Xbash Malware


The new threat, named Xbash, combines ransomware, cryptomining, botnet and self-propagating worm behaviour, and it hunts for systems protected by weak passwords and machines running with known, unpatched vulnerabilities.

Security researchers from Palo Alto Networks’ Unit 42 analyzed Xbash and noticed that its ransomware and botnet talents are reserved for Linux systems, with clear instructions to delete databases; while the malware’s activity on Windows machines is limited to cryptocurrency mining and self-propagation routines that exploit known security bugs in Hadoop, Redis, and ActiveMQ services.

Xbash's ransomware side is just for show, researchers say: it drops a ransom note, but it contains no code to back up or restore what it destroys, so paying recovers nothing. The malware locates MySQL, PostgreSQL and MongoDB services that are exposed without credentials, or with credentials it can brute-force, and deletes their databases outright.

Xbash is written in Python and packaged into self-contained Linux ELF executables with PyInstaller. Bundling the interpreter this way has several advantages for the attacker: the binaries evade signature-based detection more easily, they install and run on a wide range of Linux distributions without depending on a matching Python installation, and the same source can be built for Windows, Linux and macOS.

Source: BleepingComputer

How do you protect yourself?

Xbash gets in through weak passwords and old bugs, so the defences are the basic ones, applied to the services it targets. Use strong, unique credentials on Redis, MySQL, PostgreSQL, MongoDB, Hadoop and ActiveMQ (a default Redis instance, for example, has no password at all unless requirepass is set), and never expose those services to the internet: bind them to internal interfaces and firewall their ports. Patch the Hadoop, Redis and ActiveMQ flaws it exploits for propagation. Keep tested, offline backups of every database, because the malware deletes data rather than encrypting it and paying the ransom restores nothing. Up-to-date endpoint security adds a further layer against the cryptomining component, but it does not replace the measures above.


CVE-2018-12848


Adobe has released security updates (bulletin APSB18-34) for Adobe Acrobat and Reader on Windows and macOS. The updates address critical and important vulnerabilities: the critical flaw, CVE-2018-12848, is an out-of-bounds write that can lead to arbitrary code execution in the context of the current user, and the important ones are out-of-bounds reads that can disclose information. Opening a crafted PDF is all it takes, so the affected versions should be treated as exploitable by any document that reaches a user.

The affected versions are:

Product              Track         Affected Versions            Platform           Priority rating
Acrobat DC           Continuous    2018.011.20058 and earlier   Windows and macOS  2
Acrobat Reader DC    Continuous    2018.011.20058 and earlier   Windows and macOS  2
Acrobat 2017         Classic 2017  2017.011.30099 and earlier   Windows and macOS  2
Acrobat Reader 2017  Classic 2017  2017.011.30099 and earlier   Windows and macOS  2
Acrobat DC           Classic 2015  2015.006.30448 and earlier   Windows and macOS  2
Acrobat Reader DC    Classic 2015  2015.006.30448 and earlier   Windows and macOS  2

Source: Adobe

How do you protect yourself?

Adobe assigns these updates priority rating 2, meaning the product has historically been at elevated risk but no exploit is known at the time of release, and recommends installing the update soon, within 30 days at most. Users on each track should update to the version listed below; the Continuous track updates itself, while Classic tracks must be patched through their own update mechanism or by redeploying the installer:

Product              Track         Updated Version   Platform           Priority rating  Availability
Acrobat DC           Continuous    2018.011.20063    Windows and macOS  2                Windows, macOS
Acrobat Reader DC    Continuous    2018.011.20063    Windows and macOS  2                Windows, macOS
Acrobat 2017         Classic 2017  2017.011.30102    Windows and macOS  2                Windows, macOS
Acrobat Reader 2017  Classic 2017  2017.011.30102    Windows and macOS  2                Windows, macOS
Acrobat DC           Classic 2015  2015.006.30452    Windows and macOS  2                Windows, macOS
Acrobat Reader DC    Classic 2015  2015.006.30452    Windows and macOS  2                Windows, macOS

 

Fbot Botnet


An unusual botnet has appeared which, instead of infecting devices in order to enslave them, appears to be wiping them clean of cryptocurrency-mining malware.

Researchers at 360 Netlab say Fbot appeared on their radar last week, and the only job this botnet seems to have is to chase down systems infected by another botnet, com.ufo.miner, a variant of ADB.Miner.

Fbot and ADB.Miner spread the same way. Both scan for TCP port 5555, the port the Android Debug Bridge (ADB) listens on when debugging has been enabled over the network; an open port gives an unauthenticated shell, which the payload uses to run scripts that download and execute malware and establish a channel to the operator's command and control (C2) server.

However, in Fbot’s case, the payload uninstalls ADB mining scripts and cleans the system. After the botnet has tracked down ADB malware processes, killed them, and scrubbed away any trace of the former infection, the botnet deletes itself.

Fbot is a highly unusual botnet variant. However, it may not be a good-guy vigilante at work simply seeking to clean up our infected systems.

An alternative reason for the botnet’s cleaning duties may be to wipe away the competition and infect devices with its own cryptojacking scripts or malware in the future. Either way, Fbot is a botnet worth keeping an eye on.

Source: ZDNet

How do you protect yourself?

Fbot abuses a debugging feature rather than a bug, so the fix is configuration. Disable ADB over TCP on every Android device (keep debugging USB-only; on a development device, adb usb switches adbd back to USB), and block inbound TCP 5555 at the network edge and in the device's firewall. A device that Fbot has "cleaned" still has the port open and will be taken by the next scanner, so treat a Fbot visit as evidence of exposure rather than as a fix. Up-to-date endpoint and firewall protection adds a further layer against the mining payloads themselves.
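Both the Xbash and the Fbot items above come down to the same question: which of the services they scan for is this host offering to the whole network? The following script, written for this digest and not taken from the article, Unit 42 or 360 Netlab, answers it from the output of ss -tlnp on Linux. It reports TCP listeners bound to all interfaces whose port is a default for MySQL, PostgreSQL, MongoDB, Redis, Hadoop YARN, ActiveMQ or ADB over TCP. The port table is an assumption (a service moved to another port will not be matched), and the sample ss output embedded in the script is constructed so that it runs offline.

```python
"""Flag listening services that Xbash- and Fbot-style scanners probe.

Added example for this digest, not code from the article or the research it
cites. It reads the output of `ss -tlnp` (Linux) and reports TCP listeners
bound to every interface whose port is a default for a service the two items
above name. The port table is an assumption: a service moved to another port
will not be matched.
"""
import re
import subprocess
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Default ports of the services Xbash (databases, Hadoop YARN, Redis, ActiveMQ)
# and Fbot/ADB.Miner (Android Debug Bridge over TCP) look for. Assumed defaults.
RISKY_PORTS = {
    3306: "MySQL",
    5432: "PostgreSQL",
    27017: "MongoDB",
    6379: "Redis",
    8088: "Hadoop YARN ResourceManager",
    8161: "ActiveMQ web console",
    61616: "ActiveMQ OpenWire",
    5555: "Android Debug Bridge (adb over TCP)",
}

# Local-address forms ss prints for "listening on all interfaces".
WILDCARD_ADDRS = {"0.0.0.0", "*", "[::]"}

# Constructed sample of `ss -tlnp` output for offline use; not a real host.
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port  Process
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*          users:(("sshd",pid=812,fd=3))
LISTEN  0       70      127.0.0.1:3306       0.0.0.0:*          users:(("mysqld",pid=1024,fd=21))
LISTEN  0       511     0.0.0.0:6379         0.0.0.0:*          users:(("redis-server",pid=1100,fd=6))
LISTEN  0       128     *:27017              *:*                users:(("mongod",pid=1200,fd=11))
LISTEN  0       128     [::]:8088            [::]:*             users:(("java",pid=1300,fd=250))
LISTEN  0       244     127.0.0.1:5432       0.0.0.0:*          users:(("postgres",pid=1400,fd=5))
LISTEN  0       4       0.0.0.0:5555         0.0.0.0:*          users:(("adbd",pid=1500,fd=9))
"""

_PROC = re.compile(r'\(\("([^"]+)",pid=(\d+)')


@dataclass
class Exposure:
    service: str
    port: int
    local_addr: str
    process: str


def parse_ss_line(line: str) -> Optional[Tuple[str, int, str]]:
    """Return (local address, port, 'name[pid]') for a LISTEN row, else None."""
    parts = line.split()
    if len(parts) < 5 or parts[0] != "LISTEN":
        return None
    # rpartition keeps IPv6 forms such as "[::]:8088" intact.
    addr, _, port = parts[3].rpartition(":")
    if not port.isdigit():
        return None
    m = _PROC.search(line)
    proc = f"{m.group(1)}[{m.group(2)}]" if m else "?"
    return addr, int(port), proc


def find_exposures(ss_output: str, risky_ports=RISKY_PORTS) -> List[Exposure]:
    """Listeners on a risky port that are bound to all interfaces.

    A service bound to 127.0.0.1 is not reported: it is still reachable by
    anything running on the host and still needs a password, but it is not
    what an internet-wide scanner can hit directly.
    """
    found = []
    for line in ss_output.splitlines():
        parsed = parse_ss_line(line)
        if parsed is None:
            continue
        addr, port, proc = parsed
        if port in risky_ports and addr in WILDCARD_ADDRS:
            found.append(Exposure(risky_ports[port], port, addr, proc))
    return found


def live_ss_output() -> Optional[str]:
    """Run `ss -tlnp` on this host; None if ss is unavailable (non-Linux)."""
    try:
        return subprocess.run(["ss", "-tlnp"], capture_output=True,
                              text=True, check=True).stdout
    except (FileNotFoundError, subprocess.CalledProcessError):
        return None


if __name__ == "__main__":
    output = live_ss_output() or SAMPLE_SS_OUTPUT
    for e in find_exposures(output):
        print(f"{e.service:<38} tcp/{e.port:<6} {e.local_addr:<10} {e.process}")
```

On the constructed sample the script flags Redis, MongoDB, Hadoop YARN and adbd, and stays silent on MySQL and PostgreSQL because they are bound to loopback. Run it as root on a real host so that ss can attach process names. A clean report is necessary, not sufficient: Xbash also brute-forces credentials from inside networks it has reached, so every service listed still needs a strong password (Redis via requirepass), and the ADB finding should be fixed by turning network debugging off rather than by filtering the port alone.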