A new, all-in-one, destructive malware strain has been discovered in the wild, combining ransomware, cryptocurrency mining, botnet and self-propagating worm capabilities and targeting both Linux and Windows systems.
Windows and Linux users need to beware as a new destructive malware is making its rounds in the wild. Dubbed XBash, the new all-in-one malware is believed to be tied to the Iron Group, a.k.a. Rocke, the Chinese-speaking APT threat actor group known for attacks involving ransomware and cryptocurrency mining.
Palo Alto Networks, the security vendor that uncovered the malware, claims that XBash is an all-in-one malware with worm-like abilities similar to WannaCry or Petya/NotPetya. In addition to self-propagating capabilities, XBash contains newly found capabilities that could allow it to spread quickly through an organisation's network.
How does it work?
Developed in Python, XBash hunts for vulnerable or unprotected web services and deletes entire databases such as MySQL, PostgreSQL and MongoDB running on Linux servers, as part of its ransomware capabilities.
What can I do? Do I pay?
*Important*: Paying the ransom will get you nothing!
This malware has been designed to scan for services on a target IP, on both TCP and UDP ports, such as HTTP, VNC, MySQL/MariaDB, Telnet, FTP, MongoDB, RDP, Elasticsearch, Oracle Database, CouchDB, rlogin and PostgreSQL.
Once the malware finds an open port, it uses a dictionary attack of weak usernames and passwords to brute-force its way into the exposed service, and once in, deletes all the databases and then displays the ransom note.
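The brute-force stage described above leaves a very recognisable trail: a burst of failed logins against a database service from one source address, often cycling through different usernames. The script below is an added example written for this article (it is not from the original post, nor from Palo Alto Networks) showing how a defender can spot that pattern in existing server logs. It assumes the MySQL/MariaDB error-log format for "Access denied" lines and a PostgreSQL log_line_prefix of '%m [%p] %h ' so that the client address appears in the line; the log lines themselves are constructed for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

THRESHOLD = 5                 # failed logins from one source within the window
WINDOW = timedelta(seconds=60)

# Assumed log formats (both lines below are constructed examples):
#   MySQL/MariaDB error log:
#     2018-09-17T10:00:01.000000Z 12 [Note] Access denied for user 'root'@'203.0.113.5' (using password: YES)
#   PostgreSQL with log_line_prefix = '%m [%p] %h ':
#     2018-09-17 10:00:02.000 UTC [1234] 203.0.113.5 FATAL:  password authentication failed for user "postgres"
PATTERNS = {
    "mysql": re.compile(
        r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})[^ ]* .*Access denied for user "
        r"'(?P<user>[^']*)'@'(?P<src>[^']+)'"),
    "postgresql": re.compile(
        r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})[^ ]* \S+ \[\d+\] (?P<src>\S+) FATAL:\s+"
        r"password authentication failed for user \"(?P<user>[^\"]*)\""),
}

def parse_failure(line):
    """Return (service, timestamp, source, user) for a failed-login line, else None."""
    for service, pat in PATTERNS.items():
        m = pat.match(line)
        if m:
            ts = datetime.strptime(m.group("ts").replace("T", " "), "%Y-%m-%d %H:%M:%S")
            return service, ts, m.group("src"), m.group("user")
    return None

def find_bruteforce(lines, threshold=THRESHOLD, window=WINDOW):
    """Sliding-window count of failures per (service, source); one alert per pair
    the first time the count inside the window reaches the threshold.
    Lines for a given service are assumed to arrive in time order."""
    recent = defaultdict(deque)   # (service, src) -> timestamps of recent failures
    alerts, alerted = [], set()
    for line in lines:
        parsed = parse_failure(line)
        if parsed is None:
            continue
        service, ts, src, user = parsed
        key = (service, src)
        q = recent[key]
        q.append(ts)
        while q and ts - q[0] > window:     # drop failures older than the window
            q.popleft()
        if len(q) >= threshold and key not in alerted:
            alerted.add(key)
            alerts.append({"service": service, "source": src, "failures": len(q),
                           "last_user": user, "at": ts})
    return alerts

# Constructed sample log: a dictionary attack against MySQL from 203.0.113.5,
# a single stray failure from another host, and slow PostgreSQL failures that
# never fit inside the 60-second window.
SAMPLE_LOG = [
    "2018-09-17T10:00:01.000000Z 12 [Note] Access denied for user 'root'@'203.0.113.5' (using password: YES)",
    "2018-09-17T10:00:02.000000Z 13 [Note] Access denied for user 'admin'@'203.0.113.5' (using password: YES)",
    "2018-09-17T10:00:02.000000Z 14 [Note] Access denied for user 'root'@'198.51.100.7' (using password: NO)",
    "2018-09-17T10:00:03.000000Z 15 [Note] Access denied for user 'mysql'@'203.0.113.5' (using password: YES)",
    "2018-09-17T10:00:04.000000Z 16 [Note] Access denied for user 'test'@'203.0.113.5' (using password: YES)",
    "2018-09-17T10:00:05.000000Z 17 [Note] Access denied for user 'root'@'203.0.113.5' (using password: YES)",
    "2018-09-17T10:00:06.000000Z 18 [Note] Access denied for user 'guest'@'203.0.113.5' (using password: YES)",
    "2018-09-17 10:00:10.000 UTC [1234] 203.0.113.5 FATAL:  password authentication failed for user \"postgres\"",
    "2018-09-17 10:03:10.000 UTC [1235] 203.0.113.5 FATAL:  password authentication failed for user \"postgres\"",
    "2018-09-17 10:06:10.000 UTC [1236] 203.0.113.5 FATAL:  password authentication failed for user \"postgres\"",
    "2018-09-17 10:09:10.000 UTC [1237] 203.0.113.5 FATAL:  password authentication failed for user \"postgres\"",
    "2018-09-17 10:12:10.000 UTC [1238] 203.0.113.5 FATAL:  password authentication failed for user \"postgres\"",
    "2018-09-17T10:00:07.000000Z 19 [Note] A temporary password is generated for root@localhost",
]

if __name__ == "__main__":
    for alert in find_bruteforce(SAMPLE_LOG):
        print(f"[{alert['service']}] {alert['failures']} failed logins from {alert['source']} "
              f"by {alert['at']} (last user tried: {alert['last_user']})")
```

Run against the constructed sample, only the MySQL burst from 203.0.113.5 is reported; the same host's slow PostgreSQL failures stay below the threshold because the window trims them. In practice the threshold and window are tuned per service, and the alert is the trigger to confirm that the service was never meant to be reachable from that address in the first place.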
A very important point to understand is that the malware itself does not contain any functionality that would allow the deleted databases to be recovered once a victim has paid the ransom.
To date, XBash has claimed at least 48 victims who have already paid the ransom, making about $6,000 so far for the cyber criminals behind the threat. However, researchers see no evidence that these payments have resulted in the recovery of the victims' data.
Is there any way to protect my organisation/personal computers?
Here are some things that we would recommend:
- change default login credentials on your systems,
- use strong and unique passwords and don't share them,
- keep your operating system and software up to date,
- avoid downloading and running untrusted files or clicking links,
- take backups of your data regularly, and
- prevent unauthorised connections using a firewall.
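Most of the services XBash probes have no business being reachable from the internet at all, so the quickest win from the list above is to find database and remote-access listeners bound to every interface and move them behind a loopback binding or a firewall rule. The script below is an added example for this article (not from the original post) that audits the listening sockets on a Linux host; it assumes the column layout printed by `ss -lntu` and uses the well-known default ports of the services named in the article. The `ss` output it parses is constructed for the example.

```python
import re

# Well-known default ports of the services the article lists as XBash targets.
TARGETED_PORTS = {
    80: "HTTP", 5900: "VNC", 3306: "MySQL/MariaDB", 23: "Telnet", 21: "FTP",
    27017: "MongoDB", 3389: "RDP", 9200: "Elasticsearch", 1521: "Oracle Database",
    5984: "CouchDB", 513: "rlogin", 5432: "PostgreSQL",
}
WILDCARD = {"0.0.0.0", "*", "[::]", "::"}      # bound to every interface
LOOPBACK = {"127.0.0.1", "[::1]", "::1"}       # reachable only from the host itself

# Assumed `ss -lntu` row layout: Netid State Recv-Q Send-Q Local:Port Peer:Port
LINE_RE = re.compile(r"^(?P<proto>tcp|udp)\s+(?P<state>\S+)\s+\d+\s+\d+\s+(?P<local>\S+)\s+\S+")

def split_addr_port(local):
    """Split 'addr:port' on the last colon so IPv6 forms like '[::]:5432' survive."""
    addr, _, port = local.rpartition(":")
    return addr, int(port)

def audit_listeners(ss_output):
    """Return one finding per targeted-service port not restricted to loopback."""
    findings = []
    for line in ss_output.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:                       # header line or unexpected layout
            continue
        addr, port = split_addr_port(m.group("local"))
        if port not in TARGETED_PORTS or addr in LOOPBACK:
            continue
        scope = "all interfaces" if addr in WILDCARD else f"address {addr}"
        findings.append({
            "port": port,
            "service": TARGETED_PORTS[port],
            "proto": m.group("proto"),
            "bound_to": scope,
            "advice": "bind to 127.0.0.1 or restrict the port with a firewall rule",
        })
    return findings

# Constructed sample of `ss -lntu` output: MySQL and MongoDB exposed on every
# interface, Elasticsearch on a LAN address, PostgreSQL correctly on loopback.
SAMPLE_SS = """\
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port
tcp   LISTEN 0      128    0.0.0.0:22        0.0.0.0:*
tcp   LISTEN 0      80     0.0.0.0:3306      0.0.0.0:*
tcp   LISTEN 0      128    127.0.0.1:5432    0.0.0.0:*
tcp   LISTEN 0      128    [::]:27017        [::]:*
tcp   LISTEN 0      128    10.0.0.5:9200     0.0.0.0:*
udp   UNCONN 0      0      0.0.0.0:68        0.0.0.0:*
"""

if __name__ == "__main__":
    for f in audit_listeners(SAMPLE_SS):
        print(f"{f['service']} ({f['proto']}/{f['port']}) listening on {f['bound_to']}: {f['advice']}")
```

On a real host, pipe the live output in with `ss -lntu | python3 audit.py` after replacing the sample with `sys.stdin.read()`. A listener on a private LAN address is reported too, since XBash spreads inside a network once it has one foothold; whether that binding is acceptable depends on the firewall rules in front of it.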
If your MSP has not brought this to your attention and you would like to make sure you are secure, please contact us ASAP! Stay safe.