1. Home
  2. Software
  3. Xbash

Xbash

Xbash is a malware family that has targeted Linux and Microsoft Windows servers. The malware has been tied to the Iron Group, a threat actor group known for previous ransomware attacks. Xbash was developed in Python and then converted into a self-contained Linux ELF executable by using PyInstaller.[1]

ID: S0341
Type: MALWARE
Platforms: Windows, Linux
Version: 1.2
Created: 30 January 2019
Last Modified: 23 June 2020
Enterprise Layer
download view

Techniques Used

Domain ID Name Use
Enterprise T1547 .001 启动或登录自动启动执行: Registry Run Keys / Startup Folder

Xbash can create a Startup item for persistence if it determines it is on a Windows system.[1]
Enterprise T1059 .001 命令与脚本解释器: PowerShell

Xbash can use scripts to invoke PowerShell to download a malicious PE executable or PE DLL for execution.[1]
.005 命令与脚本解释器: Visual Basic

Xbash can execute malicious VBScript payloads on the victim’s machine.[1]
.007 命令与脚本解释器: JavaScript

Xbash can execute malicious JavaScript payloads on the victim’s machine.[1]
Enterprise T1203 客户端执行漏洞利用

Xbash can attempt to exploit known vulnerabilities in Hadoop, Redis, or ActiveMQ when it finds those services running in order to conduct further execution.[1][2]
Enterprise T1071 .001 应用层协议: Web Protocols

Xbash uses HTTP for C2 communications.[1]
Enterprise T1486 数据加密以实现影响

Xbash has maliciously encrypted victim's database systems and demanded a cryptocurrency ransom be paid.[1]
Enterprise T1485 数据销毁

Xbash has destroyed Linux-based databases as part of its ransomware capabilities.[1]

Enterprise T1110 .001 暴力破解: Password Guessing

Xbash can obtain a list of weak passwords from the C2 server to use for brute forcing as well as attempt to brute force services with open ports.[1][2]
Enterprise T1218 .005 系统二进制代理执行: Mshta

Xbash can use mshta for executing scripts.[1]
.010 系统二进制代理执行: Regsvr32

Xbash can use regsvr32 for executing scripts.[1]
Enterprise T1016 系统网络配置发现

Xbash can collect IP addresses and local intranet information from a victim’s machine.[1]
Enterprise T1102 .001 网络服务: Dead Drop Resolver

Xbash can obtain a webpage hosted on Pastebin to update its C2 domain list.[1]
Enterprise T1046 网络服务发现

Xbash can perform port scanning of TCP and UDP ports.[1]
Enterprise T1105 输入工具传输

Xbash can download additional malicious files from its C2 server.[1]
Enterprise T1053 .003 预定任务/作业: Cron

Xbash can create a cronjob for persistence if it determines it is on a Linux system.[1]

References

  1. Xiao, C. (2018, September 17). Xbash Combines Botnet, Ransomware, Coinmining in Worm that Targets Linux and Windows. Retrieved November 14, 2018.
  1. Trend Micro. (2018, September 19). New Multi-Platform Xbash Packs Obfuscation, Ransomware, Coinminer, Worm and Botnet. Retrieved June 4, 2019.