XBash

Threat type: Ransomware/Coinminer
XBash malware is a botnet with self-propagating capabilities that spreads ransomware and malicious cryptomining. The initial infection happens by gaining access to systems that have weak passwords or any of a long list of unpatched vulnerabilities. On Linux systems, the ransomware deletes the databases it finds and leaves a note requesting ransom payment. The malware currently does not appear to contain any functionality that could actually restore the deleted data, so paying the ransom cannot recover it. On Windows systems, the malicious coinminer is dropped and executed.
How Umbrella blocks XBash
Umbrella blocks the domains that are tied to malicious files as well as IP addresses associated with command and control callbacks. Umbrella uses AV engines and Cisco Advanced Malware Protection (AMP) to block malicious files before they're downloaded. AMP detects XBash malware as Win.Worm.Xbash!1.B438 (Windows version) and Trojan.Linux.Agent.gf (Linux version) and Umbrella proactively blocks the threat.

References

IOCs (Indicators of Compromise)
3g2upl4pq6kufc4m[.]tk, d3goboxon32grk2l[.]tk, daknobcq4zal6vbm[.]tk, e3sas6tzvehwgpak[.]tk, png.realtimenews[.]tk, xmr.enjoytopic[.]tk, Bitcoinwallet8[.]com, blockchaln[.]info, enjoytopic[.]com, onion[.]today, realnewstime[.]xyz, sw5y[.]com, swb[.]one, tor2web[.]us, ejectrift.censys[.]xyz, scan.censys[.]xyz, api.leakingprivacy[.]tk, news.realnewstime[.]xyz, scan.realnewstime[.]xyz, news.realtimenews[.]tk, scanaan[.]tk, scan.vfk2k5s5tfjr27tz[.]tk, scan.blockbitcoin[.]tk, blockbitcoin[.]com, 142.44.215[[.]]177, 144.217.61[[.]]147
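As an added example (not code from the page or from Umbrella), the following Python matcher refangs indicators written in the page's `[.]` / `[[.]]` style and checks DNS query and outbound connection log lines against them. The indicator subset is copied from the list above; the log lines and their format are constructed for this demo.

```python
import re
from typing import List, Optional, Set, Tuple

# Two domains and one IP copied from the page's defanged IOC list, which
# uses "[.]" for domains and "[[.]]" for IP addresses (subset for the demo).
IOCS = "blockchaln[.]info, scan.blockbitcoin[.]tk, 142.44.215[[.]]177"

# Constructed log lines: "<timestamp> <client> <dns|conn> <queried name or peer IP>".
SAMPLE_LOG = """\
2018-09-20T10:01:02Z 10.0.0.5 dns www.example.com
2018-09-20T10:01:07Z 10.0.0.5 dns api.blockchaln.info
2018-09-20T10:02:13Z 10.0.0.9 conn 142.44.215.177
2018-09-20T10:02:40Z 10.0.0.9 dns blockbitcoin.tk
"""

def refang(indicator: str) -> str:
    """Undo the defanging so the value can be compared with real log data."""
    return indicator.strip().replace("[[.]]", ".").replace("[.]", ".").lower()

def load_iocs(text: str) -> Set[str]:
    """Parse a comma-separated defanged list into a set of refanged values."""
    return {refang(item) for item in text.split(",") if item.strip()}

def indicator_matches(value: str, iocs: Set[str]) -> Optional[str]:
    """Return the matching IOC for an exact hit or any subdomain of an IOC domain.
    A parent of a listed subdomain is not flagged (blockbitcoin.tk stays clean)."""
    labels = value.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in iocs:
            return candidate
    return None

LOG_RE = re.compile(r"^(\S+) (\S+) (dns|conn) (\S+)$")

def scan_log(lines, iocs: Set[str]) -> List[Tuple[str, str, str]]:
    """Return (client, observed value, matched IOC) for every line that hits."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines instead of aborting the scan
        _ts, client, _kind, target = m.groups()
        ioc = indicator_matches(target, iocs)
        if ioc:
            hits.append((client, target, ioc))
    return hits
```

Feed `scan_log` the lines of a real resolver or firewall log in the same three-field shape, and the hits are the clients that should be triaged for XBash activity.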

How it works