Xbash, the next generation malware

Technological developments are fast, but not every development is a good one. A new and very complex piece of malware has emerged that attacks both Windows and Linux and could be extended to attack macOS in the future.

This latest threat was found by Unit 42 of Palo Alto Networks and has been given the name Xbash. The malware is attributed to the infamous cybercrime organization Iron Group. It combines botnet, coin-mining and ransomware functionality and can spread itself. It attacks Linux systems with its ransomware and botnet capabilities, and Windows systems with its coin-mining and distribution capabilities.

What we did

No one except technical staff of 1A has access to the console of the 1A-servers. This makes the chance that a 1A-server becomes infected virtually nil. Two of the three database types that Xbash attacks run on the 1A-servers, but they are not reachable over the network by default and are therefore not vulnerable to it. In addition, a backup of these databases is made every day, regardless of your subscription.

In addition, the wwwfilter software is available on the 1A-server. It uses various lists to block requests to the listed addresses for all devices behind the 1A-server. The list ‘FASEC’ is managed by us. We have recently added the category ‘malware’, which contains the known addresses that Xbash uses.

What can you do?

Protection against this malware is no different from protection against other malware. Always use strong, non-default passwords. Are you prone to forgetting them? Then you can opt for a password vault, such as LastPass or a similar solution. Always install the latest security updates and frequently update the virus scanners on all devices. Also ensure you have backups that go back several intervals (so-called retention), such as our Rsnapshot backups.

If you are not already using wwwfilter, ask your 1A-partner to enable it. This functionality is part of the standard 1A-support subscription and does not add extra costs. Once it is enabled, you can activate the FASEC/malware list in the 1A manager (internet > wwwfilter). It is advisable to also activate FASEC/phishtank. Phishing is such a big problem that we have devoted an entire page to it.

It is also very important never to respond to ransom demands. This often leads nowhere and only encourages cybercriminals to invest more in malware.

Technical summary

The software is written in the Python programming language, which makes further development relatively easy. It is therefore expected that the malware will evolve further. Because the software is packaged into an executable file with the legitimate PyInstaller tool, it has no external dependencies. To date this has only been done for Linux, but in theory it could also be ported to Windows and macOS with little effort.

The malware attacks other Linux and Windows systems over the network, using a list of weak passwords and known vulnerabilities. It is divided into a number of components:

  • The ransomware component attacks MySQL, PostgreSQL and MongoDB databases and tries to delete them. It then creates a database containing a ransom message, which claims that the databases have been backed up and will be restored after payment of the ransom; that turns out to be a lie.
  • The botnet component makes the server respond to commands from the criminals’ servers. It can then be used for all sorts of illegal activities, such as further spreading of malware, but also attacks on other servers.
  • The coin-mining component does nothing more than generate crypto-currency for the criminals’ digital wallets.
  • The distribution features abuse known vulnerabilities in a number of software packages.

The research report can be found on the Palo Alto website.
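A check an administrator can run for the point made above, that the three database types Xbash targets should not be reachable over the network: this is an added example, not code from 1A or from the Unit 42 report. It parses the output of `ss -Hltn` (Linux, iproute2) and reports MySQL, PostgreSQL and MongoDB sockets bound to anything other than a loopback address; the default port numbers are assumed and the sample `ss` output is constructed for the example.

```python
import subprocess
from ipaddress import ip_address

# Default ports of the three database types the ransomware component
# targets (well-known defaults, assumed here).
DB_PORTS = {3306: "MySQL", 5432: "PostgreSQL", 27017: "MongoDB"}

# Constructed sample of `ss -Hltn` output (no header line):
# State Recv-Q Send-Q Local-Address:Port Peer-Address:Port
SAMPLE_SS = """\
LISTEN 0 80  127.0.0.1:3306   0.0.0.0:*
LISTEN 0 244 0.0.0.0:5432     0.0.0.0:*
LISTEN 0 244 [::]:5432        [::]:*
LISTEN 0 128 [::1]:27017      [::]:*
LISTEN 0 128 0.0.0.0:22       0.0.0.0:*
"""

def split_local(addr):
    """Split the Local-Address:Port column into (host, port).
    Accepts 'host:port', '[ipv6]:port' and '*:port'."""
    host, _, port = addr.rpartition(":")
    return host.strip("[]"), int(port)

def is_loopback(host):
    """True only for 127.0.0.0/8 and ::1; '*' and wildcards are exposed."""
    if host in ("", "*"):
        return False
    try:
        return ip_address(host).is_loopback
    except ValueError:
        return False  # unrecognised address form: treat as exposed

def exposed_db_listeners(ss_output):
    """Return [(service, host, port)] for database sockets not bound to loopback."""
    found = []
    for line in ss_output.splitlines():
        cols = line.split()
        if len(cols) < 5 or cols[0] != "LISTEN":
            continue
        host, port = split_local(cols[3])
        if port in DB_PORTS and not is_loopback(host):
            found.append((DB_PORTS[port], host, port))
    return found

def check_this_host():
    """Run the same check against the local machine (Linux with iproute2)."""
    out = subprocess.run(["ss", "-Hltn"], capture_output=True,
                         text=True, check=True).stdout
    return exposed_db_listeners(out)
```

Run `check_this_host()` on the server itself; for the constructed sample, `exposed_db_listeners(SAMPLE_SS)` reports only the two PostgreSQL sockets bound to all interfaces.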


Richard de Vroede

A perfectionistic Jack-of-all-trades who dedicates all of his passion to his work.