Xbash malware is one of many new malware threats to be discovered in recent weeks that uses the file-encrypting features  of ransomware with the coin mining functionality of cryptocurrency mining malware.

In 2018, several cybersecurity and threat intelligence companies have reported that ransomware attacks have fallen. Ransomware campaigns are still profitable, although it is possible to make more money through cryptocurrency mining.

The recent Internet Organized Crime Threat Report issued by Europol notes that cryptojacking is a new cybercrime trend and is now a regular, low-risk revenue generator for hackers, but that “ransomware remains the key malware threat”.  Europol has reported that a decline has been seen in random attacks using spam email, instead cybercriminals are focusing on attacking businesses where greater profits lie. Those attacks are highly concentrated.

Another emerging trend provides cybercriminals the best of both worlds – the use of versatile malware that have the features of both ransomware and cryptocurrency miners. These highly versatile malware variants provide cybercriminals with the chance to obtain ransom payments as well as the ability to mine for cryptocurrency. If the malware is downloaded on a system that is not ideally suited for mining cryptocurrency, the ransomware function is enabled and vice versa.

Xbash malware is one of these threats, albeit with one major caveat. Xbash malware cannot to restore files. In that regard it is closer to NotPetya than Cerber. As was the case with NotPetya, Xbash malware just masquerades as ransomware and requests a payment to restore files – Currently 0.2 BTC ($127). Payment of the ransom will not lead to keys being given to unlock encrypted files, as currently files are not encrypted. The malware simply erases MySQL, PostgreSQL, and MongoDB databases. This function is switched off if the malware is installed on a Linux system. If it is downloaded on Windows devices, the cryptojacking function is enabled.

Xbash malware can also self-propagate. Once downloaded on a Windows system it will spread throughout the network by exploiting weaknesses in Hadoop, ActiveMQ and Redis services.

Xbash malware has been developed in Python and compiled into a portable executable (PE) format using PyInstaller. The malware will run its file encrypting/deletion process on Linux systems and use JavaScript or VBScript to download and run a coinminer on Windows systems. Palo Alto Networks’ Unit42 has attributed the malware to a threat group referred to as Iron Group, which has previously been linked with ransomware attacks.

At present, infection takes place through the exploitation of unpatched flaws and brute force attacks on systems with weak passwords and unprotected services.  Protection against this threat requires the use of strong, unique non-default passwords, swift patching, and endpoint security solutions. Preventing access to unknown hosts on the Internet will stop communication with its C2 if it is downloaded, and naturally it is important that multiple backups are regularly made to ensure file recovery is possible.

Kaspersky Lab discovered there has been a doubling of these multi-purpose remote access tools over the past 18 months and their popularity is likely to continue to rise. This type of versatile malware could well prove to be the prevalent malware for hacker over the next year.