New XBash malware combines ransomware, coinminer, botnet, and worm features in deadly combo

A new malware strain has been discovered that combines the features of four types of malware, ransomware, coinminer, botnet, and worm, into a dangerous cocktail that wreaks havoc on Linux and Windows servers.

The new strain, named Xbash, is the work of a well-known criminal group previously identified under the codenames Iron [1, 2] and Rocke, and which has been very active over the past two years.

The Iron group has been linked to campaigns spreading ransomware, but also to large-scale cryptojacking operations. Cisco Talos, which tracks the group under the name "Rocke" and described it as a prolific Monero-mining operation, has suggested the group may be based in China.

In the past, the Iron group focused on one operation at a time, using specific malware for specific tasks. It deployed ransomware in 2017 and early 2018, then moved to cryptojacking with coinminers in 2018.


But researchers at Palo Alto Networks say the group has now put together the new Xbash malware, a combination of all its previous tactics that pairs a botnet-like structure with both a coinminer and a ransomware function.

The group also appears to be working on a worm component that would spread the malware automatically across internal enterprise networks.

Not all modules are active at the same time, however. Palo Alto Networks says the botnet and ransomware features are active only when the malware infects a Linux system, while the coinminer runs only on Windows servers.

Xbash's modus operandi is to use the botnet module as the base for all of its malicious activity. This module is essentially an Internet scanner that searches for unpatched web applications that are vulnerable to known exploits or that are still using default credentials.

The Xbash scanner module uses vulnerable Hadoop, Redis, and ActiveMQ servers to deploy copies of its botnet and ransomware modules (on Linux systems).

It can also infect Windows systems, but only when the entry point is a vulnerable Redis server. In that case the group uses a dedicated code routine to deploy the coinminer instead of the standard botnet and ransomware modules.
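How the Redis side of that entry point can be checked on your own servers, as an added example written for this page (not code from the article or from Palo Alto Networks): a small Python audit of a redis.conf that flags the state Xbash's scanner looks for, a Redis service reachable from the network that accepts commands with no password. The Redis defaults it relies on (protected-mode on since 3.2, listening on every interface when bind is absent) are an assumption based on Redis 4.x/5.x behaviour, the severity thresholds are my own, and the sample configs are constructed, not captured from any real host.

```python
"""Audit a redis.conf for the exposure an Xbash-style scanner looks for: a
Redis service reachable from the network that accepts commands without a
password. Added defensive example for this page, not code from the article
or from Unit 42. Assumption: Redis 4.x/5.x defaults (protected-mode on,
listen on all interfaces when bind is absent)."""

LOOPBACK_PREFIXES = ("127.", "::1", "-::1", "localhost")


def parse_redis_conf(text):
    """Return {directive: args} from redis.conf text. A repeated directive keeps
    the last occurrence, as Redis does, except rename-command, which may
    legitimately appear many times and is collected as a list."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        key = parts[0].lower()
        if key == "rename-command":
            conf.setdefault(key, []).append(parts[1:])
        else:
            conf[key] = parts[1:]
    return conf


def is_loopback(addr):
    return any(addr.startswith(p) for p in LOOPBACK_PREFIXES)


def audit_redis_conf(text):
    """Return a list of (severity, message) findings, most severe first.
    An empty list means the instance is not reachable from the network
    without adequate authentication."""
    conf = parse_redis_conf(text)
    findings = []

    pw_args = conf.get("requirepass", [])
    password = pw_args[0] if pw_args else ""
    protected = conf.get("protected-mode", ["yes"])[0].lower() == "yes"
    bind = conf.get("bind")

    if bind is None:
        # Without bind, Redis listens on every interface, but protected mode
        # refuses non-loopback clients as long as no password is configured.
        network_reachable = not (protected and not password)
    else:
        network_reachable = any(not is_loopback(a) for a in bind)

    if network_reachable and not password:
        findings.append(("CRITICAL",
                         "unauthenticated Redis reachable from the network: "
                         "the default-credential exposure Xbash's scanner targets"))
    elif network_reachable and len(password) < 16:
        # 16 characters is this example's own threshold, not a Redis rule.
        findings.append(("HIGH", "requirepass is short enough to brute-force; "
                                 "use a long random secret"))

    if not protected:
        findings.append(("MEDIUM", "protected-mode is disabled"))

    config_renamed = any(args and args[0].upper() == "CONFIG"
                         for args in conf.get("rename-command", []))
    if network_reachable and not config_renamed:
        findings.append(("LOW", "CONFIG is reachable; rename or disable it "
                                "(rename-command CONFIG \"\") so a foothold "
                                "cannot rewrite the server's runtime settings"))
    return findings


# Constructed sample configs, not captured from any real host.
WEAK_CONF = """\
bind 0.0.0.0
port 6379
protected-mode no
"""

HARDENED_CONF = """\
bind 127.0.0.1 -::1
port 6379
protected-mode yes
requirepass 4c9e1f0b7a3d5e8f2b6a9c0d1e7f3a5b
rename-command CONFIG ""
"""

if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit_redis_conf(conf) or "no findings")
```

Run it against `/etc/redis/redis.conf` on each host; a CRITICAL finding means the box matches the entry condition the article describes regardless of whether it is patched. The audit reads only the config file, so it says nothing about firewall rules or a reverse proxy in front of the port; treat it as a first pass, not as proof the service is unreachable.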


But the scanner module can do more than exploit known vulnerabilities and default credentials. Researchers say this module can also carry …


Compsmag