Cryptomining, ransomware, and botnet capabilities using Xbash malware for Windows and Linux servers
The new malware strain, dubbed Xbash, was recently discovered by Palo Alto Networks.  The deadly virus has ransomware,  cryptojacking, botnets and worms and is aimed at Windows and Linux servers. The most vulnerable are those that do not apply patches to their systems, in addition to victims who use passwords and weak usernames.
Ryan Olson, vice president of threat intelligence at unit 42, said:
Overall, we did not [before] saw this combination of ransomware, coinmining, worming and targeting capabilities for both systems Linux for Windows systems.
According to the researchers, Xbash malware can be linked to Iron Group hackers,  who actively distributed ransomware in past years, as well as infecting computers with cryptocurrency malware. The group is known for its Monero mining habits and can also be traced to China.
The will of criminals to change the business model from ransomware to criptomining is quite common, as it seems to be more profitable. This is why Iron Cybercrime Group was spreading the devastating Rocke virus since 2018, which was abusing system resources to extract Monero.
Unfortunately for the victims, however, hackers have now invented malware that combines many aspects, allowing it to self-propagate and inject selectively coinminer into Windows systems while collecting ransomware-type infection for Linux.
Xbash infection functions as a botnet for all malicious activities. The Internet scanner targets devices that have unpatched software or use weak security credentials.
Linux servers suffer from traditional ransomware functionality
The group of 42 experts said that Xbash attacks Windows and Linux differently. The ransomware and botnet features used when targeting Linux servers and cryptocurrency mining are propagated on Windows OS servers.
Xbash Ransomware is designed to delete databases on target Linux systems. As a typical crypto-extortioner, this virus requires that you pay for the encrypted data inside the ransom note that remains after the MySQL, MongoDB, and PostgreSQL databases have been deleted. However, it is not possible to restore files after encryption, so users who pay criminals lose their money. The malware is not configured to back up encrypted data.
The victim is asked to pay 0.02 Bitcoins to recover locked files. The Bitcoin portfolio associated with hackers has already received 0.96 BTC from 48 transactions.
Windows servers are used to undermine cryptocurrency on the infected network
While the Linux operating system can be infected while using exploits to use Hadoop, Redis or ActiveMQ servers, Windows machines can be affected only if the point input is a Redis server  sensitive. Instead of the standard ransomware and the botnet, a different module is loaded, while the coin-mining segment is downloaded.
According to searches, the scanning module is able to scan Windows services that have not been protected when connecting to the Internet. Even those who use weak usernames and passwords are at risk.
The Xbash botnet module will attempt to run the brute-force  for the following services:
- Oracle DB  FTP
- MySQL, etc.
The broad scan allows hackers to reach the number of infected machines much more quickly, which means that profits from coin mining increase rapidly, even if at the moment it is not known how much the actors bad guys have gained so far from this activity.
In addition, the worm component of Xbash allows self-propagation within the company network immediately. However, research says this feature is not yet fully developed. The worm is designed to check a long list of ports and services before infecting all the machines on the network.
To conclude, Xbash will most likely come back even stronger with improved functionality and the coin-mining function for Linux operating systems, allowing hackers to earn even more than they do now.