Skip to content

S0341 Xbash

Xbash is a malware family that has targeted Linux and Microsoft Windows servers. The malware has been tied to the Iron Group, a threat actor group known for previous ransomware attacks. Xbash was developed in Python and then converted into a self-contained Linux ELF executable by using PyInstaller.1

Item Value
ID S0341
Associated Names
Version 1.2
Created 30 January 2019
Last Modified 23 June 2020
Navigation Layer View In ATT&CK® Navigator

Techniques Used

Domain ID Name Use
enterprise T1071 Application Layer Protocol -
enterprise T1071.001 Web Protocols Xbash uses HTTP for C2 communications.1
enterprise T1547 Boot or Logon Autostart Execution -
enterprise T1547.001 Registry Run Keys / Startup Folder Xbash can create a Startup item for persistence if it determines it is on a Windows system.1
enterprise T1110 Brute Force -
enterprise T1110.001 Password Guessing Xbash can obtain a list of weak passwords from the C2 server to use for brute forcing as well as attempt to brute force services with open ports.12
enterprise T1059 Command and Scripting Interpreter -
enterprise T1059.001 PowerShell Xbash can use scripts to invoke PowerShell to download a malicious PE executable or PE DLL for execution.1
enterprise T1059.005 Visual Basic Xbash can execute malicious VBScript payloads on the victim’s machine.1
enterprise T1059.007 JavaScript Xbash can execute malicious JavaScript payloads on the victim’s machine.1
enterprise T1485 Data Destruction Xbash has destroyed Linux-based databases as part of its ransomware capabilities.1
enterprise T1486 Data Encrypted for Impact Xbash has maliciously encrypted victim’s database systems and demanded a cryptocurrency ransom be paid.1
enterprise T1203 Exploitation for Client Execution Xbash can attempt to exploit known vulnerabilities in Hadoop, Redis, or ActiveMQ when it finds those services running in order to conduct further execution.12
enterprise T1105 Ingress Tool Transfer Xbash can download additional malicious files from its C2 server.1
enterprise T1046 Network Service Discovery Xbash can perform port scanning of TCP and UDP ports.1
enterprise T1053 Scheduled Task/Job -
enterprise T1053.003 Cron Xbash can create a cronjob for persistence if it determines it is on a Linux system.1
enterprise T1218 System Binary Proxy Execution -
enterprise T1218.005 Mshta Xbash can use mshta for executing scripts.1
enterprise T1218.010 Regsvr32 Xbash can use regsvr32 for executing scripts.1
enterprise T1016 System Network Configuration Discovery Xbash can collect IP addresses and local intranet information from a victim’s machine.1
enterprise T1102 Web Service -
enterprise T1102.001 Dead Drop Resolver Xbash can obtain a webpage hosted on Pastebin to update its C2 domain list.1