Xbash Malware Combines Many Malicious Functions in Worm

September 30, 2018 | Adeline Zhang

Unit 42, the research team of Palo Alto Networks, found a new malware family this month and named it Xbash. This new malware combines ransomware, coinmining, botnet, and worm features and mainly targets Linux and Windows.

Xbash is developed in Python and was then converted into self-contained Linux ELF executables by abusing the legitimate tool PyInstaller for distribution.

“Xbash has ransomware and coinmining capabilities. It also has self-propagating capabilities (meaning it has worm-like characteristics similar to WannaCry or Petya/NotPetya). It also has capabilities not currently implemented that, when implemented, could enable it to spread very quickly within an organizations’ network (again, much like WannaCry or Petya/NotPetya),” reads the report published by Palo Alto Networks. “After further investigation we realized it’s a combination of botnet and ransomware that was developed by an active cybercrime group Iron (aka Rocke) this year.”

The researchers also described the exploitation used for propagation in the report. They found that when Xbash discovers a destination running Hadoop, Redis or ActiveMQ, it also attempts to exploit the service for self-propagation. Three known vulnerabilities are targeted:

  • Hadoop YARN ResourceManager unauthenticated command execution, which was first disclosed in October 2016 and has no CVE number assigned.
  • Redis arbitrary file write and remote command execution, which was first disclosed in October 2015 and has no CVE number assigned. This is shown in Figure 6 of the report.
  • ActiveMQ arbitrary file write vulnerability, CVE-2016-3088.

Researchers concluded in the report:

“Xbash is a novel and complex Linux malware, and the newest work of an active cybercrime group. Based on its characteristics and behaviors, we observe the following:

  • Attackers are expanding their profit-making ways beyond mining cryptocurrency to hijacking or ransoming for cryptocurrency
  • Attackers are expanding territory by scanning domain names and by attacking enterprise Intranet
  • Attackers are looking for more potential victims by gathering more vulnerabilities from everywhere, no matter whether the vulnerability is new or old, and no matter whether a CVE number was assigned or not
  • Different types of script files are important actors between exploiting and malware execution”

Visit the report for more information.


Xbash uses three known vulnerabilities in Hadoop, Redis and ActiveMQ for self-propagation.

NSFOCUS suggests that users not expose the Hadoop port on the Internet if it is used for intranet services only, and keep the software up to date. Hadoop 2.X and later versions support Kerberos authentication; we recommend enabling it.

Redis instances exposed on the Internet without authentication or security policies are vulnerable to attack. NSFOCUS recommends enabling Redis authentication and adding IP address restrictions.
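As an added illustration of the Redis hardening advice above (this is not code from NSFOCUS or from the Xbash report), the following Python audits a redis.conf for the two settings discussed, authentication and address restriction, plus Redis's own protected-mode setting; both sample configurations are constructed for the example.

```python
from typing import Dict, List

# Constructed sample: a redis.conf reachable from any network without a password
WEAK_CONF = """\
# redis.conf (constructed sample, not from any real deployment)
bind 0.0.0.0
protected-mode no
port 6379
# requirepass is commented out, so any client that can connect may issue commands
# requirepass foobared
"""

# Constructed sample: bound to loopback and one intranet address, password set
HARDENED_CONF = """\
bind 127.0.0.1 10.0.0.5
protected-mode yes
port 6379
requirepass CHANGE-ME-long-random-secret
"""


def parse_redis_conf(text: str) -> Dict[str, List[str]]:
    """Map each directive to its argument list, skipping comments and blank lines."""
    conf: Dict[str, List[str]] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        conf[parts[0].lower()] = parts[1:]
    return conf


def audit_redis_conf(text: str) -> List[str]:
    """Return findings for settings that leave Redis open to untrusted networks."""
    conf = parse_redis_conf(text)
    findings: List[str] = []
    binds = conf.get("bind")
    # No bind line, or a wildcard address, means every interface is exposed
    if binds is None or any(b in ("0.0.0.0", "*", "::") for b in binds):
        findings.append("listens on all interfaces: restrict 'bind' to trusted addresses")
    if conf.get("protected-mode", ["yes"])[0].lower() != "yes":
        findings.append("protected-mode disabled: set 'protected-mode yes'")
    password = conf.get("requirepass")
    if not password or password[0].strip('"') == "":
        findings.append("no requirepass: enable authentication")
    elif len(password[0]) < 16:
        findings.append("requirepass is short: use a long random secret")
    return findings
```

Pair the configuration check with a host firewall rule so that only the addresses listed in `bind` are reachable from other machines.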

ActiveMQ versions 5.0.0 to 5.13 are easily exploited by attackers. We recommend upgrading ActiveMQ to version 5.14.0 or a later version, since the vulnerable ActiveMQ Fileserver has been removed from those versions.