Xbash is a malware family that has targeted Linux and Microsoft Windows servers. The malware has been tied to the Iron Group, a threat actor group known for previous ransomware attacks. Xbash was developed in Python and then converted into a self-contained Linux ELF executable by using PyInstaller.[1]
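The PyInstaller packaging described above is itself a triage handle: every PyInstaller-built binary carries a CArchive "cookie" at the end of its embedded archive, opening with the magic `MEI\x0c\x0b\x0a\x0b\x0e` and followed by big-endian 32-bit fields for package length, TOC offset, TOC length and Python version (2.1+ builds append a 64-byte Python library name). The following Python is an added example, not code from the original page or the cited report: it locates and parses that cookie so an analyst can confirm a PyInstaller build and see which Python version the archive targets before handing it to an extractor such as pyinstxtractor. The sample blob is constructed inline and is not a real Xbash binary; the version encoding rule (major*10+minor for older builds, major*100+minor for newer ones) is applied as pyinstxtractor applies it.

```python
import struct
from dataclasses import dataclass
from typing import Optional

# Magic that PyInstaller writes at the start of its CArchive cookie.
PYINSTALLER_MAGIC = b"MEI\x0c\x0b\x0a\x0b\x0e"

# Fixed leading part of the cookie, big-endian: magic, total package length,
# TOC offset, TOC length, Python version. PyInstaller 2.1+ appends a 64-byte
# Python library name; this parser only reads the common 24-byte prefix.
COOKIE_FIXED = struct.Struct("!8siiii")


@dataclass
class PyInstallerCookie:
    cookie_offset: int    # where the cookie starts in the file
    package_len: int      # length of the embedded archive, cookie included
    toc_offset: int       # TOC position relative to the archive start
    toc_len: int
    python_version: str   # e.g. "2.7" or "3.6"


def decode_python_version(pyver: int) -> str:
    # Older builds store major*10+minor (27, 36); newer ones major*100+minor (307).
    major, minor = divmod(pyver, 100) if pyver >= 100 else divmod(pyver, 10)
    return f"{major}.{minor}"


def classify_container(data: bytes) -> str:
    # Xbash ships as an ELF; the same archive layout is used for Windows PE builds.
    if data.startswith(b"\x7fELF"):
        return "ELF"
    if data.startswith(b"MZ"):
        return "PE"
    return "unknown"


def find_pyinstaller_cookie(data: bytes) -> Optional[PyInstallerCookie]:
    # The bootloader code itself contains the magic as a constant (it searches for
    # it at run time), so search from the end: the last occurrence is the cookie.
    pos = data.rfind(PYINSTALLER_MAGIC)
    if pos < 0 or pos + COOKIE_FIXED.size > len(data):
        return None
    _magic, pkg_len, toc_off, toc_len, pyver = COOKIE_FIXED.unpack_from(data, pos)
    # Sanity checks: the TOC must fit inside the package, and the package
    # (which ends with the cookie) must fit inside the bytes before the cookie end.
    if pkg_len <= 0 or toc_off < 0 or toc_len < 0 or toc_off + toc_len > pkg_len:
        return None
    if pkg_len > pos + COOKIE_FIXED.size:
        return None
    return PyInstallerCookie(pos, pkg_len, toc_off, toc_len, decode_python_version(pyver))


def build_sample_blob() -> bytes:
    # Constructed stand-in for a PyInstaller-built ELF (not a real Xbash sample):
    # ELF magic plus filler for the bootloader, which also embeds the magic constant,
    # then a fake archive body, a fake TOC, and a cookie describing them.
    bootloader = b"\x7fELF" + b"\x00" * 60 + PYINSTALLER_MAGIC + b"\x00" * 112
    archive_body = b"A" * 200
    toc = b"T" * 40
    pkg_len = len(archive_body) + len(toc) + COOKIE_FIXED.size
    cookie = COOKIE_FIXED.pack(PYINSTALLER_MAGIC, pkg_len, len(archive_body), len(toc), 27)
    return bootloader + archive_body + toc + cookie


def triage(data: bytes) -> dict:
    cookie = find_pyinstaller_cookie(data)
    return {"container": classify_container(data),
            "pyinstaller": cookie is not None,
            "cookie": cookie}


if __name__ == "__main__":
    print(triage(build_sample_blob()))
```

Searching from the end matters in practice: the bootloader's own copy of the magic would otherwise be mistaken for the cookie, and on Linux the archive may sit in a `pydata` section followed by the ELF section headers rather than at the very end of the file.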

ID: S0341
Platforms: Windows, Linux

Version: 1.0

Techniques Used

Domain | ID | Name | Use
Enterprise | T1110 | Brute Force | Xbash can obtain a list of weak passwords from the C2 server to use for brute forcing.[1]
Enterprise | T1203 | Exploitation for Client Execution | Xbash can attempt to exploit known vulnerabilities in Hadoop, Redis, or ActiveMQ when it finds those services running in order to conduct further execution.[1]
Enterprise | T1168 | Local Job Scheduling | Xbash can create a cronjob for persistence if it determines it is on a Linux system.[1]
Enterprise | T1170 | Mshta | Xbash can use mshta for executing scripts.[1]
Enterprise | T1046 | Network Service Scanning | Xbash can perform port scanning of TCP and UDP ports.[1]
Enterprise | T1086 | PowerShell | Xbash can use scripts to invoke PowerShell to download a malicious PE executable or PE DLL for execution.[1]
Enterprise | T1060 | Registry Run Keys / Startup Folder | Xbash can create a Startup item for persistence if it determines it is on a Windows system.[1]
Enterprise | T1117 | Regsvr32 | Xbash can use regsvr32 for executing scripts.[1]
Enterprise | T1105 | Remote File Copy | Xbash can download additional malicious files from its C2 server.[1]
Enterprise | T1064 | Scripting | Xbash can execute malicious JavaScript and VBScript payloads on the victim's machine.[1]
Enterprise | T1071 | Standard Application Layer Protocol | Xbash uses HTTP for C2 communications.[1]
Enterprise | T1016 | System Network Configuration Discovery | Xbash can collect IP addresses and local intranet information from a victim's machine.[1]
Enterprise | T1102 | Web Service | Xbash can obtain a webpage hosted on Pastebin to update its C2 domain list.[1]
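The T1071 and T1102 rows together describe a detectable sequence: an infected server pulls a raw paste from Pastebin to refresh its C2 domain list, then begins HTTP traffic to destinations the environment has never contacted. The Python below is an added example, not code from the original page or the cited report, that runs that correlation over proxy logs: it flags raw-paste fetches from any source and, within an assumed ten-minute window, any first-seen destination host contacted by the same source. The log lines, their simplified "timestamp src method url status" format, the addresses and the example.com/example.net/example.org hosts are all constructed for the example.

```python
import re
from datetime import datetime, timedelta
from typing import Dict, List, Tuple
from urllib.parse import urlsplit

# Constructed proxy log excerpt (not real traffic): one server fetches a raw
# paste and, seconds later, starts posting to a host nobody has contacted before.
SAMPLE_LOG = """\
2018-09-01T10:00:01 10.0.0.5 GET http://updates.example.com/index.html 200
2018-09-01T10:00:05 10.0.0.9 GET https://pastebin.com/raw/AbCd1234 200
2018-09-01T10:00:12 10.0.0.9 POST http://c2-fresh.example.net/report 200
2018-09-01T10:00:40 10.0.0.9 GET http://updates.example.com/index.html 200
2018-09-01T10:05:00 10.0.0.5 GET http://updates.example.com/patch.bin 200
2018-09-01T10:30:00 10.0.0.9 GET http://late.example.org/ 200
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$"
)
# Paste services worth flagging from server subnets; extend for your environment.
PASTE_HOSTS = {"pastebin.com"}
# Assumed correlation window: how long after a paste fetch a first-seen
# destination is treated as a likely freshly distributed C2 host.
WINDOW = timedelta(minutes=10)


def parse_log(text: str) -> List[Dict]:
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than aborting the whole run
        host = (urlsplit(m["url"]).hostname or "").lower()
        events.append({"ts": datetime.fromisoformat(m["ts"]), "src": m["src"],
                       "method": m["method"], "url": m["url"], "host": host})
    events.sort(key=lambda e: e["ts"])  # correlation below assumes time order
    return events


def detect_paste_driven_c2(text: str) -> List[Tuple[str, str, str]]:
    """Return (alert_type, source, detail) tuples in log order."""
    alerts = []
    seen_hosts = set()       # destinations already contacted by anyone (baseline)
    last_paste_fetch = {}    # src -> time it last pulled a raw paste
    for e in parse_log(text):
        if e["host"] in PASTE_HOSTS and "/raw/" in e["url"]:
            alerts.append(("paste_fetch", e["src"], e["url"]))
            last_paste_fetch[e["src"]] = e["ts"]
        elif (e["src"] in last_paste_fetch
              and e["ts"] - last_paste_fetch[e["src"]] <= WINDOW
              and e["host"] not in seen_hosts):
            alerts.append(("new_host_after_paste", e["src"], e["host"]))
        seen_hosts.add(e["host"])
    return alerts


if __name__ == "__main__":
    for alert in detect_paste_driven_c2(SAMPLE_LOG):
        print(*alert)
```

In production the `seen_hosts` baseline should be seeded from weeks of history rather than the same excerpt being scanned, otherwise every host early in the file looks "new"; the raw-paste fetch alone is already worth an alert on hosts that have no business browsing paste sites.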