Paul Scott

on September 18, 2018

Threat Report Tuesday September 18th 2018


In this week’s threat report we’re covering two stories: the discovery of XBash malware, and an underground marketplace offering a compromised bank ATM and three companies’ websites for sale.

XBash Malware Discovered

Researchers have discovered XBash, a malware with ransomware, botnet, and coin-mining functionalities. According to their research, XBash abuses weak passwords and unpatched vulnerabilities and is capable of spreading rapidly within an organization’s network. Researchers found that XBash targets Linux-based systems specifically for its ransomware and botnet capabilities, and targets Microsoft Windows-based systems primarily for its coin-mining and self-propagating capabilities. While XBash has ransomware functionality, researchers found no evidence to suggest that XBash would restore data after the ransom is paid.

At the time of the report, researchers had observed 48 incoming transactions associated with the malware with a total income of 0.964 bitcoins, indicating that victims had paid roughly $6,000 total. XBash was first developed in Python and then converted into self-contained Linux ELF executables by abusing the legitimate tool PyInstaller for distribution. Unlike many other botnets, which generate random IP addresses as scanning destinations, XBash retrieves both IP addresses and domain names from its C2 servers for service probing and exploiting. XBash can also scan for vulnerable servers within an enterprise intranet; however, researchers have only observed this functionality in collected samples and have yet to see it in action.

paloaltonetworks

Recommendations:

  • Block emails from:
    • backupdatabase@pm[.]me
    • backupsql@pm[.]me
    • backupsql@protonmail[.]com
  • Use strong, non-default passwords
  • Keep up to date on security updates
  • Implement endpoint security on Microsoft Windows and Linux systems
  • Prevent access to unknown hosts on the internet (to prevent access to command and control servers)
  • Implement and maintain rigorous and effective backup and restoration processes and procedures.

Emerald Magpie Offers Compromised ATM for Sale

Perchy monitors many marketplaces for threat leads, and a compromised ATM for rent caught our eye. Emerald Magpie (aka FXMSP, Lampeduza, or BigPetya) is selling access to an ATM belonging to a Nigerian bank for $25,000. The group is also selling access to three different company websites. The first is californiaoliveranch.com, an online store linked to 1,000 PCs, available for the price of $5,000. The second is dizucar.com, a company with 500-900 connected computers and a server, available for $4,000, and the last is www.enel.com, available for $10,000. Compromised sites are often leveraged in other attacks. If you start to see these domains pop up in your logs, you may want to take a closer look, even though the sites appear legitimate and do not have a negative reputation.

Emerald Magpie is a Russian- and English-speaking cyber-criminal group selling network access to a wide variety of financial, e-commerce, and industrial organizations and governmental institutions globally. Emerald Magpie has demonstrated a willingness to work with Russian Security Services, selling them access to targets of interest and trading for zero-day exploits.

Recommendations:

  • Monitor your ATM network and system activity for signs of compromise and infection.
  • Monitor these domains and IPs for phishing, scanning, or malware hosting activities.
    • dizucar[.]com - 108.178.54.58
    • www[.]enel[.]com - 107.154.108.99
    • californiaoliveranch[.]com - 104.196.229.107
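
One way to act on the monitoring recommendations in this report, as an added example that is not part of the original post: a small Python matcher that refangs the indicators published above and checks them against log lines. The log lines and their format are constructed for illustration; adapt the input to your own proxy, mail, firewall, or DNS logs.

```python
import re

# Indicators exactly as published in this report (hosts and senders still defanged).
PUBLISHED_HOSTS = ["dizucar[.]com", "www[.]enel[.]com", "californiaoliveranch[.]com"]
PUBLISHED_IPS = ["108.178.54.58", "107.154.108.99", "104.196.229.107"]
PUBLISHED_SENDERS = ["backupdatabase@pm[.]me", "backupsql@pm[.]me",
                     "backupsql@protonmail[.]com"]

def refang(ioc):
    """Turn 'pm[.]me' back into 'pm.me' so it can be compared with log data."""
    return ioc.replace("[.]", ".").lower()

HOSTS = {refang(h) for h in PUBLISHED_HOSTS}
EXACT = {refang(i) for i in PUBLISHED_IPS + PUBLISHED_SENDERS}

# Extract e-mail addresses, hostnames and IPv4 addresses as whole tokens.
TOKEN = re.compile(r"[\w.%+-]+@[\w.-]+|[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+")

def match_token(token):
    """Return the indicator a token hits, or None."""
    token = token.lower().strip(".")
    if token in EXACT or token in HOSTS:
        return token
    if "@" in token:
        return None  # senders match exactly, never by suffix
    # Subdomains count only on a label boundary: 'shop.dizucar.com' hits, 'notdizucar.com' does not.
    return next((h for h in HOSTS if token.endswith("." + h)), None)

def scan(lines):
    """Return (line_number, indicator) for every indicator seen in the log lines."""
    hits = []
    for n, line in enumerate(lines, 1):
        hits += [(n, ioc) for ioc in map(match_token, TOKEN.findall(line)) if ioc]
    return hits

# Constructed sample lines (proxy, mail, firewall and DNS style), not real telemetry.
SAMPLE_LOG = [
    "2018-09-18T10:00:01Z proxy GET http://shop.dizucar.com/cart 200",
    "2018-09-18T10:00:02Z proxy GET http://notdizucar.com/ 200",
    "2018-09-18T10:00:03Z mail from=<BackupSQL@pm.me> to=<ops@example.org>",
    "2018-09-18T10:00:04Z fw ALLOW 10.0.0.5 -> 107.154.108.99:443",
    "2018-09-18T10:00:05Z fw ALLOW 10.0.0.5 -> 107.154.108.9:443",
    "2018-09-18T10:00:06Z dns query www.enel.com A",
]

if __name__ == "__main__":
    for n, ioc in scan(SAMPLE_LOG):
        print(f"line {n}: {ioc}")
```

Matching on whole tokens keeps look-alike hosts and truncated IP addresses (lines 2 and 5 of the sample) from raising false alerts.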

We'd love to hear your thoughts. Find us on Twitter, LinkedIn or write in to hello@perchsecurity.com
