Xbash: A Mining Virus Featuring Ransomware

Sangfor Elsa Posted 21 Sep 2018 12:43

Last edited by Sangfor Elsa 21 Sep 2018 12:45.

A security research team recently discovered a new type of malicious virus, Xbash, which takes aim at Linux and Windows servers. Xbash has the core functions of ransomware and self-propagating capabilities.

Xbash mainly uses weak passwords and unfixed vulnerabilities, including vulnerability in Hadoop YARN ResourceManager that allows command execution without verifying identify, vulnerability in ActiveMQ that allows writing in arbitrary file, vulnerability in Redis that allows writing in arbitrary file and remote command execution.

It's worth noting that Xbash is more of a data eraser than a ransomware. From this point, it is very similar to NotPetya. It will cause permanent damage to the victim's data. Even if the victim has paid the ransom, the data cannot be restored.

However it is inappropriate to say that it resembles WannaCry, as the rumors found on the Internet. What WannaCry leverages are system-level vulnerabilities covering basically all OS versions of Windows PC and servers. Xbash mostly targets at Web servers, database servers and unauthorized servers with weak passwords and unfixed vulnerabilities.

Sample Analysis
Xbash is developed in Python and then converted to Portable Executable (PE) file to evade detection, assuring installation and execute commands cross platforms.

Xbash gains public IP address through http://ejectrift.censys.xyz/cidir and then perform scan on the Web port, as shown below:


The ports are as follows:

HTTP: 8088,8000,8080,80
Figure 5900,59015902,99009901,9902
CPU: 3389 Cores
Oracle: 1521
Rsync: 873
Mssql: 1433
Mysql: 306
Postgresql: 5432
Redis: 6379,7379
Elasticsearch:9 200
Memcached:1 1211
Mongodb: 27017

Xbash uses weak passwords and built-in dictionary in its attacks against services on Rsync, VNC, phpmyadmin, MySQL, postgresql, mongodb and redis.

If successfully logs into the web service on MySQL, MongoDB, PostgreSQL, it may delete the database on server, create a new one and write message to demand for ransom.

The following vulnerabilities may be exploited to spread the ransomware, as shown below:

Hadoop YARN ResourceManager vulnerability allows execution without verifying the identify


ActiveMQ vulnerability allows writing in arbitrary file
Redis vulnerability allows writing in arbitrary file and remote execution
It writes in a corresponding Crontab task to start up automatically, according to the schedule and downloaded mining script. After removing all other family of mining program on Linux based system, it downloads and executes its own mining program.

1. Change computer password to a stronger one. Avoid using the same passwords for different computers because if one computer is compromised, all other computers may also be compromised.
2. Keep the malware signature database on your Sangfor NGAF up to data to enable Xbash traffic detection.
3. Enable WAF on your Sangfor NGAF and prevent Xbash attacks against websites.
4. Sangfor NGAF can prevent brute-force attacks. Turn on brute-force attack prevention NGAF.
5. Perform security scan and virus removal on the whole network. We recommend Sangfor NGAF and EDR tool to detect, prevent and protect your internal network. And for individuals, download and install the following tool: http://go.sangfor.com/edr-tool-20180921

Like this topic? Like it or reward the author.

Creating a topic earns you 5 coins. A featured or excellent topic earns you more coins. What is Coin?

Enter your mobile phone number and company name for better service. Go

Faisal Posted 16 Jul 2020 18:38
Change computer password to a stronger one: is good solutuion.
Faisal Posted 18 Jul 2020 21:00
Thank you very much for the information ...
Muhammad Bilal Lv4Posted 27 Jul 2020 14:42
Great! information sharing
Faisal Posted 06 Nov 2020 06:32
Nice article ...
dewiclements Lv1Posted 27 Feb 2023 21:40
Great information, thank you for sharing!

Trending Topics

Board Leaders