Linux-based systems for its ransomware and botnet capabilities
- It targets Microsoft Windows-based systems for its coinmining and self-propagating capabilities
- The ransomware component targets and deletes Linux-based databases
- To date, we have observed 48 incoming transactions to these wallets with total income of about 0.964 bitcoins meaning 48 victims have paid about US $6,000 total (at the time of this writing)
- However, we see no evidence that the paid ransoms have resulted in recovery for the victims
- In fact, we can find no evidence of any functionality that makes recovery possible through ransom payment.
- Our analysis shows this is likely the work of the Iron Group, a group publicly linked to other ransomware campaigns including those that use the Remote Control System (RCS), whose source code was believed to be stolen from the HackingTeam in 2015.
Recently Unit 42 used Palo Alto Networks WildFire to identify a new malware family targeting Linux servers. After further investigation we realized it’s a combination of botnet and ransomware that was developed by an active cybercrime group Iron (aka Rocke) this year. We have named this new malware “Xbash”, based on the name of the malicious code’s original main module.
Previously, the Iron group developed and spread cryptocurrency miners or cryptocurrency transaction hijacking trojans, mainly intended for Microsoft Windows, with only a few for Linux. Xbash, by contrast, aims at discovering unprotected services, deleting victims’ MySQL, PostgreSQL and MongoDB databases, and demanding a ransom in Bitcoin. Xbash uses three known vulnerabilities in Hadoop, Redis and ActiveMQ for self-propagation and for infecting Windows systems.
Other new technical characteristics in Xbash that are worth noting:
- Developed in Python: Xbash was developed using Python and was then converted into self-contained Linux ELF executables by abusing the legitimate tool PyInstaller for distribution.
- Targets IP addresses and Domain Names: Modern Linux malware such as Mirai or Gafgyt usually generate random IP addresses as scanning destinations. By contrast, Xbash fetches from its C2 servers both IP addresses and domain names for service probing and exploiting.
- Intranet Scanning Functionality: The Xbash authors have developed a new capability for scanning for vulnerable servers within an enterprise intranet. We see this functionality in the samples but, interestingly, it has not yet been enabled. (More on this below.)
We have discovered four different versions of Xbash so far. Code and timestamp differences among these versions show that it’s still under active development. The botnet began to operate as early as May 2018. Thus far, we’ve observed 48 incoming transactions to the Bitcoin wallet addresses used by the malware, which may indicate 48 victims of its ransom behavior.
Below, we will introduce more technical details of these behaviors, and discuss how Palo Alto Networks products prevent the threat.
From Python Code to Native Executable
In a previous blog from 2016, Unit 42 revealed Windows malware that was developed in Python and converted to a PE executable with PyInstaller. All four versions of Xbash that we discovered also use this technique. Based on this, we believe the malware authors realize the following benefits:
- Faster Development: Developing in Python can be easier and faster than in C, C++ or Go, enabling the malware’s faster evolution
- Easy, Assured Installation: PyInstaller creates self-contained native executables that include all necessary dependencies: the Python runtime, the standard library, and user and third-party libraries. Given the diversity of Linux installations and environments, the attackers cannot be sure that Python-based malware would install and run successfully. By packaging in a self-contained native executable like this, attackers ensure that the malware will install successfully on the target systems.
- Anti-Detection Capabilities: PyInstaller’s code compilation, code compression/conversion, and optional code encryption together work to obfuscate the indicators of malicious behavior. This obfuscation helps the malware to defeat detection by antivirus/antimalware engines or static analysis. At the time of this writing, we observed a 1/57 detection rate for Xbash in VirusTotal as shown in Figure 1.
- Cross-Platform Malware: PyInstaller supports creating binaries for Windows, Apple macOS and Linux from the same Python code: this enables the malware to be truly cross-platform (though at the time of this writing we have not found any Windows or macOS versions of Xbash).
Figure 1 Detection Rate of Xbash as shown on VirusTotal
Through manual reverse engineering, we were able to extract the main malicious Python modules from the Xbash executables and decompile them successfully. In the later sections of this analysis, we show the Python source code.
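Because Xbash ships as PyInstaller-built ELF executables, a quick triage check for the PyInstaller archive cookie is often the fastest way to route a suspicious Linux binary toward Python extraction and decompilation. The following is an added example written for this post, not code from Xbash or from Unit 42; the cookie layout is PyInstaller’s documented 2.1+ format, and the sample bytes are constructed.

```python
import struct

# PyInstaller archive "cookie": a magic string plus a fixed header that PyInstaller
# places at the end of the embedded archive (2.1+ layout, 88 bytes, big-endian).
PYI_MAGIC = b"MEI\x0c\x0b\x0a\x0b\x0e"
PYI21_COOKIE = "!8siiii64s"  # magic, package length, TOC offset, TOC length, pyver, libname
PYI21_COOKIE_SIZE = struct.calcsize(PYI21_COOKIE)


def decode_pyver(pyver):
    """PyInstaller stores the Python version as an int: 27 -> 2.7, 310 -> 3.10."""
    if pyver >= 100:
        return "%d.%d" % (pyver // 100, pyver % 100)
    return "%d.%d" % (pyver // 10, pyver % 10)


def find_pyinstaller_cookie(data):
    """Return the parsed cookie if `data` looks like a PyInstaller bundle, else None.

    Works for ELF and PE alike: only the cookie is inspected, searching from the
    end of the file because the cookie trails the embedded archive.
    """
    pos = data.rfind(PYI_MAGIC)
    if pos < 0 or pos + PYI21_COOKIE_SIZE > len(data):
        return None
    _magic, pkg_len, toc_off, toc_len, pyver, libname = struct.unpack(
        PYI21_COOKIE, data[pos:pos + PYI21_COOKIE_SIZE])
    return {
        "is_elf": data[:4] == b"\x7fELF",
        "package_length": pkg_len,
        "toc_offset": toc_off,
        "toc_length": toc_len,
        "python_version": decode_pyver(pyver),
        "python_lib": libname.rstrip(b"\x00").decode("ascii", "replace"),
    }


# Constructed sample: an ELF-looking stub, a fake archive body and a real-format
# cookie. Not an Xbash binary; the numeric fields are made up for the demonstration.
SAMPLE_BUNDLE = (b"\x7fELF" + b"\x00" * 60 + b"<pyz archive bytes>" +
                 struct.pack(PYI21_COOKIE, PYI_MAGIC, 4096, 3900, 196, 27,
                             b"libpython2.7.so.1.0"))

if __name__ == "__main__":
    print(find_pyinstaller_cookie(SAMPLE_BUNDLE)["python_version"])  # -> 2.7
```

A positive result is a packaging indicator, not a verdict: PyInstaller is a legitimate tool, so the cookie tells you to extract and inspect the bundled Python modules, nothing more.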
Xbash hard-codes a number of domain names as its C2 servers. It also fetches a webpage hosted on Pastebin (listed in the IOCs) to update the C2 domain list. Some of these C2 domains are reused from previous Windows coinminers attributed to the Iron cybercrime group.
All C2 communications use HTTP. We found three kinds of C2 traffic:
- One for fetching a list of IP addresses or domains for scanning
- One for fetching a list of weak passwords, in addition to the hard-coded passwords
- One for reporting scan results
Three types of URIs were used to fetch scanning targets:
- /domain/phpmyadmin or /domain/all: to get a list of domains for scanning for vulnerable or unprotected web services such as phpMyAdmin
- /port/tcp8080, /port/udp1900, etc.: to get a list of IP addresses for scanning of the specific TCP or UDP port named in the URI
- /cidir: to get a list of CIDR IP address ranges for scanning of popular ports and services
Through a C2 domain that was still alive, we were able to get 1,000 domains, 1,000 IP addresses, or a /22 CIDR per request, respectively, as shown in Figure 2. We found that different requests return different results, showing that the C2 servers were dynamically dispatching tasks to different bots. We randomly chose some domains and didn’t find any specific region or industry targeted. The targeted domains are also not in the Alexa top one million domains list.
Figure 2 Xbash fetched domains from C2 server for further scanning
Popular Linux botnets such as Mirai and Gafgyt usually only scan IP addresses. Xbash represents a next-stage evolution of Linux botnets by extending the targets to public websites by targeting domains as well as IP addresses. This also makes deploying a honeypot to observe Xbash challenging since honeypots are usually deployed with IP addresses only. While it may not be an intentional step, the inclusion of domain targeting has an anti-analysis benefit for the attackers.
Besides fetching a list of scanning targets, Xbash will also request the URI “/p” from the C2 server to fetch a list of weak passwords for brute forcing.
After Xbash has scanned a target and found open ports, weak credentials or an exploitable, unpatched vulnerability, it reports the result to a random C2 server via an HTTP POST to the URI “/c”.
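The C2 URI patterns above are short but distinctive in combination, which makes outbound proxy logs a practical place to hunt for infected hosts. The following is an added example written for this post, not code from Xbash or from Unit 42: it classifies requests into the URI families described above and flags only hosts that hit several of them, since a lone “/p” or “/c” is too generic. The log format and the c2.example.invalid hostname are constructed for the demonstration.

```python
import re
from collections import defaultdict

# URI families Xbash uses toward its C2 servers, from the traffic described above.
# Tuple: (family, HTTP method, path pattern). Exact-path matching is an assumption.
XBASH_C2_URIS = [
    ("target-domains", "GET", re.compile(r"^/domain/(phpmyadmin|all)$")),
    ("target-ports", "GET", re.compile(r"^/port/(tcp|udp)\d{1,5}$")),
    ("target-cidr", "GET", re.compile(r"^/cidir$")),
    ("password-list", "GET", re.compile(r"^/p$")),
    ("scan-report", "POST", re.compile(r"^/c$")),
]

# Constructed proxy-log format for this example: "<client_ip> <METHOD> <absolute URL>"
LOG_LINE = re.compile(r"^(?P<src>\S+) (?P<method>[A-Z]+) (?P<url>\S+)$")

def classify_request(method, url):
    """Return the Xbash C2 URI family a request matches, or None."""
    path = re.sub(r"^[a-z]+://[^/]+", "", url).split("?", 1)[0] or "/"
    for family, fam_method, pattern in XBASH_C2_URIS:
        if method == fam_method and pattern.match(path):
            return family
    return None

def find_xbash_c2_activity(log_lines, min_families=2):
    """Flag client hosts that hit at least `min_families` distinct URI families:
    a lone /p or /c is weak evidence, several families from one host is not."""
    families_by_src = defaultdict(set)
    for line in log_lines:
        m = LOG_LINE.match(line.strip())
        if not m:
            continue
        family = classify_request(m.group("method"), m.group("url"))
        if family:
            families_by_src[m.group("src")].add(family)
    return {src: sorted(f) for src, f in families_by_src.items()
            if len(f) >= min_families}

# Constructed sample log; c2.example.invalid is a placeholder, not a real C2 domain.
SAMPLE_LOG = [
    "10.0.0.7 GET http://c2.example.invalid/domain/phpmyadmin",
    "10.0.0.7 GET http://c2.example.invalid/port/tcp8080",
    "10.0.0.7 GET http://c2.example.invalid/p",
    "10.0.0.7 POST http://c2.example.invalid/c",
    "10.0.0.9 GET http://intranet.example.invalid/p",  # lone /p: below threshold
    "10.0.0.12 GET http://www.example.invalid/index.html",
]

if __name__ == "__main__":
    print(find_xbash_c2_activity(SAMPLE_LOG))
```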
Service Probing and Brute Forcing
If the scanning target is an IP address, Xbash will try to scan many TCP or UDP ports. Here are some of the services it probes and the ports used:
- HTTP: 80, 8080, 8888, 8000, 8001, 8088
- VNC: 5900, 5901, 5902, 5903
- MySQL: 3306
- Memcached: 11211
- MySQL/MariaDB: 3309, 3308, 3360, 3306, 3307, 9806, 1433
- FTP: 21
- Telnet: 23, 2323
- PostgreSQL: 5432
- Redis: 6379, 2379
- ElasticSearch: 9200
- MongoDB: 27017
- RDP: 3389
- UPnP/SSDP: 1900
- NTP: 123
- DNS: 53
- SNMP: 161
- LDAP: 389
- Rexec: 512
- Rlogin: 513
- Rsh: 514
- Rsync: 873
- Oracle database: 1521
- CouchDB: 5984
For some services, such as VNC, Rsync, MySQL, MariaDB, Memcached, PostgreSQL, MongoDB, and phpMyAdmin, if a related port is open, it will use a built-in weak username/password dictionary and try to log in to the service, as shown in Figure 3. The dictionary also contains common or default passwords for services like Telnet, FTP, and Redis.
Figure 3 Xbash tries to brute force services such as Rsync
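Because Xbash sweeps a fixed set of service ports on each target, flow or connection logs can reveal the probing phase before any login attempt succeeds. The following is an added example written for this post, not code from Xbash or from Unit 42: it flags a source that touches many of the ports listed above on one destination inside a short window, and ignores slow, spread-out activity. The events are constructed and the window and port-count thresholds are assumptions to tune per environment.

```python
from collections import defaultdict

# Ports Xbash probes, taken from the service list above (the duplicated 3306 entry is
# kept once). Protocol is ignored here because the post lists TCP and UDP ports together.
XBASH_PROBE_PORTS = {
    80, 8080, 8888, 8000, 8001, 8088, 5900, 5901, 5902, 5903, 3306, 11211, 3309,
    3308, 3360, 3307, 9806, 1433, 21, 23, 2323, 5432, 6379, 2379, 9200, 27017,
    3389, 1900, 123, 53, 161, 389, 512, 513, 514, 873, 1521, 5984,
}

def detect_xbash_style_probes(events, window=60, min_ports=6):
    """Flag (src, dst) pairs that touch at least `min_ports` distinct Xbash probe ports
    within any `window`-second span. events: iterable of (ts_seconds, src, dst, port).
    Non-Xbash ports are ignored, so ordinary busy clients are not flagged."""
    by_pair = defaultdict(list)
    for ts, src, dst, port in events:
        if port in XBASH_PROBE_PORTS:
            by_pair[(src, dst)].append((ts, port))
    alerts = {}
    for pair, hits in by_pair.items():
        hits.sort()
        start, best = 0, set()
        for end in range(len(hits)):          # sliding window over time-sorted hits
            while hits[end][0] - hits[start][0] > window:
                start += 1
            ports = {p for _, p in hits[start:end + 1]}
            if len(ports) > len(best):
                best = ports
        if len(best) >= min_ports:
            alerts[pair] = sorted(best)
    return alerts

# Constructed connection events (flow-log style). 198.51.100.23 sweeps one server's
# database and admin ports in 20 seconds; 10.0.0.50 is a normal client that talks to
# the web and database ports only; 203.0.113.8 hits the same ports but hours apart.
SAMPLE_EVENTS = [
    (1000, "198.51.100.23", "10.0.0.5", 3306), (1003, "198.51.100.23", "10.0.0.5", 5432),
    (1006, "198.51.100.23", "10.0.0.5", 27017), (1009, "198.51.100.23", "10.0.0.5", 6379),
    (1012, "198.51.100.23", "10.0.0.5", 8080), (1015, "198.51.100.23", "10.0.0.5", 5900),
    (1018, "198.51.100.23", "10.0.0.5", 11211),
    (1001, "10.0.0.50", "10.0.0.5", 80), (1002, "10.0.0.50", "10.0.0.5", 3306),
    (1010, "10.0.0.50", "10.0.0.5", 80), (1020, "10.0.0.50", "10.0.0.5", 3306),
] + [(3600 * i, "203.0.113.8", "10.0.0.5", p)
     for i, p in enumerate([3306, 5432, 27017, 6379, 8080, 5900, 11211])]

if __name__ == "__main__":
    print(detect_xbash_style_probes(SAMPLE_EVENTS))
    # -> {('198.51.100.23', '10.0.0.5'): [3306, 5432, 5900, 6379, 8080, 11211, 27017]}
```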
Delete Databases and Ransom
If Xbash successfully logs in to a service including MySQL, MongoDB, and PostgreSQL, it will delete almost all existing databases in the server (except for some databases that stored user login information), create a new database named “PLEASE_READ_ME_XYZ”, and insert a ransom message into table “WARNING” of the new database, as shown in Figure 4 and Figure 5.
Send 0.02 BTC to this address and contact this email with your website or your ip or db_name of your server to recover your database! Your DB is Backed up to our servers!If we not received your payment,we will leak your database
Figure 4 Xbash creates ransom message in MySQL database via phpMyAdmin
Figure 5 New database, table and ransom message created by Xbash
If Xbash logs in to a phpMyAdmin service, it performs exactly the same operations described above on those databases too, by sending HTTP requests to phpMyAdmin. This is because a phpMyAdmin service usually manages MySQL databases.
It’s important to note that the database name, table name, table schema, and ransom message used by Xbash are almost identical to those seen in multiple waves of ransom attacks on MySQL, MongoDB, ElasticSearch, Hadoop, CouchDB, Cassandra, Redis, AWS S3, etc. in 2016 and 2017, which reportedly compromised over 56,685 servers worldwide. The only changes in Xbash are:
- Database name changed from PLEASE_READ_ME to PLEASE_READ_ME_XYZ
- Bitcoins they’re asking for reduced from 0.2 BTC or 0.15 BTC to 0.02 BTC
- Bitcoin wallet address and email address changed
- This time a blackmail phrase was added into the message: “If we not received your payment,we will leak your database”
Thus far, we have observed three different bitcoin wallet addresses hard-coded in the Xbash samples. Since May 2018, there have been 48 incoming transactions to these wallets with total income of about 0.964 bitcoins (about US$6,000 at the time of this writing). Figure 6 shows one of the wallets. Also, note that the funds are being withdrawn, showing us that the attackers are actively collecting their ransom.
Figure 6 Incoming transactions to one of bitcoin wallets
However, as is so often the case, we see no evidence that the attackers are actually making good on their “promise” and helping the victims restore their deleted databases. In fact, contrary to the ransom note, we found no evidence of code in Xbash that backs up the deleted databases at all.
Exploit for Propagation
When Xbash finds a destination has Hadoop, Redis or ActiveMQ running, it will also attempt to exploit the service for self-propagation. Three known vulnerabilities are targeted:
- Hadoop YARN ResourceManager unauthenticated command execution, which was first disclosed in October 2016 and has no CVE number assigned.
- Redis arbitrary file write and remote command execution, which was first disclosed in October 2015 and has no CVE number assigned. This is shown below in Figure 7.
- ActiveMQ arbitrary file write vulnerability, CVE-2016-3088.
Figure 7 Xbash exploiting Redis vulnerability
When the exploit succeeds, Xbash will either directly execute a shell command to download and run malicious shell or Python scripts, or create a new cron job to do the same, again as shown in Figure 7. The malicious scripts are downloaded from the same C2 servers Xbash uses. In either case, their main functions are to kill other popular coinminers, download coinminers developed by the Iron cybercrime group, and download Xbash itself onto the target system for further propagation.
The net effect is that Xbash targets and uses vulnerable Hadoop, Redis or ActiveMQ systems both to run the attackers’ coinminer AND to propagate Xbash within the environment.
Infecting Windows Servers
Another notable feature of Xbash is the way it uses Redis and an HTTP service to determine whether a vulnerable Redis service is installed on Linux or Microsoft Windows. If the destination being scanned has both a vulnerable Redis service and an HTTP service running, Xbash will try to use information leaked by the Redis vulnerability to guess the HTTP web server’s installation location. Xbash then uses that location to guess which operating system (Linux or Windows) the destination is running, as shown in Figure 8.
Figure 8 Web server paths Xbash used to determine operating system
Through our investigation, we found that these malicious PE files were coinminers or ransomware developed by the Iron cybercrime group, as shown in Figure 10.
Figure 10 AutoFocus associated the malicious PE file with Iron cybercrime group
Targeting Enterprise Intranet
In all versions of Xbash we found, there is a Python class named “LanScan”. Its functions are to get local intranet information, generate a list of all IP addresses within the same subnet, and perform port scanning against all these IPs, as shown in Figure 11. It appears that during this code’s evolution, the author was adding more ports to this piece of it. However, the code is inert and unused: it is still not connected to the main part of the code. We believe the author may enable this functionality in future versions.
Figure 11 Generate list of IP addresses in victim’s subnet and perform port scanning
In an enterprise network (including office networks and datacenters or private clouds), there are usually more servers providing services internally than publicly. These services are also more likely to be unprotected or configured with weak passwords. The chance of finding vulnerable services within an intranet is much higher than over the public Internet. We believe that is the main motivation for Xbash’s intranet scanning code. If events like WannaCry and NotPetya are any guide, this intranet functionality could make Xbash even more devastating once it’s enabled.
Xbash is a novel and complex Linux malware, and the newest work of an active cybercrime group. Based on its characteristics and behaviors, we observe the following:
- Attackers are expanding their profit-making ways beyond mining cryptocurrency to hijacking or ransoming for cryptocurrency
- Attackers are expanding territory by scanning domain names and by attacking enterprise Intranet
- Attackers are looking for more potential victims by gathering more vulnerabilities from everywhere, no matter whether the vulnerability is new or old, and no matter whether a CVE number was assigned or not
- Script files of different types are the important link between exploitation and malware execution
Palo Alto Networks customers are protected from Xbash in the following ways:
- WildFire detects Xbash for Linux as well as the dropped CoinMiner for Windows
- Antivirus signatures for the ELF and PE format malware have been released
- All involved malicious domains have been covered by PAN-DB URL Filtering
- All three vulnerabilities exploited by Xbash are covered by Threat Prevention (39786, 39787, 54654, 54655)
- Xbash C2 traffic is also covered by Threat Prevention (18474, 18475, 18476)
- An AutoFocus tag has been created for tracking this attack.
Indicators of Compromise
Samples for Linux
Samples for Windows
Domains for C2 Communication
IPs for C2 Communication
URLs for C2 Domain Updating
Bitcoin Wallet Addresses in Ransom Messages
Email Addresses in Ransom Messages