1. Home
  2. Software
  3. Xbash

Xbash

Xbash is a malware family that has targeted Linux and Microsoft Windows servers. The malware has been tied to the Iron Group, a threat actor group known for previous ransomware attacks. Xbash was developed in Python and then converted into a self-contained Linux ELF executable by using PyInstaller.[1]

ID: S0341
Type: MALWARE
Platforms: Windows, Linux
Version: 1.2
Created: 30 January 2019
Last Modified: 23 June 2020
Version Permalink
Enterprise Layer
download view

Techniques Used

Domain ID Name Use
Enterprise T1071 .001 Application Layer Protocol: Web Protocols

Xbash uses HTTP for C2 communications.[1]
Enterprise T1547 .001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

Xbash can create a Startup item for persistence if it determines it is on a Windows system.[1]
Enterprise T1110 .001 Brute Force: Password Guessing

Xbash can obtain a list of weak passwords from the C2 server to use for brute forcing as well as attempt to brute force services with open ports.[1][2]
Enterprise T1059 .001 Command and Scripting Interpreter: PowerShell

Xbash can use scripts to invoke PowerShell to download a malicious PE executable or PE DLL for execution.[1]
.005 Command and Scripting Interpreter: Visual Basic

Xbash can execute malicious VBScript payloads on the victim’s machine.[1]
.007 Command and Scripting Interpreter: JavaScript

Xbash can execute malicious JavaScript payloads on the victim’s machine.[1]
Enterprise T1485 Data Destruction

Xbash has destroyed Linux-based databases as part of its ransomware capabilities.[1]

Enterprise T1486 Data Encrypted for Impact

Xbash has maliciously encrypted victim's database systems and demanded a cryptocurrency ransom be paid.[1]
Enterprise T1203 Exploitation for Client Execution

Xbash can attempt to exploit known vulnerabilities in Hadoop, Redis, or ActiveMQ when it finds those services running in order to conduct further execution.[1][2]
Enterprise T1105 Ingress Tool Transfer

Xbash can download additional malicious files from its C2 server.[1]
Enterprise T1046 Network Service Discovery

Xbash can perform port scanning of TCP and UDP ports.[1]
Enterprise T1053 .003 Scheduled Task/Job: Cron

Xbash can create a cronjob for persistence if it determines it is on a Linux system.[1]
Enterprise T1218 .005 System Binary Proxy Execution: Mshta

Xbash can use mshta for executing scripts.[1]
.010 System Binary Proxy Execution: Regsvr32

Xbash can use regsvr32 for executing scripts.[1]
Enterprise T1016 System Network Configuration Discovery

Xbash can collect IP addresses and local intranet information from a victim’s machine.[1]
Enterprise T1102 .001 Web Service: Dead Drop Resolver

Xbash can obtain a webpage hosted on Pastebin to update its C2 domain list.[1]

References

  1. Xiao, C. (2018, September 17). Xbash Combines Botnet, Ransomware, Coinmining in Worm that Targets Linux and Windows. Retrieved November 14, 2018.
  1. Trend Micro. (2018, September 19). New Multi-Platform Xbash Packs Obfuscation, Ransomware, Coinminer, Worm and Botnet. Retrieved June 4, 2019.