A new malware known as ‘Xbash’ has been discovered by Unit 42 researchers, a blog post at Palo Alto Networks has reported. This malware is unique in its targeting power and affects Microsoft Windows and Linux servers simultaneously. Researchers at Unit 42 have tied this malware to Iron Group, a threat actor group previously known for ransomware attacks.
According to the blog post, Xbash has coinmining, self-propagating and ransomware capabilities. It also possesses some capabilities which, when implemented, can enable the malware to spread fairly rapidly within an organization’s network, in ways similar to WannaCry or Petya/NotPetya.
Commenting on the characteristics of this new malware, Unit 42 researchers wrote, “Recently Unit 42 used Palo Alto Networks WildFire to identify a new malware family targeting Linux servers. After further investigation we realized it’s a combination of botnet and ransomware that was developed by an active cybercrime group Iron (aka Rocke) this year. We have named this new malware “Xbash”, based on the name of the malicious code’s original main module.”
Xbash mainly spreads by targeting unpatched vulnerabilities and weak passwords. It is data-destructive: destroying Linux-based databases is part of its ransomware capabilities. Xbash also contains no functionality that would restore the destroyed data after the ransom is paid.
Unlike earlier well-known Linux botnets such as Gafgyt and Mirai, Xbash is a next-level Linux botnet that extends its targets to public websites, because it targets both domains and IP addresses.
Submitted by: Arnfried Walbrecht