
Iron Group launches cyber attacks campaign with new Xbash malware

Palo Alto Networks Unit 42: Iron Group cybercriminals (aka Rocke) launched a wave of cyber attacks on Windows and Linux servers with new Xbash malware

The Iron Group cyber criminals (aka Rocke) have launched a wave of cyber attacks on Windows and Linux servers using the new Xbash malware, which was discovered by Palo Alto Networks Unit 42 cyber security researchers. The malicious hackers, known for their ransomware campaigns, now use code that combines ransomware with coin-mining capability. In addition, it has the characteristics of a botnet and a worm, as it can replicate itself like the well known WannaCry and Petya/NotPetya. Finally, it is able to spread rapidly inside infected networks, although for the moment this capability does not appear to have been activated yet. It does, however, attack weak passwords and unpatched vulnerabilities.

The malicious code, which also has worm characteristics, propagates by attacking weak passwords and unpatched vulnerabilities. Here they are in detail

In detail, to propagate the Xbash malware exploits a remote code execution vulnerability in the Hadoop YARN Resource Manager; a vulnerability in Redis that allows arbitrary file writes and remote command execution without authentication; and an Apache ActiveMQ vulnerability that could allow arbitrary files to be uploaded and executed on the system. In addition, the Iron Group cyber criminals use the malicious code to perform active network scans and brute force attacks with predefined credentials against the VNC, Rsync, MySQL, MariaDB, Memcached, PostgreSQL, MongoDB and phpMyAdmin network services.
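As an added defender-side example (not code from the article or from Unit 42), the following Python script looks through constructed firewall-style connection logs for a single source contacting the default ports of the services listed above on many distinct hosts, the pattern that such scanning and brute forcing produces. The port numbers are the standard defaults and the log lines are constructed; phpMyAdmin is omitted because it runs over ordinary HTTP ports.

```python
import re
from collections import defaultdict

# Default ports of the services the article names as Xbash targets.
# These are well-known defaults, not values taken from the article.
TARGET_PORTS = {
    8088: "Hadoop YARN ResourceManager",
    6379: "Redis",
    8161: "ActiveMQ web console",
    5900: "VNC",
    873: "rsync",
    3306: "MySQL/MariaDB",
    11211: "Memcached",
    5432: "PostgreSQL",
    27017: "MongoDB",
}

# Constructed firewall-style connection log lines (not real traffic).
SAMPLE_LOG = """\
2018-09-17T10:00:01Z src=203.0.113.7 dst=10.0.0.5 dport=6379 action=accept
2018-09-17T10:00:02Z src=203.0.113.7 dst=10.0.0.6 dport=6379 action=accept
2018-09-17T10:00:03Z src=203.0.113.7 dst=10.0.0.7 dport=3306 action=accept
2018-09-17T10:00:04Z src=203.0.113.7 dst=10.0.0.8 dport=5432 action=accept
2018-09-17T10:00:05Z src=203.0.113.7 dst=10.0.0.9 dport=27017 action=accept
2018-09-17T10:00:06Z src=198.51.100.2 dst=10.0.0.5 dport=443 action=accept
2018-09-17T10:00:07Z src=198.51.100.2 dst=10.0.0.5 dport=6379 action=accept
"""

LINE_RE = re.compile(r"src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)")

def find_scanners(log_text, min_hosts=3, min_services=2):
    """Return {src: {"hosts": n, "services": [...]}} for sources that
    touched Xbash-relevant ports on many distinct hosts and services."""
    hosts = defaultdict(set)      # src -> set of destination hosts
    services = defaultdict(set)   # src -> set of service names contacted
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        port = int(m.group("dport"))
        if port not in TARGET_PORTS:
            continue              # ignore traffic to unrelated ports
        hosts[m.group("src")].add(m.group("dst"))
        services[m.group("src")].add(TARGET_PORTS[port])
    result = {}
    for src in hosts:
        if len(hosts[src]) >= min_hosts and len(services[src]) >= min_services:
            result[src] = {"hosts": len(hosts[src]), "services": sorted(services[src])}
    return result
```

Feed it real connection logs in the same `src=... dst=... dport=...` form (or adapt `LINE_RE`) and tune the thresholds to the size of the network being monitored.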

All the damages that Xbash can cause to a victim

Once permanently installed on the target system, Xbash can delete data in compromised databases and demand a ransom in Bitcoin (fake ransomware, since the data has already been deleted); download Trojan / Cryptominer malware that exploits the computational capacity of the victim host, causing severe slowdowns (Windows); and download Trojan / Ransomware malware that can render the data and files inside the infected machine (Windows) unusable. Furthermore, the Iron Group code has “anti-detection” capabilities: it can obfuscate the indicators of malicious behavior. This obfuscation helps the malware defeat detection by antivirus/antimalware engines or static analysis, so much so that today it has a detection rate of 1 out of 57.

The Palo Alto Networks post with the IOCs

Photo Credits: Palo Alto Networks
