What may very well be considered a cybercriminal’s dream tool is now real and it is hunting Windows and Linux servers: a botnet with self-spreading capabilities that combines cryptomining and ransomware functions.

The name of the new beast is Xbash and it looks for systems protected by a weak password and machines that run with unpatched known vulnerabilities.

Security researchers from Palo Alto Networks’ Unit 42 analyzed Xbash and noticed that its ransomware and botnet talents are reserved for Linux systems, with clear instructions to delete databases; while the malware’s activity on Windows machines is limited to cryptocurrency mining and self-propagation routines that exploit known security bugs in Hadoop, Redis, and ActiveMQ services.
NotPetya déjà vu

Xbash’s ransomware ability is just for show, researchers say, because the malware does not have the ability to restore the database after its operators receive the ransom.

The malware discovers unprotected services and deletes MySQL, PostgreSQL and MongoDB databases.

Some victims have already fallen for the ransomware trick and paid the money. The wallet associated with the attacker has an income of 0.964 BTC, at the moment of publishing, from 48 transactions that suggest payment from just as many victims.

Other capabilities of the malware point to NotPetya as a source of inspiration, such as the ability to spread quickly inside an organization’s network to vulnerable servers. However, the scanning functionality has not been implemented, yet.
Brute-forcing its way in and dropping the ransom

Xbash is equipped to scan for multiple services on a target IP, on both TCP and UDP ports. The list includes HTTP, VNC, MySQL, Memcached, FTP, Telnet, ElasticSearch, RDP, UPnP, NTP, DNS, SNMP, Rlogin, LDAP, CouchDB, and Oracle database.

With some of them, when it finds an open port it runs a brute-force attack using weak username and passwords combinations from a built-in dictionary.

Once logged in, the malware deletes the databases on the server that do not contain user login information and creates a new one where it saves the ransom note.

Xbash operators demand 0.02BTC (about $125) to be sent to their wallet, promising to restore the data in return.

Xbash is developed in Python and then converted to Portable Executable (PE) format using PyInstaller. This tactic has multiple advantages that help with evading detection, assuring installation and execution on a variety of Linux instances, and the possibility to create binaries for Windows, Linux, and macOS.

Although researchers found samples only for Linux, the malware is able to determine the operating system the vulnerable service is running on, and deliver the appropriate payload.

On Windows, it will send a JavaScript or VBScript downloader to fetch and execute the coinminer. On Linux, it runs the ransomware routine.

Xbash represents a new stage in malware evolution that merges a combination of functions and tactics designed to ensure its success. It is the work of an active threat actor Unit42 calls Iron Group, known for other ransomware attacks.