LTS Secure Warning: New Xbash Malware is a Cocktail of Malicious Functions

Xbash malware has strong intrusion capabilities, especially using ransomware and coin mining along with the self-replicative function to propagate across the infected network to compromise the vulnerable system.

It also targets the Linux-based databases to attack using its ransomware and botnet capabilities, but it won’t restore the infected files after victims paid the ransom, which means that it posed as ransomware but actually destruct the infected machine data.

Technical Details

The researchers named this new malware “Xbash”, based on the name of the malicious code’s original main module.

Previously spreading malicious Crypto-miners by Iron cyber criminals mainly targeting the windows machine and very few Linux based Database but current Xbash malware targeting the unprotected services to delete the victim’s MySQL, PostgreSQL and MongoDB databases.


Xbash initial stage of attack starts by scanning the vulnerable Redis services to find out whether the target running on Windows or not. Once it figures it out that the target is windows then it will send malicious JavaScript or VBScript payload for downloading and executing a coinminer for Windows.

The researcher said, “PyInstaller’s code compilation, code compression/conversion, and optional code encryption together work to obfuscate the indicators of malicious behavior. This obfuscation helps the malware to defeat detection by antivirus/antimalware engines or static analysis.”

Scanning And Exploitation

Unlike other botnets like Mirai and Gafgyt, Xbase malware not only scan the IP address, but it extending the targets to public websites by targeting domains as well as IP addresses. During the scanning process, Xbash will also request C2 server via URI “/p” to fetch a list of weak passwords for brute force.

Once Xbash malware successfully finds the specific open ports weak credentials or exploitable, unpatched vulnerability then it will report to the attacker via command and control server.

Recommend Actions

Best practice to protect enterprise systems from these kinds of threats.

  • Frequently change your passwords and make them complicated, from the gateway to the endpoint. Practice good password hygiene, and avoid reusing credentials on multiple user accounts.
  • Regularly install system updates and patches for your systems once released by legitimate vendors.
  • Regularly back up your files. Practice the 3-2-1 system to minimize or mitigate data loss.

For more security advisory, visit at Xbash Malware.

LTS Secure Locations
  • Florida: 407-965-5509
    Los Angeles: 323-544-5013
    Mid West: 800 689 4506

  • Chicago/Midwest– 2406 Schumacher Drive, Mishawaka, IN, 46545

    201, Tower S4, Phase II, Cybercity, Magarpatta Township, Hadapsar, Pune-411013