Malware and ransomware keep evolving, and Xbash shows how far the threat has moved. A single family now combines data destruction, ransomware, a botnet, a coin-miner and self-propagation. Its wiping behaviour recalls the data-wiping attacks against organisations in Saudi Arabia.
Block the indicators of compromise (IOCs) listed below immediately and make sure your SOC is actively monitoring for them. If any of them shows up in your environment, act at once: Xbash deletes data outright, so every hour of delay means more data shredded.
Xbash Capabilities
Data destruction with no recovery option: databases are deleted, not encrypted, so there is nothing to decrypt even if the ransom is paid
Arguably more damaging than Petya or WannaCry, because the data is destroyed rather than held for ransom
Effective exploitation of known, unpatched vulnerabilities and weak credentials on exposed services
Self-propagation capabilities
Specifically targets and deletes Linux-based databases
Victims have already paid the ransom, but none of them recovered any data
Performs crypto-mining as well as ransomware infections
Researchers from Palo Alto Networks identified several versions of Xbash, each adding capabilities over the previous one, which confirms that the malware is under active development.
Xbash is written in Python. It targets both IP addresses and domain names, looking for vulnerabilities in Windows and Linux servers and paying special attention to exposed Redis instances. It also carries an intranet-scanning module that looks for vulnerable servers inside a network once a host is compromised, marking the next targets to attack.
Ordinary botnets scan IP address ranges and work from the hosts they compromise; Xbash goes a step further and scans domain names (websites) as well as IP addresses.
Xbash uses its C2 servers for three things: 1. fetching the list of IP addresses and domains to scan, 2. fetching the list of weak passwords to try, and 3. reporting the scan results so the operators can take further action.
Ports that Xbash probes. The SOC team should monitor these for suspicious traffic, and protect any of these services you run:
- HTTP: 80, 8080, 8888, 8000, 8001, 8088
- VNC: 5900, 5901, 5902, 5903
- MySQL: 3306
- Memcached: 11211
- MySQL/MariaDB: 3309, 3308, 3360, 3306, 3307, 9806, 1433
- FTP: 21
- Telnet: 23, 2323
- PostgreSQL: 5432
- Redis: 6379, 2379
- ElasticSearch: 9200
- MongoDB: 27017
- RDP: 3389
- UPnP/SSDP: 1900
- NTP: 123
- DNS: 53
- SNMP: 161
- LDAP: 389
- Rexec: 512
- Rlogin: 513
- Rsh: 514
- Rsync: 873
- Oracle database: 1521
- CouchDB: 5984
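The quickest way to find out whether a host offers Xbash anything to probe is to compare its listening sockets against the port list above. The following script is an added example, not code from the original post or from the Palo Alto report: it parses the output of `ss -lnt` (the sample output below is constructed for a hypothetical database host) and reports every listener on an Xbash-probed port that is reachable from outside the host, while ignoring loopback-only services such as a Redis bound to 127.0.0.1.

```python
# Services and ports Xbash probes, taken from the list above.
# 1433 is grouped under MySQL/MariaDB in the report; it is the default MSSQL port.
XBASH_PORTS = {
    80: "HTTP", 8080: "HTTP", 8888: "HTTP", 8000: "HTTP", 8001: "HTTP", 8088: "HTTP",
    5900: "VNC", 5901: "VNC", 5902: "VNC", 5903: "VNC",
    3306: "MySQL", 3307: "MySQL/MariaDB", 3308: "MySQL/MariaDB", 3309: "MySQL/MariaDB",
    3360: "MySQL/MariaDB", 9806: "MySQL/MariaDB", 1433: "MySQL/MariaDB",
    11211: "Memcached", 21: "FTP", 23: "Telnet", 2323: "Telnet", 5432: "PostgreSQL",
    6379: "Redis", 2379: "Redis", 9200: "ElasticSearch", 27017: "MongoDB", 3389: "RDP",
    1900: "UPnP/SSDP", 123: "NTP", 53: "DNS", 161: "SNMP", 389: "LDAP",
    512: "Rexec", 513: "Rlogin", 514: "Rsh", 873: "Rsync", 1521: "Oracle database",
    5984: "CouchDB",
}

# Constructed `ss -lnt` output for a hypothetical database host; not from a real system.
SS_OUTPUT = """State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*
LISTEN  0       70      0.0.0.0:3306         0.0.0.0:*
LISTEN  0       511     127.0.0.1:6379       0.0.0.0:*
LISTEN  0       128     *:27017              *:*
LISTEN  0       128     [::]:9200            [::]:*
LISTEN  0       128     10.1.2.9:5432        0.0.0.0:*
"""

LOOPBACK = {"127.0.0.1", "[::1]", "::1"}
WILDCARD = {"0.0.0.0", "*", "[::]", "::"}


def parse_ss(output):
    """Yield (address, port) for every LISTEN line of `ss -lnt` output.
    The local address column looks like 0.0.0.0:3306, *:27017 or [::]:9200,
    so the port is whatever follows the last colon."""
    for line in output.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue
        addr, _, port = fields[3].rpartition(":")
        yield addr, int(port)


def exposed_xbash_ports(output):
    """Return [(port, service, address)] for listeners on Xbash-probed ports that
    are reachable from other hosts (wildcard or non-loopback address), sorted by
    port. A loopback-only Redis, for instance, is not reported."""
    findings = []
    for addr, port in parse_ss(output):
        if port in XBASH_PORTS and addr not in LOOPBACK:
            findings.append((port, XBASH_PORTS[port], addr))
    return sorted(findings)


if __name__ == "__main__":
    for port, svc, addr in exposed_xbash_ports(SS_OUTPUT):
        scope = "all interfaces" if addr in WILDCARD else addr
        print("%-5d %-16s listening on %s" % (port, svc, scope))
```

On a real host, feed it `ss -lnt` output directly (for example `exposed_xbash_ports(subprocess.check_output(["ss", "-lnt"], text=True))`). Anything it reports should either be firewalled from the internet or require authentication that is not on a weak-password list, since those are the two things Xbash relies on.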
CAUTION: Once Xbash gets into a MySQL, MongoDB or PostgreSQL server it deletes all of the databases and leaves its ransom note in a new database of its own. If a database whose name begins with PLEASE_READ_ME (the reported name is PLEASE_READ_ME_XYZ) appears on one of your servers, that server has been compromised and the data has already been dropped.
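Because the ransom note is itself a database, the compromise indicator can be pulled straight from a database listing. The script below is an added example and not code from the original post or from the researchers: it parses the kind of output produced by `mysql -e "SHOW DATABASES"` and the mongo shell's `show dbs` (both listings are constructed for a hypothetical compromised host), flags any database whose name starts with PLEASE_READ_ME, and, as a second signal, notes when no user databases remain next to it. The regex also accepts the PLEASE_README spelling so a renamed variant is still caught.

```python
import re

# Constructed sample listings, as `mysql -e "SHOW DATABASES"` and the mongo
# shell's `show dbs` would print them on a hypothetical compromised host.
MYSQL_LISTING = """Database
information_schema
mysql
performance_schema
PLEASE_READ_ME_XYZ
"""

MONGO_LISTING = """admin               0.000GB
PLEASE_READ_ME_XYZ  0.000GB
local               0.000GB
"""

# Xbash stores its ransom note in a database it creates; the reported name is
# PLEASE_READ_ME_XYZ. Match on the prefix (either spelling) so variants still fire.
RANSOM_DB_RE = re.compile(r"^PLEASE_READ_?ME", re.IGNORECASE)

# Databases every MySQL, MongoDB or PostgreSQL install has. If only these remain
# beside the ransom database, the user databases have almost certainly been dropped.
SYSTEM_DBS = {
    "information_schema", "mysql", "performance_schema", "sys",   # MySQL/MariaDB
    "admin", "local", "config",                                    # MongoDB
    "postgres", "template0", "template1",                          # PostgreSQL
}


def parse_listing(text):
    """Return database names from a SHOW DATABASES / show dbs style listing:
    the first whitespace-separated token of each line, minus the MySQL header."""
    names = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line == "Database":
            continue
        names.append(line.split()[0])
    return names


def assess(names):
    """Return (ransom_dbs, user_dbs) for a list of database names: the
    ransom-note databases found, and the non-system databases still present."""
    ransom = [n for n in names if RANSOM_DB_RE.match(n)]
    users = [n for n in names if n not in SYSTEM_DBS and not RANSOM_DB_RE.match(n)]
    return ransom, users


def check_listing(text):
    """One-line verdict for a listing. A ransom database with no user databases
    left is the full Xbash signature: data dropped, note left behind."""
    ransom, users = assess(parse_listing(text))
    if ransom and not users:
        return "compromised: ransom database %s present, no user databases left" % ransom
    if ransom:
        return "compromised: ransom database %s present, user databases remain: %s" % (ransom, users)
    return "no ransom database found"


if __name__ == "__main__":
    print("mysql:", check_listing(MYSQL_LISTING))
    print("mongo:", check_listing(MONGO_LISTING))
```

Run this against every database host in the fleet, not only the ones you think are exposed; Xbash's intranet-scanning code means an internal server with a weak password is as much at risk as an internet-facing one.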
Indicators of Compromise (as published by the researchers):
Samples for Linux
7a18c7bdf0c504832c8552766dcfe0ba33dd5493daa3d9dbe9c985c1ce36e5aa zlibx
0b9c54692d25f68ede1de47d4206ec3cd2e5836e368794eccb3daa632334c641 Xbash
dbc380cbfb1536dfb24ef460ce18bccdae549b4585ba713b5228c23924385e54 xapache
5b790f02bdb26b6b6b270a5669311b4f231d17872aafb237b7e87b6bbb57426d libhttpd
e59be6eec9629d376a8a4a70fe9f8f3eec7b0919019f819d44b9bdd1c429277c XbashX
f808a42b10cf55603389945a549ce45edc6a04562196d14f7489af04688f12bc XbashY
dcd37e5b266cc0cd3fab73caa63b218f5b92e9bd5b25cf1cacf1afdb0d8e76ff rootv2.sh
de63ce4a42f06a5903b9daa62b67fcfbdeca05beb574f966370a6ae7fd21190d lowerv2.sh
09968c4573580398b3269577ced28090eae4a7c326c1a0ec546761c623625885 rootv2.sh
a27acc07844bb751ac33f5df569fd949d8b61dba26eb5447482d90243fc739af r88.sh
Samples for Windows
f888dda9ca1876eba12ffb55a7a993bd1f5a622a30045a675da4955ede3e4cb8 tt.txt
31155bf8c85c6c6193842b8d09bda88990d710db9f70efe85c421f1484f0ee78 tg.jpg
725efd0f5310763bc5375e7b72dbb2e883ad90ec32d6177c578a1c04c1b62054 reg9.sct
d7fbd2a4db44d86b4cf5fa4202203dacfefd6ffca6a0615dca5bc2a200ad56b6 m.png
ece3cfdb75aaabc570bf38af6f4653f73101c1641ce78a4bb146e62d9ac0cd50 tmp.jpg
Downloading URLs
hxxp://3g2upl4pq6kufc4m[.]tk/zlibx
hxxp://e3sas6tzvehwgpak[.]tk/XbashY
hxxp://3g2upl4pq6kufc4m[.]tk/XbashY
hxxp://3g2upl4pq6kufc4m[.]tk/xapache
hxxp://3g2upl4pq6kufc4m[.]tk/libhttpd
hxxp://xmr.enjoytopic[.]tk/l/rootv2.sh
hxxp://xmr.enjoytopic[.]tk/l2/rootv2.sh
hxxp://xmr.enjoytopic[.]tk/l/r88.sh
hxxp://xmr.enjoytopic[.]tk/12/r88.sh
hxxp://e3sas6tzvehwgpak[.]tk/lowerv2.sh
hxxp://3g2upl4pq6kufc4m[.]tk/r88.sh
hxxp://e3sas6tzvehwgpak[.]tk/XbashY
hxxp://e3sas6tzvehwgpak[.]tk/XbashX
hxxp://png.realtimenews[.]tk/m.png
hxxp://daknobcq4zal6vbm[.]tk/tt.txt
hxxp://d3goboxon32grk2l[.]tk/reg9.sct
Domains for C2 Communication
ejectrift.censys[.]xyz
scan.censys[.]xyz
api.leakingprivacy[.]tk
news.realnewstime[.]xyz
scan.realnewstime[.]xyz
news.realtimenews[.]tk
scanaan[.]tk
scan.3g2upl4pq6kufc4m[.]tk
scan.vfk2k5s5tfjr27tz[.]tk
scan.blockbitcoin[.]tk
blockbitcoin[.]com
IPs for C2 Communication
142.44.215[.]177
144.217.61[.]147
URLs for C2 Domain Updating
hxxps://pastebin[.]com/raw/Xu74Mzif
hxxps://pastebin[.]com/raw/rBHjTZY6
Bitcoin Wallet Addresses in Ransom Messages
1Kss6v4eSUgP4WrYtfYGZGDoRsf74M7CMr
1jqpmcLygJdH8fN7BCk2cwwNBRWqMZqL1
1ExbdpvKJ6M1t5KyiZbnzsdQ63SEsY6Bff
Email Addresses in Ransom Messages
backupsql@protonmail[.]com
backupsql@pm[.]me
backupdatabase@pm[.]me
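The network and file IOCs above are published defanged (hxxp, [.]), so they have to be normalised before they can be matched against real logs. The following script is an added example, not code from the original post or from Palo Alto Networks: it refangs the C2 and download hosts and IPs, matches them (and any subdomain of them) against hostnames and IPv4 addresses found in log lines, and separately checks `sha256sum` output against the sample hashes. The DNS, proxy and firewall log lines and the `sha256sum` output are constructed for the example and do not come from a real incident.

```python
import re

# IOCs copied from the lists above, in the defanged form the report publishes them.
C2_AND_DOWNLOAD_HOSTS = [
    "ejectrift.censys[.]xyz", "scan.censys[.]xyz", "api.leakingprivacy[.]tk",
    "news.realnewstime[.]xyz", "scan.realnewstime[.]xyz", "news.realtimenews[.]tk",
    "scanaan[.]tk", "scan.3g2upl4pq6kufc4m[.]tk", "scan.vfk2k5s5tfjr27tz[.]tk",
    "scan.blockbitcoin[.]tk", "blockbitcoin[.]com",
    # hosts taken from the download URLs
    "3g2upl4pq6kufc4m[.]tk", "e3sas6tzvehwgpak[.]tk", "xmr.enjoytopic[.]tk",
    "png.realtimenews[.]tk", "daknobcq4zal6vbm[.]tk", "d3goboxon32grk2l[.]tk",
]
C2_IPS = ["142.44.215[.]177", "144.217.61[.]147"]
SAMPLE_SHA256 = {
    "7a18c7bdf0c504832c8552766dcfe0ba33dd5493daa3d9dbe9c985c1ce36e5aa": "zlibx",
    "0b9c54692d25f68ede1de47d4206ec3cd2e5836e368794eccb3daa632334c641": "Xbash",
    "dbc380cbfb1536dfb24ef460ce18bccdae549b4585ba713b5228c23924385e54": "xapache",
    "5b790f02bdb26b6b6b270a5669311b4f231d17872aafb237b7e87b6bbb57426d": "libhttpd",
    "e59be6eec9629d376a8a4a70fe9f8f3eec7b0919019f819d44b9bdd1c429277c": "XbashX",
    "f808a42b10cf55603389945a549ce45edc6a04562196d14f7489af04688f12bc": "XbashY",
    "dcd37e5b266cc0cd3fab73caa63b218f5b92e9bd5b25cf1cacf1afdb0d8e76ff": "rootv2.sh",
    "de63ce4a42f06a5903b9daa62b67fcfbdeca05beb574f966370a6ae7fd21190d": "lowerv2.sh",
    "09968c4573580398b3269577ced28090eae4a7c326c1a0ec546761c623625885": "rootv2.sh",
    "a27acc07844bb751ac33f5df569fd949d8b61dba26eb5447482d90243fc739af": "r88.sh",
    "f888dda9ca1876eba12ffb55a7a993bd1f5a622a30045a675da4955ede3e4cb8": "tt.txt",
    "31155bf8c85c6c6193842b8d09bda88990d710db9f70efe85c421f1484f0ee78": "tg.jpg",
    "725efd0f5310763bc5375e7b72dbb2e883ad90ec32d6177c578a1c04c1b62054": "reg9.sct",
    "d7fbd2a4db44d86b4cf5fa4202203dacfefd6ffca6a0615dca5bc2a200ad56b6": "m.png",
    "ece3cfdb75aaabc570bf38af6f4653f73101c1641ce78a4bb146e62d9ac0cd50": "tmp.jpg",
}


def refang(s):
    """Undo the report's defanging so an IOC can be compared with real log data."""
    return s.replace("[.]", ".").replace("hxxp", "http").lower()


DOMAINS = {refang(d) for d in C2_AND_DOWNLOAD_HOSTS}
IPS = {refang(i) for i in C2_IPS}

# Hostnames and dotted-quad IPv4 addresses as they appear in DNS, proxy and firewall logs.
TOKEN_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9.\-]*\.[A-Za-z]{2,}|\b(?:\d{1,3}\.){3}\d{1,3}\b")


def match_line(line):
    """Return the set of IOCs found in one log line. A hostname matches if it, or
    any parent domain of it, is a listed host, so a fresh subdomain under a known
    Xbash zone still fires."""
    hits = set()
    for tok in TOKEN_RE.findall(line):
        tok = tok.lower().rstrip(".")
        if tok in IPS:
            hits.add(tok)
            continue
        labels = tok.split(".")
        for i in range(len(labels) - 1):
            parent = ".".join(labels[i:])
            if parent in DOMAINS:
                hits.add(parent)
    return hits


def scan(lines):
    """Return [(line_number, hits)] for every line that touches an IOC."""
    return [(n, h) for n, h in ((n, match_line(l)) for n, l in enumerate(lines, 1)) if h]


def sha256sum_hits(output):
    """Parse `sha256sum` output ('<hex>  <path>' per line) and return
    {path: sample_name} for every file whose digest is a known Xbash sample."""
    hits = {}
    for line in output.splitlines():
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[0].lower() in SAMPLE_SHA256:
            hits[parts[1]] = SAMPLE_SHA256[parts[0].lower()]
    return hits


# Constructed log lines (BIND query log, squid access log, iptables log, benign squid
# line) and constructed sha256sum output; none of this is from a real incident.
LOG_LINES = [
    "18-Sep-2018 10:02:11.123 queries: info: client 10.1.2.3#51234: query: scan.censys.xyz IN A + (10.1.0.5)",
    "1537264931.442    310 10.1.2.7 TCP_MISS/200 4521 GET http://3g2upl4pq6kufc4m.tk/zlibx - HIER_DIRECT/144.217.61.147 application/octet-stream",
    "Sep 18 10:03:05 db01 kernel: OUT=eth0 SRC=10.1.2.9 DST=142.44.215.177 PROTO=TCP SPT=44712 DPT=443",
    "1537264999.001     12 10.1.2.7 TCP_HIT/200 812 GET http://www.example.com/index.html - NONE/- text/html",
]
SHA256SUM_OUTPUT = """7a18c7bdf0c504832c8552766dcfe0ba33dd5493daa3d9dbe9c985c1ce36e5aa  /tmp/zlibx
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855  /tmp/empty
"""

if __name__ == "__main__":
    for n, hits in scan(LOG_LINES):
        print("line %d: %s" % (n, ", ".join(sorted(hits))))
    for path, name in sha256sum_hits(SHA256SUM_OUTPUT).items():
        print("%s matches Xbash sample %s" % (path, name))
```

Pipe real DNS, proxy and firewall logs through `scan()` and the output of `sha256sum` over /tmp, /var/tmp and the web and database users' home directories through `sha256sum_hits()`. Hash matching only catches the exact samples listed, so treat the network indicators, and the PLEASE_READ_ME database described above, as the stronger signals; the two pastebin URLs for C2 domain updates mean the domain list will not stay complete.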
Take these actions as soon as possible to limit the impact, and above all confirm that no data destruction is already under way in your environment.