Security Experts:

Connect with us

Hi, what are you looking for?



Destructive Xbash Linux Malware Targets Enterprise Intranets

A newly discovered piece of Linux malware that features both ransomware and crypto-currency mining capabilities appears designed to target enterprise intranets, Palo Alto Networks security researchers say.

A newly discovered piece of Linux malware that features both ransomware and crypto-currency mining capabilities appears designed to target enterprise intranets, Palo Alto Networks security researchers say.

Dubbed Xbash and believed to be tied to the Iron Group, a threat actor known for previous ransomware attacks, the malware can target both Linux and Windows servers.

It contains a Python class that allows it to find IP addresses on a subnet and scan the ports on these IPs, likely to spread to the local network. In addition to self-propagating capabilities, the malware contains functionality not yet implemented that could allow it to spread fast within an organization’s network.

The servers that provide services internally on an enterprise network are more likely to be configured with weak credentials or to be unprotected compared to those accessible over the public web.

“We believe that is the main motivation of Xbash’s Intranet scanning code. If events like WannaCry and NotPetya are any guide, this intranet functionality could make Xbash even more devastating once it’s enabled,” Palo Alto Networks says.

Xbash, the researchers discovered, spreads by targeting weak passwords and unpatched vulnerabilities.

As part of its ransomware capabilities, it destroys Linux-based databases. It deletes resources such as MySQL, PostgreSQL and MongoDB databases, but contains no functionality that would allow their recovery once a ransom has been paid. The malware can ensnare targeted Linux-based systems in a botnet.

The Microsoft Windows-based systems, on the other hand, are only targeted for crypto-mining and self-propagation (it uses three known vulnerabilities in Hadoop, Redis and ActiveMQ for spreading), the security researchers have discovered.

To date, the malware made at least 48 victims who already paid the ransom, incoming transactions to the used wallets reveal. The cybercriminals behind the threat made about 0.964 Bitcoin ($6,000) to date.

Developed using Python, Xbash was then converted into self-contained Linux ELF executables using PyInstaller, which can create binaries for multiple platforms and also provides anti-detection. The malware fetches from the command and control (C&C) server the list of IP addresses to target.

The security researchers discovered four versions of Xbash so far and concluded that the malware is under active development. The botnet appears to have started operating as early as May 2018.

The malware has multiple domains hard-coded and also fetches a webpage hosted on Pastebin to update the list (some of the domains have been previously associated with the Iron Group). Communication with the C&C is performed using HTTP.

In addition to IP addresses, Xbash targets domains, the security researchers say. This makes the threat a next step in the evolution of botnets, as they normally only target IPs.

The malware scans many TCP or UDP ports for spreading purposes, namely those associated with HTTP, VNC, MySQL, Memcached, MySQL/MariaDB, FTP, Telnet, PostgreSQL, Redis, ElasticSearch, MongoDB, RDP, UPnP/SSDP, NTP, DNS, SNMP, LDAP, Rexec, Rlogin, Rsh, Rsync, Oracle database, and CouchDB.

“Xbash is a novel and complex Linux malware, and the newest work of an active cybercrime group,” Palo Alto Networks concludes.

Related: New Backdoor Based on HackingTeam’s Surveillance Tool

Related: Cross-Platform Mirai Variant Leverages Open-Source Project

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Expert Insights

Related Content


Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.


The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.


The FBI dismantled the network of the prolific Hive ransomware gang and seized infrastructure in Los Angeles that was used for the operation.

Malware & Threats

Microsoft plans to improve the protection of Office users by blocking XLL add-ins from the internet.


A new study by McAfee and the Center for Strategic and International Studies (CSIS) named a staggering figure as the true annual cost of...


CISA, NSA, and MS-ISAC issued an alert on the malicious use of RMM software to steal money from bank accounts.


Video games developer Riot Games says source code was stolen from its development environment in a ransomware attack

Application Security

PayPal is alerting roughly 35,000 individuals that their accounts have been targeted in a credential stuffing campaign.