Xbash is a malware family that has targeted Linux and Microsoft Windows servers. The malware has been tied to the Iron Group, a threat actor group known for previous ransomware attacks. Xbash was developed in Python and then converted into a self-contained Linux ELF executable by using PyInstaller.[1]
Domain | ID | Name | Use | |
---|---|---|---|---|
Enterprise | T1071 | .001 | Application Layer Protocol: Web Protocols | |
Enterprise | T1547 | .001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder |
Xbash can create a Startup item for persistence if it determines it is on a Windows system.[1] |
Enterprise | T1110 | .001 | Brute Force: Password Guessing |
Xbash can obtain a list of weak passwords from the C2 server to use for brute forcing as well as attempt to brute force services with open ports.[1][2] |
Enterprise | T1059 | .001 | Command and Scripting Interpreter: PowerShell |
Xbash can use scripts to invoke PowerShell to download a malicious PE executable or PE DLL for execution.[1] |
.005 | Command and Scripting Interpreter: Visual Basic |
Xbash can execute malicious VBScript payloads on the victim’s machine.[1] |
||
.007 | Command and Scripting Interpreter: JavaScript |
Xbash can execute malicious JavaScript payloads on the victim’s machine.[1] |
||
Enterprise | T1485 | Data Destruction |
Xbash has destroyed Linux-based databases as part of its ransomware capabilities.[1] |
|
Enterprise | T1486 | Data Encrypted for Impact |
Xbash has maliciously encrypted victim's database systems and demanded a cryptocurrency ransom be paid.[1] |
|
Enterprise | T1203 | Exploitation for Client Execution |
Xbash can attempt to exploit known vulnerabilities in Hadoop, Redis, or ActiveMQ when it finds those services running in order to conduct further execution.[1][2] |
|
Enterprise | T1105 | Ingress Tool Transfer |
Xbash can download additional malicious files from its C2 server.[1] |
|
Enterprise | T1046 | Network Service Scanning | ||
Enterprise | T1053 | .003 | Scheduled Task/Job: Cron |
Xbash can create a cronjob for persistence if it determines it is on a Linux system.[1] |
Enterprise | T1218 | .005 | Signed Binary Proxy Execution: Mshta | |
.010 | Signed Binary Proxy Execution: Regsvr32 | |||
Enterprise | T1016 | System Network Configuration Discovery |
Xbash can collect IP addresses and local intranet information from a victim’s machine.[1] |
|
Enterprise | T1102 | .001 | Web Service: Dead Drop Resolver |
Xbash can obtain a webpage hosted on Pastebin to update its C2 domain list.[1] |