Cloud Security

Xbash Malware Uninstalls Cloud Security Products

Recent samples of the destructive Xbash Linux malware can uninstall cloud security protection products from infected servers, Palo Alto Networks reports. 

First detailed last year, the malware combines a broad set of malicious capabilities, ranging from ransomware and cryptocurrency mining to self-propagation, database deletion, and enrolling compromised servers in a botnet. 

The malware is used by a group referred to as Rocke, which is associated with the Iron cybercrime group. More recent samples of Xbash include new code to uninstall five different cloud security protection and monitoring products from infected Linux servers, Palo Alto Networks’ security researchers say. 

As part of the attacks, the malware first gains full administrative (root) control over the host and then abuses those rights to uninstall the products exactly as a legitimate administrator would. The targeted products are developed by Tencent Cloud and Alibaba Cloud (Aliyun). 

“To the best of our knowledge, this is the first malware family that developed the unique capability to target and remove cloud security products,” Palo Alto Networks notes.

The Rocke threat actor is mainly focused on mining the Monero cryptocurrency on compromised Linux machines. For that, the group targets vulnerabilities in Apache Struts 2, Oracle WebLogic, and Adobe ColdFusion to compromise systems and install their malicious code.

After connecting to the command and control (C&C) server, the first-stage malware downloads a shell script that establishes persistence, kills competing cryptomining processes, blocks other cryptomining malware, uninstalls agent-based cloud security products, fetches and runs a UPX-packed coin miner, hides its process from the Linux ps command, and alters the timestamps of the malicious files.

The attack reveals a new class of threat aimed at the Cloud Workload Protection Platform (CWPP) market as defined by Gartner, that is, agent-based, workload-centric security products, Palo Alto Networks points out.

Cloud service providers develop their own CWPPs to mitigate malware attacks on public cloud infrastructure (third-party cybersecurity companies also provide CWPPs), but threat actors attempt to evade these products. 

Rocke’s malware initially only attempted to kill the Tencent Cloud Monitor process, but now it uninstalls cloud security products by Alibaba Cloud and Tencent Cloud, to ensure that agent-based cloud security products can’t detect its malicious behavior. 

Both Alibaba Cloud and Tencent Cloud provide customers with details on the uninstallation procedure for their products, and the Xbash malware follows those steps, the security researchers reveal. As soon as the uninstallation has been completed, the malware starts its nefarious routines. 
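The behaviours of the downloaded shell script listed above (persistence, killing rival miners, uninstalling the agent, hiding from ps, altering file timestamps) and the vendor-documented uninstallation described in this paragraph all leave host-side traces that can be checked for. The Python triage below is an added example, not code from the article, from Palo Alto Networks or from either cloud vendor. The agent and miner process names, the cron entries, the preloaded library and the file timestamps in its sample snapshot are constructed placeholders, and the assumption that the process is hidden from ps through /etc/ld.so.preload is the editor's, since the article does not say how the hiding is done.

```python
import os
from dataclasses import dataclass

# Assumed placeholder names: the article names no agent or miner binaries.
# Set EXPECTED_AGENTS to the real process names of the CWPP agent on your hosts.
EXPECTED_AGENTS = ("cloud-monitor-agent", "cloud-security-agent")
MINER_HINTS = ("xmrig", "minerd", "stratum+tcp://")   # common Monero-miner markers
STAGING_DIRS = ("/tmp", "/var/tmp", "/dev/shm")      # where dropped payloads usually land


@dataclass
class FileStat:
    path: str
    mtime: float   # modification time: settable from userland (touch -t)
    ctime: float   # inode change time: set by the kernel only


@dataclass
class HostSnapshot:
    processes: list    # process names as /proc/<pid>/comm reports them
    ld_preload: str    # text of /etc/ld.so.preload, "" when the file is absent
    cron_lines: list   # crontab entries
    files: list        # FileStat for files under STAGING_DIRS


def missing_agents(snap, expected=EXPECTED_AGENTS):
    """An uninstalled agent simply stops running: report expected names that are gone."""
    running = set(snap.processes)
    return [name for name in expected if name not in running]


def preload_entries(snap):
    """/etc/ld.so.preload is normally absent. Userland rootkits list a library there
    to hook readdir() in every process, which is the usual way a PID is hidden from ps."""
    return [ln.strip() for ln in snap.ld_preload.splitlines()
            if ln.strip() and not ln.lstrip().startswith("#")]


def miner_persistence(snap, hints=MINER_HINTS):
    """Cron is the usual persistence for these miners: match the known markers."""
    return [ln for ln in snap.cron_lines if any(h in ln for h in hints)]


def timestomped(snap, slack=3600):
    """touch -t can roll mtime back, but ctime cannot be set from userland, so a dropped
    file whose mtime predates its ctime by more than `slack` seconds had its timestamp
    adjusted. Restricted to STAGING_DIRS: package-installed system files legitimately
    carry a build-time mtime far older than their install-time ctime."""
    prefixes = tuple(d + "/" for d in STAGING_DIRS)
    return [f.path for f in snap.files
            if f.path.startswith(prefixes) and f.ctime - f.mtime > slack]


def triage(snap):
    return {"missing_agents": missing_agents(snap),
            "ld_preload": preload_entries(snap),
            "miner_cron": miner_persistence(snap),
            "timestomped": timestomped(snap)}


def _read(path):
    """Text of a file, or "" when it does not exist or cannot be read."""
    try:
        with open(path) as fh:
            return fh.read()
    except OSError:
        return ""


def collect_live():
    """Build a snapshot from the running host (Linux only)."""
    procs = [_read(f"/proc/{pid}/comm").strip()
             for pid in os.listdir("/proc") if pid.isdigit()]
    cron = []
    for path in ("/etc/crontab", "/var/spool/cron/root", "/var/spool/cron/crontabs/root"):
        cron.extend(_read(path).splitlines())
    files = []
    for top in STAGING_DIRS:
        for root, _, names in os.walk(top):
            for name in names:
                full = os.path.join(root, name)
                try:
                    st = os.stat(full, follow_symlinks=False)
                except OSError:
                    continue
                files.append(FileStat(full, st.st_mtime, st.st_ctime))
    return HostSnapshot(procs, _read("/etc/ld.so.preload"), cron, files)


# Constructed sample snapshot of an infected host, following the article's description:
# the monitoring agent is gone, a hiding library is preloaded, a miner is in cron and
# the dropped binary has been touched back a year (file and library names are made up).
NOW = 1_700_000_000
SAMPLE = HostSnapshot(
    processes=["systemd", "sshd", "cron", "java"],
    ld_preload="/usr/local/lib/libhide.so\n",
    cron_lines=["*/10 * * * * /tmp/.X11/xmrig -o stratum+tcp://pool.example:3333 >/dev/null 2>&1",
                "0 6 * * * /usr/sbin/logrotate /etc/logrotate.conf"],
    files=[FileStat("/tmp/.X11/xmrig", mtime=NOW - 400 * 86400, ctime=NOW - 60),
           FileStat("/tmp/upload.csv", mtime=NOW - 120, ctime=NOW - 120)],
)

if __name__ == "__main__":
    for check, hits in triage(SAMPLE).items():
        print(f"{check}: {hits}")
```

Run without arguments it triages the constructed SAMPLE; on a Linux host, triage(collect_live()) checks the real system. The caveat the article implies is worth stating plainly: once the attacker is root, any check that runs on the same host, this script included, can be uninstalled or lied to just as the vendor agent was. The durable signal is the one the host cannot suppress, namely the agent's heartbeat disappearing from the cloud provider's console or from your own central collector, so alert on that absence rather than relying on host-local checks alone.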

“We believe this unique evasion behavior will be the new trend for malware which targets public cloud infrastructure,” Palo Alto Networks says. 

Related: Destructive Xbash Linux Malware Targets Enterprise Intranets

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
