Xbash is a malware family that has targeted Linux and Microsoft Windows servers. The malware has been tied to the Iron Group, a threat actor group known for previous ransomware attacks. Xbash was developed in Python and then converted into a self-contained Linux ELF executable by using PyInstaller.[1]

ID: S0341
Platforms: Windows, Linux
Version: 1.1

Techniques Used

| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1110 | Brute Force | Xbash can obtain a list of weak passwords from the C2 server to use for brute forcing as well as attempt to brute force services with open ports.[1][2] |
| Enterprise | T1485 | Data Destruction | Xbash has destroyed Linux-based databases as part of its ransomware capabilities.[1] |
| Enterprise | T1486 | Data Encrypted for Impact | Xbash has maliciously encrypted victim's database systems and demanded a cryptocurrency ransom be paid.[1] |
| Enterprise | T1203 | Exploitation for Client Execution | Xbash can attempt to exploit known vulnerabilities in Hadoop, Redis, or ActiveMQ when it finds those services running in order to conduct further execution.[1][2] |
| Enterprise | T1168 | Local Job Scheduling | Xbash can create a cronjob for persistence if it determines it is on a Linux system.[1] |
| Enterprise | T1170 | Mshta | Xbash can use mshta for executing scripts.[1] |
| Enterprise | T1046 | Network Service Scanning | Xbash can perform port scanning of TCP and UDP ports.[1] |
| Enterprise | T1086 | PowerShell | Xbash can use scripts to invoke PowerShell to download a malicious PE executable or PE DLL for execution.[1] |
| Enterprise | T1060 | Registry Run Keys / Startup Folder | Xbash can create a Startup item for persistence if it determines it is on a Windows system.[1] |
| Enterprise | T1117 | Regsvr32 | Xbash can use regsvr32 for executing scripts.[1] |
| Enterprise | T1105 | Remote File Copy | Xbash can download additional malicious files from its C2 server.[1] |
| Enterprise | T1064 | Scripting | Xbash can execute malicious JavaScript and VBScript payloads on the victim’s machine.[1] |
| Enterprise | T1071 | Standard Application Layer Protocol | Xbash uses HTTP for C2 communications.[1] |
| Enterprise | T1016 | System Network Configuration Discovery | Xbash can collect IP addresses and local intranet information from a victim’s machine.[1] |
| Enterprise | T1102 | Web Service | Xbash can obtain a webpage hosted on Pastebin to update its C2 domain list.[1] |