Xbash combines botnet, ransomware and cryptomining techniques for haunting

Palo Alto Networks Unit 42 computer security researchers have published a research report that reveals a new malware called Xbash that combines botnet, ransomware and cryptomining techniques to compromise Windows and Linux servers.

[Image: Xbash (Optocrypto)]

The report describes Xbash as a new malware family attributed to the Iron Group, a hacking group known for its past ransomware attacks. Xbash, however, uses a far more complex attack vector, combining the exploitation of multiple vulnerabilities with attacks on weak passwords.

The researchers note that, unlike other ransomware, Xbash includes a data-erasure feature that is enabled by default and offers no file-restore capability, so the destroyed data cannot be recovered.

Separately, the ransomware and botnet components of this malware were observed running against Linux servers that expose unprotected functions and services; there they delete databases and demand a ransom in Bitcoin (BTC). The cryptomining modules, by contrast, target Windows systems running software with previously disclosed but unpatched vulnerabilities, such as Redis or ActiveMQ.

In terms of self-propagation, this malware is comparable in scale to NotPetya and WannaCry, both of which spread rapidly across home and corporate networks. In addition, Xbash includes features that help it evade antivirus detection and conceal its malicious behaviour.

At this point we know the malware is active: Unit 42 has found ransom payments on the order of $6,000. To counter this threat, the researchers recommend changing passwords and using strong, unique ones, as well as installing the latest security updates for your operating system and applications.
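The report's two hardening recommendations, authentication with strong passwords and no unprotected database services reachable from the network, can be checked mechanically. The script below is an added example written for this article, not code from Unit 42 or the article's author: it parses a `redis.conf` (Redis is one of the services the report names) and flags the exposure conditions Xbash relies on. The two configurations and the short weak-password list are constructed for the demonstration.

```python
"""Audit a redis.conf for the exposure conditions described above:
a database service listening on all interfaces, protected mode off,
and missing or weak authentication."""
from typing import Dict, List

# Constructed sample config (not from any real server) with several weaknesses.
SAMPLE_REDIS_CONF = """\
# redis.conf (constructed sample)
bind 0.0.0.0
protected-mode no
port 6379
# requirepass is commented out: no authentication at all
# requirepass change_me
"""

# Constructed hardened counterpart: loopback only, protected mode on,
# long passphrase, and the destructive FLUSHALL command renamed away.
HARDENED_REDIS_CONF = """\
bind 127.0.0.1
protected-mode yes
port 6379
requirepass Tr0ub4dor&3-longer-passphrase-9f2c
rename-command FLUSHALL ""
"""

# Hypothetical, deliberately tiny weak-password list for demonstration only.
WEAK_PASSWORDS = {"password", "123456", "redis", "admin", "change_me"}


def parse_redis_conf(text: str) -> Dict[str, List[str]]:
    """Return directive -> list of values (last one wins in Redis), ignoring
    comments and blank lines. Directive names are case-insensitive."""
    directives: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        directives.setdefault(key, []).append(value)
    return directives


def audit_redis_conf(text: str) -> List[str]:
    """Return a list of findings; an empty list means no issue was found."""
    conf = parse_redis_conf(text)
    findings: List[str] = []

    # No bind directive means Redis listens on every interface.
    binds = conf.get("bind", [])
    wildcard = any(
        "0.0.0.0" in b or b == "::" or b.startswith("*") for b in binds
    )
    if not binds or wildcard:
        findings.append("bind: service listens on all interfaces (no loopback-only bind)")

    # protected-mode defaults to yes; an explicit 'no' removes the safety net.
    if conf.get("protected-mode", ["yes"])[-1].lower() == "no":
        findings.append("protected-mode: disabled")

    # requirepass absent or empty means unauthenticated access.
    passwords = conf.get("requirepass", [])
    password = passwords[-1].strip('"') if passwords else ""
    if password == "":
        findings.append("requirepass: no password configured")
    elif len(password) < 16 or password.lower() in WEAK_PASSWORDS:
        findings.append("requirepass: password is short or on the weak list")

    return findings


if __name__ == "__main__":
    for name, conf in (("sample", SAMPLE_REDIS_CONF), ("hardened", HARDENED_REDIS_CONF)):
        print(f"{name}: {audit_redis_conf(conf) or ['no findings']}")
```

Run against a real `redis.conf` by reading the file into `audit_redis_conf`; the check reflects the report's advice (patch, authenticate, do not expose services) rather than any Xbash-specific signature, so it remains useful after this particular campaign.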