Threat Report Xbash: What is Xbash and How Does it Work?

Xbash is a malware family that has targeted Linux and Microsoft Windows servers. The malware has been tied to the Iron Group, a threat actor group known for previous ransomware attacks. Xbash was developed in Python and then converted into a self-contained Linux ELF executable by using PyInstaller.

Xbash can use scripts to invoke PowerShell to download a malicious PE executable or PE DLL for execution. It can also destroy Linux-based databases as part of its ransomware capabilities, and can attempt to exploit known vulnerabilities in Hadoop, Redis, or ActiveMQ when it finds those services running in order to conduct further execution.Xbash uses HTTP for C2 communications, and can obtain a webpage hosted on Pastebin to update its C2 domain list. It can also use regsvr32 for executing scripts, and can create a Startup item for persistence if it determines it is on a Windows system. Additionally, Xbash can execute malicious JavaScript payloads on the victim

Xbash Malware Capabilities

Xbash may use a number of methods to avoid detection and execute code on target systems, including abusing PowerShell commands and scripts, destroying data, exploiting software vulnerabilities, and communicating using application layer protocols. Xbash may also achieve persistence by adding entries to the startup folder or Registry.

The Xbash malware may attempt to gain access to systems and networks by guessing passwords, scanning for vulnerable services, and enumerating network configuration details. Once present on a system, Xbash may schedule malicious code to run using the cron utility, and may also transfer tools and files between victim devices within a compromised environment. Additionally, Xbash may abuse Visual Basic and mshta.exe to proxy execution of malicious code.

• Xbash may use PowerShell commands and scripts for execution, which can be used to perform a number of actions, including discovery of information and execution of code. Xbash may also exploit software vulnerabilities in client applications to execute code.
• The Xbash malware may use various methods to avoid detection and gain remote access to a system, including communication via web traffic protocols and posting content on legitimate web services. Once a system is infected, the malware may use the Regsvr32.exe program to proxy execution of malicious code.
• Xbash may use a variety of methods to gain persistence on a system or network, including adding programs to startup folders or referencing them in Registry run keys. Xbash may also abuse JavaScript for execution. Additionally, Xbash may encrypt data on target systems in order to render it inaccessible and extort a ransom from the victim.
• Xbash may attempt to get a listing of services running on remote hosts and local network infrastructure devices, including those that may be vulnerable to remote software exploitation. Common methods to acquire this information include port and/or vulnerability scans using tools that are brought onto a system.
• Xbash may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp, ipconfig/ifconfig, nbtstat, and route.
• The Xbash malware may use the cron utility to schedule the execution of malicious code, and may also transfer tools or other files from an external system into a compromised environment. Additionally, Xbash may abuse Visual Basic for execution.

Ways to Mitigate Xbash Malware Attacks

• The Xbash malware can be mitigated by setting the proper execution policy, using process monitoring to monitor for suspicious activity, and by detecting software exploitation.
• The Xbash malware attack can be mitigated by analyzing network data for uncommon data flows, host data that can relate unknown or suspicious process activity, and using process monitoring to monitor the execution and arguments of regsvr32.exe.
• The Xbash malware can be mitigated by monitoring for changes in the registry and start folder, as well as for events associated with scripting execution. Process monitoring can also be used to detect suspicious activity related to data destruction.
• The article discusses how to mitigate Xbash malware attacks. First, it is recommended to monitor authentication logs for system and application login failures. If authentication failures are high, then there may be a brute force attempt to gain access to a system using legitimate credentials. Secondly, system and network discovery techniques should be used to identify potential lateral movement by the adversary.
• The Xbash malware can be mitigated by monitoring for file creation and transfers into the network, as well as for events associated with VB execution. These actions may be related to network and system information collection or other post-compromise behaviors, and could be used as indicators of detection leading back to the source.

About Iron group Threat Group

Iron group has developed malware for multiple platforms that has successfully infected at least a few thousand victims.