In this week’s threat report we’re covering two stories, the discovery of XBash malware and an unground marketplace offering a compromised bank ATM and three different companies’ company websites for sale.
Researchers have discovered XBash, a malware with ransomware, botnet, and coin-mining functionalities. According to their research, XBash abuses weak passwords and unpatched vulnerabilities and is capable of spreading rapidly within an organization’s network. Researchers found that XBash targets Linux-based systems specifically for its ransomware and botnet capabilities, and targets Microsoft Windows-based systems primarily for its coin-mining and self-propagating capabilities. While XBash has ransomware functionality, researchers found no evidence to suggest that XBash would restore data after the ransom is paid.
At the time of report, researchers had observed 48 incoming transactions associated with the malware with a total income of 0.964 bitcoins, indicating that victims had paid roughly $6,000 total. XBash was first developed in Python and then converted into self-contained Linux ELF executables by abusing the legitimate tool PyInstaller for distribution. Instead of generating random IP addresses as scanning destinations like many other botnets, XBash instead retrieves both IP addresses and domain names from its C2 servers for service probing and exploiting. XBash can also scan for vulnerable servers within an enterprise intranet; however, researchers have only observed this functionality in collected samples and have yet to see it in action.
Perchy monitors many marketplaces for threat leads, and a compromised ATM for rent caught our eye. Lampeduza, aka BigPetya, a member of multiple underground forums, is selling access to an ATM belonging to a Nigerian bank for $25,000. The actor is also selling access to three different company websites. The first is californiaoliveranch.com, an online store linked to 1,000 PCs, available for the price $5,000. The second is dizucar.com, a company with 500-900 connected computers and a server, available for $4,000, and the last is www.enel.com, available for $10,000. Compromised sites are often leveraged in other attacks. If you start to see these domains pop up in your logs you may want to take a closer look even though the sites appear legitimate and do not have a negative reputation.