XBash – Data Wiper, Bot & Ransom- Linux & Windows


Malware and ransomware keep evolving, and XBash in particular shows how quickly the threat level is rising. It combines data-destruction capabilities, ransomware, a botnet, a coin-miner and more. Its data wiping recalls the Saudi Arabia data-wiping malware incident.

Block the IOCs listed below immediately and make sure your SOC is actively monitoring for the related activity. If any of these IOCs are observed in your environment, act at once; the longer you wait, the more data may be shredded.

XBash Capabilities

  • Data destruction with no recovery option
  • Much stronger than the Petya / WannaCry ransomware
  • Exploits open vulnerabilities effectively
  • Self-propagation capabilities
  • Specifically deletes Linux-based databases
  • Victims have already paid the ransom but recovered no data
  • Performs crypto-mining and ransomware infections

Researchers from Palo Alto Networks identified several versions of XBash, each adding capabilities on top of the previous one, which confirms that the malware's capabilities are growing.

The malware is written in Python and targets IP addresses and domain names, specifically vulnerabilities in Windows and Linux servers, and especially where Redis is in use. It includes an intranet-scanning facility for finding vulnerable servers, which helps it mark targets to attack.

Regular botnets scan IP addresses and use the compromised ones; XBash has evolved a step further and can scan both IP addresses and websites.

XBash performs three types of C2 communication:

  • Fetch the list of IP addresses and domains to scan
  • Fetch the list of weak passwords
  • Report the scan results so further actions can be taken

Ports the SOC team should monitor for suspicious traffic, and the services to protect if you run any of the following:

  • HTTP: 80, 8080, 8888, 8000, 8001, 8088
  • VNC: 5900, 5901, 5902, 5903
  • MySQL: 3306
  • Memcached: 11211
  • MySQL/MariaDB: 3306, 3307, 3308, 3309, 3360, 9806, 1433
  • FTP: 21
  • Telnet: 23, 2323
  • PostgreSQL: 5432
  • Redis: 6379, 2379
  • ElasticSearch: 9200
  • MongoDB: 27017
  • RDP: 3389
  • UPnP/SSDP: 1900
  • NTP: 123
  • DNS: 53
  • SNMP: 161
  • LDAP: 389
  • Rexec: 512
  • Rlogin: 513
  • Rsh: 514
  • Rsync: 873
  • Oracle database: 1521
  • CouchDB: 5984
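The list above is most useful as a behavioural signal: a single internal host that suddenly connects to many different servers across these ports looks like the intranet scanning the post describes, not like a normal client, which usually talks to one database server. The following Python is an added example, not code from the post or from the researchers, that applies this idea to a small constructed flow log. The port set is taken from the list above; the threshold of three distinct (destination, port) pairs and the sample flow records are assumptions.

```python
"""Flag internal hosts that sweep many of the ports XBash probes (added example)."""
from collections import defaultdict

# Ports from the post's watch list (the set is the post's; the grouping is ours).
XBASH_PORTS = {
    80, 8080, 8888, 8000, 8001, 8088,          # HTTP
    5900, 5901, 5902, 5903,                    # VNC
    3306, 3307, 3308, 3309, 3360, 9806, 1433,  # MySQL/MariaDB and 1433
    11211, 21, 23, 2323, 5432, 6379, 2379,     # Memcached, FTP, Telnet, PostgreSQL, Redis
    9200, 27017, 3389, 1900, 123, 53, 161,     # ElasticSearch, MongoDB, RDP, SSDP, NTP, DNS, SNMP
    389, 512, 513, 514, 873, 1521, 5984,       # LDAP, r-services, Rsync, Oracle, CouchDB
}

# Constructed sample flow log, one record per line: "src_ip dst_ip dst_port proto".
SAMPLE_FLOWS = """\
10.0.0.5 10.0.0.20 6379 tcp
10.0.0.5 10.0.0.21 6379 tcp
10.0.0.5 10.0.0.22 3306 tcp
10.0.0.5 10.0.0.23 27017 tcp
10.0.0.5 10.0.0.24 5432 tcp
10.0.0.5 10.0.0.25 1433 tcp
10.0.0.7 10.0.0.30 443 tcp
10.0.0.7 10.0.0.30 443 tcp
10.0.0.9 10.0.0.40 6379 tcp
"""


def parse_flows(text):
    """Turn the whitespace-separated flow records into (src, dst, port, proto) tuples."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        src, dst, port, proto = line.split()
        records.append((src, dst, int(port), proto))
    return records


def find_scanners(records, min_targets=3, ports=XBASH_PORTS):
    """Return {src: sorted (dst, port) pairs} for sources that touched at least
    min_targets distinct (destination, watched-port) pairs.

    Counting distinct pairs rather than raw packets means a busy client hammering
    one database server is not flagged, while a host sweeping the subnet is.
    """
    hits = defaultdict(set)
    for src, dst, port, _proto in records:
        if port in ports:
            hits[src].add((dst, port))
    return {src: sorted(pairs) for src, pairs in hits.items() if len(pairs) >= min_targets}


if __name__ == "__main__":
    for src, pairs in find_scanners(parse_flows(SAMPLE_FLOWS)).items():
        print(f"{src} probed {len(pairs)} watched services: {pairs}")
```

On the constructed log only 10.0.0.5 is reported: it reached six different (host, port) pairs across Redis, MySQL, MongoDB, PostgreSQL and 1433, while the other two hosts each talked to a single service. Tune min_targets to your environment; jump hosts and monitoring systems will legitimately exceed it and should be allow-listed.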

CAUTION: If XBash gets into your MSSQL, MongoDB or PostgreSQL server, it deletes all the databases. If you find a database whose name falls in the range “PLEASE_READ_ME” to “PLEASE_README_XYZ”, your database environment has been compromised.
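One way to turn that caution into a routine check, as an added example rather than anything from the post or the researchers: compare a stored inventory of database names against the current one, flag any name that matches the PLEASE_READ_ME / PLEASE_README marker, and report expected databases that have disappeared. The engine names, the baseline and the "current" inventory below are constructed; the regular expression is our own generalisation of the two spellings the post gives.

```python
"""Detect XBash-style database wiping from a database-name inventory (added example)."""
import re

# The post gives the marker as "PLEASE_READ_ME" through "PLEASE_README_XYZ";
# this pattern accepts both spellings and any suffix (constructed for the example).
RANSOM_DB_RE = re.compile(r"^PLEASE_READ_?ME", re.IGNORECASE)

# Constructed baseline: what each server is supposed to contain.
BASELINE = {
    "mysql": {"mysql", "information_schema", "shop", "accounts"},
    "postgresql": {"postgres", "template1", "analytics"},
    "mongodb": {"admin", "local", "sessions"},
}

# Constructed current inventory: two servers were wiped and left a ransom-note database.
CURRENT = {
    "mysql": {"mysql", "information_schema", "PLEASE_READ_ME_XYZ"},
    "postgresql": {"postgres", "template1", "analytics"},
    "mongodb": {"admin", "local", "PLEASE_README_XYZ"},
}


def check_inventory(baseline, current):
    """Return {engine: {"ransom_note_dbs": [...], "missing_dbs": [...]}} for every
    engine that either shows the ransom marker or has lost a baseline database.

    Both signals matter: the marker confirms the actor, the missing set tells you
    what to restore from backup.
    """
    findings = {}
    for engine, expected in baseline.items():
        present = current.get(engine, set())
        ransom = sorted(name for name in present if RANSOM_DB_RE.match(name))
        missing = sorted(expected - present)
        if ransom or missing:
            findings[engine] = {"ransom_note_dbs": ransom, "missing_dbs": missing}
    return findings


if __name__ == "__main__":
    for engine, detail in check_inventory(BASELINE, CURRENT).items():
        print(f"{engine}: ransom-note DBs {detail['ransom_note_dbs']}, missing {detail['missing_dbs']}")
```

In production the current set would be populated from each engine's own listing (SHOW DATABASES for MySQL, \l in psql, show dbs in the mongo shell) on a schedule, and any non-empty result should page the on-call, since the post notes that paying has not recovered anyone's data; restoring from offline backups is the only path back.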

Indicators of Compromise (referred from the researchers):

Samples for Linux

7a18c7bdf0c504832c8552766dcfe0ba33dd5493daa3d9dbe9c985c1ce36e5aa  zlibx
0b9c54692d25f68ede1de47d4206ec3cd2e5836e368794eccb3daa632334c641  Xbash
dbc380cbfb1536dfb24ef460ce18bccdae549b4585ba713b5228c23924385e54  xapache
5b790f02bdb26b6b6b270a5669311b4f231d17872aafb237b7e87b6bbb57426d  libhttpd
e59be6eec9629d376a8a4a70fe9f8f3eec7b0919019f819d44b9bdd1c429277c  XbashX
f808a42b10cf55603389945a549ce45edc6a04562196d14f7489af04688f12bc  XbashY
dcd37e5b266cc0cd3fab73caa63b218f5b92e9bd5b25cf1cacf1afdb0d8e76ff  rootv2.sh
de63ce4a42f06a5903b9daa62b67fcfbdeca05beb574f966370a6ae7fd21190d  lowerv2.sh
09968c4573580398b3269577ced28090eae4a7c326c1a0ec546761c623625885  rootv2.sh
a27acc07844bb751ac33f5df569fd949d8b61dba26eb5447482d90243fc739af  r88.sh

Samples for Windows

f888dda9ca1876eba12ffb55a7a993bd1f5a622a30045a675da4955ede3e4cb8  tt.txt
31155bf8c85c6c6193842b8d09bda88990d710db9f70efe85c421f1484f0ee78  tg.jpg
725efd0f5310763bc5375e7b72dbb2e883ad90ec32d6177c578a1c04c1b62054  reg9.sct
d7fbd2a4db44d86b4cf5fa4202203dacfefd6ffca6a0615dca5bc2a200ad56b6  m.png
ece3cfdb75aaabc570bf38af6f4653f73101c1641ce78a4bb146e62d9ac0cd50  tmp.jpg

Downloading URLs

hxxp://3g2upl4pq6kufc4m[.]tk/zlibx
hxxp://e3sas6tzvehwgpak[.]tk/XbashY
hxxp://3g2upl4pq6kufc4m[.]tk/XbashY
hxxp://3g2upl4pq6kufc4m[.]tk/xapache
hxxp://3g2upl4pq6kufc4m[.]tk/libhttpd
hxxp://xmr.enjoytopic[.]tk/l/rootv2.sh
hxxp://xmr.enjoytopic[.]tk/l2/rootv2.sh
hxxp://xmr.enjoytopic[.]tk/l/r88.sh
hxxp://xmr.enjoytopic[.]tk/12/r88.sh
hxxp://e3sas6tzvehwgpak[.]tk/lowerv2.sh
hxxp://3g2upl4pq6kufc4m[.]tk/r88.sh
hxxp://e3sas6tzvehwgpak[.]tk/XbashY
hxxp://e3sas6tzvehwgpak[.]tk/XbashX
hxxp://png.realtimenews[.]tk/m.png
hxxp://daknobcq4zal6vbm[.]tk/tt.txt
hxxp://d3goboxon32grk2l[.]tk/reg9.sct

Domains for C2 Communication

ejectrift.censys[.]xyz
scan.censys[.]xyz
api.leakingprivacy[.]tk
news.realnewstime[.]xyz
scan.realnewstime[.]xyz
news.realtimenews[.]tk
scanaan[.]tk
scan.3g2upl4pq6kufc4m[.]tk
scan.vfk2k5s5tfjr27tz[.]tk
scan.blockbitcoin[.]tk
blockbitcoin[.]com

IPs for C2 Communication

142.44.215[.]177
144.217.61[.]147

URLs for C2 Domain Updating

hxxps://pastebin[.]com/raw/Xu74Mzif
hxxps://pastebin[.]com/raw/rBHjTZY6

Bitcoin Wallet Addresses in Ransom Messages

1Kss6v4eSUgP4WrYtfYGZGDoRsf74M7CMr
1jqpmcLygJdH8fN7BCk2cwwNBRWqMZqL1
1ExbdpvKJ6M1t5KyiZbnzsdQ63SEsY6Bff

Email Addresses in Ransom Messages

backupsql@protonmail[.]com
backupsql@pm[.]me
backupdatabase@pm[.]me
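To put the indicators above to work, a SOC first has to undo the defanging (hxxp, [.]) and then sweep DNS, proxy, firewall and file-hash logs for exact matches. The Python below is an added example, not code from the post or from the researchers; it uses a handful of the indicators above verbatim and runs them over constructed sample log lines. The log formats and the internal IPs are assumptions, and the boundary check around domains and IPs is our own choice so that a look-alike name containing an indicator as a prefix is not counted as a hit.

```python
"""Refang the post's IOCs and sweep sample logs for them (added example)."""
import re

# A subset of the indicators from the post, kept in the defanged form it uses.
DEFANGED = {
    "domain": [
        "scan.censys[.]xyz",
        "api.leakingprivacy[.]tk",
        "news.realtimenews[.]tk",
        "blockbitcoin[.]com",
    ],
    "ip": ["142.44.215[.]177", "144.217.61[.]147"],
    "url": [
        "hxxp://3g2upl4pq6kufc4m[.]tk/XbashY",
        "hxxp://xmr.enjoytopic[.]tk/l/rootv2.sh",
    ],
    "sha256": [
        "e59be6eec9629d376a8a4a70fe9f8f3eec7b0919019f819d44b9bdd1c429277c",
        "0b9c54692d25f68ede1de47d4206ec3cd2e5836e368794eccb3daa632334c641",
    ],
}

# Constructed sample log lines: a DNS resolver, a web proxy, a firewall and a
# file-hash inventory. The last DNS line is a deliberate near-miss.
SAMPLE_LOGS = """\
dns 10.0.0.5 query scan.censys.xyz A
dns 10.0.0.6 query www.example.com A
proxy 10.0.0.5 GET http://3g2upl4pq6kufc4m.tk/XbashY 200
fw 10.0.0.5 -> 144.217.61.147:80 allow
hash E59BE6EEC9629D376A8A4A70FE9F8F3EEC7B0919019F819D44B9BDD1C429277C /tmp/XbashX
dns 10.0.0.7 query scan.censys.xyz.internal.example A
"""


def refang(indicator):
    """Undo hxxp:// and [.] defanging so the string matches what real logs contain."""
    return (indicator.replace("[.]", ".")
            .replace("hxxps://", "https://")
            .replace("hxxp://", "http://"))


def build_matchers(defanged):
    """Compile one regex per indicator; returns [(kind, defanged_value, pattern)]."""
    matchers = []
    for kind, values in defanged.items():
        for value in values:
            real = refang(value)
            if kind == "sha256":
                # Hash tools differ in case; the digest itself does not.
                pattern = re.compile(re.escape(real), re.IGNORECASE)
            else:
                # Boundaries stop "scan.censys.xyz" matching "scan.censys.xyz.internal.example".
                pattern = re.compile(r"(?<![\w.-])" + re.escape(real) + r"(?![\w.-])")
            matchers.append((kind, value, pattern))
    return matchers


def match_logs(text, defanged=DEFANGED):
    """Return [(kind, defanged_indicator, log_line)] for every indicator seen in text."""
    matchers = build_matchers(defanged)
    hits = []
    for line in text.splitlines():
        for kind, value, pattern in matchers:
            if pattern.search(line):
                hits.append((kind, value, line))
    return hits


if __name__ == "__main__":
    for kind, value, line in match_logs(SAMPLE_LOGS):
        print(f"[{kind}] {value} <- {line}")
```

Against the constructed logs this reports four hits, one each for a C2 domain, a download URL, a C2 IP and a Linux sample hash, and ignores the look-alike hostname on the last line. Extend DEFANGED with the rest of the lists above when you run it for real, and keep the indicators defanged at rest so an analyst cannot click through to a live download URL.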

Make sure action is taken as soon as possible to limit the impact, and confirm that data destruction is not already under way in your environment.

Published 2018-09-20T12:12:23+00:00 (September 20th, 2018) | Ransomware, Tips

About the Author:

FirstHackersNews- Identifies Security