Who doesn’t like efficiency? The good news is that Windows and Linux users may get to experience it soon. The not-so-good news is that the experience may come as part of an “all-inclusive” bit of malware. It packs not just a one-two punch, but more! It can mine cryptocurrency, execute ransomware, become a botnet, and self-propagate. And it’s all wrapped up in a nice little package.
Researchers at Palo Alto Networks found Xbash lurking around and believe that the Chinese-speaking Iron Group (also known as Rocke) has its grubby hands in it. Besides the above capabilities, it has some yet-to-be-enabled functionality that can allow it to spread very quickly once it’s in a network.
Xbash scans for open ports, then uses a dictionary of weak usernames and passwords to launch a brute-force attack. Once it finds vulnerabilities, it deletes databases and issues the ransom note.
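A dictionary-style brute-force run like the one described above leaves a recognizable trail in authentication logs: one source, many failures, many different usernames, in a short time. The following Python detector is an added example, not code from this article or from the Palo Alto Networks research; the log format, thresholds, and function names are assumptions, and the sample events are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events (not real logs): time, service, source IP, user, result.
SAMPLE_LOG = """\
2018-09-20T10:00:01 mysql 203.0.113.7 root FAIL
2018-09-20T10:00:02 mysql 203.0.113.7 admin FAIL
2018-09-20T10:00:03 mysql 203.0.113.7 test FAIL
2018-09-20T10:00:04 mysql 203.0.113.7 mysql FAIL
2018-09-20T10:00:05 mysql 203.0.113.7 backup FAIL
2018-09-20T10:00:06 mysql 203.0.113.7 root OK
2018-09-20T10:05:00 ssh 198.51.100.20 alice FAIL
2018-09-20T10:05:30 ssh 198.51.100.20 alice OK
"""

def parse(line):
    """Split one event line (hypothetical format) into typed fields."""
    ts, service, src, user, result = line.split()
    return datetime.fromisoformat(ts), service, src, user, result

def detect_dictionary_attacks(log_text, window=timedelta(seconds=60),
                              min_failures=5, min_users=3):
    """Return alerts for sources whose failures look like a credential dictionary run."""
    recent = defaultdict(deque)  # (src, service) -> failed (time, user) inside the window
    flagged = set()              # (src, service) pairs that crossed the thresholds
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, service, src, user, result = parse(line)
        key = (src, service)
        fails = recent[key]
        while fails and ts - fails[0][0] > window:
            fails.popleft()      # drop failures older than the window
        if result == "FAIL":
            fails.append((ts, user))
            users = {u for _, u in fails}
            if key not in flagged and len(fails) >= min_failures and len(users) >= min_users:
                flagged.add(key)
                alerts.append(("BRUTE_FORCE", src, service, len(fails)))
        elif result == "OK" and key in flagged:
            # A success from an already-flagged source suggests a guessed password.
            alerts.append(("LOGIN_AFTER_BRUTE_FORCE", src, service, user))
    return alerts

if __name__ == "__main__":
    for alert in detect_dictionary_attacks(SAMPLE_LOG):
        print(alert)
```

The single mistyped password from 198.51.100.20 stays below the thresholds and raises no alert, while the successful login that follows the burst from 203.0.113.7 is the event that most needs a response.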
There are a lot of terms in there, so let’s make it more understandable.
What is a bot?
It’s short for web robot. It’s a software app that performs automated tasks via the Internet. There are good and bad bots. For example, Amazon’s Alexa is a bot, as is Microsoft’s Cortana. But there are also bad ones, like Mirai.
What is a botnet?
The simple description is a number of connected devices that are running multiple bots. It can perform denial-of-service (DoS) attacks, steal data, and distribute malware and spam en masse. The attacker has access to all of the connected devices.
What is ransomware?
It’s malicious software (malware) that can take over a device, encrypt data, and demand payment in some form from the victim. The attackers that use ransomware will often say they’ll give you the key to decrypt your data after you pay up, but they usually don’t, and/or the keys don’t work. That’s why it’s not recommended that you pay the ransom.
What is cryptocurrency?
It’s all the rage. It’s unregulated digital currency. Its value goes up and down like stocks. There is no central server or authority. It’s essentially a peer-to-peer monetary system. Transactions are confirmed by every cryptocurrency holder before they are deemed legitimate. This is all done digitally, of course, and it takes a lot of energy resources to do this. That’s why it uses other machines to “mine” it. The mining is the digital verification of the transactions, and it can slow systems and deplete batteries on mobile devices in a hurry. As a result of doing the work of mining, the miner is rewarded with the digital currency. That’s their “free money.”
Xbash can really do damage. Users should follow some basic cybersecurity guidelines to avoid it: