New Version of Xbash Malware Targets Cloud Security Programs

Palo Alto Networks’ cyberthreat intelligence team, Unit 42, recently unearthed new malware related to the Linux cryptocurrency mining malware Xbash. Discovered last year, Xbash targets Linux servers and deletes Linux databases while also using the systems to mine cryptocurrency. Threat actor group Rocke, apparently associated with the Iron cybercrime group, developed Xbash and this latest malware. Unit 42’s report on the new malware revealed that it is capable of removing cloud security products from the user’s computer. Specifically, it can deactivate programs released by Tencent Cloud and Alibaba Cloud.

Rather than attack the security software, the malware follows Tencent’s and Alibaba’s instructions for uninstalling the programs. These instructions are publicly available on Tencent’s and Alibaba’s websites. Once the security programs have been uninstalled, the malware proceeds to mine Monero cryptocurrency on infected machines. Unit 42 believes that this is the first malware to specifically target cloud security programs. They are currently working with Tencent and Alibaba to address security concerns caused by this malware.

According to Unit 42, malware creators realize that agent-based security programs may be able to detect malware intrusions. Thus, they are focusing on discovering new ways to avoid detection by monitors in order to gain access to systems. Unit 42 concluded their report by saying, “The variant of the malware used by the Rocke group is an example that demonstrates that the agent-based cloud security solution may not be enough to prevent evasive malware targeted at public cloud infrastructure.”

The Rocke group focuses on Monero cryptomining and was first seen operating in 2018. They are one of several cryptomining malware developers to emerge as illegal cryptomining becomes more and more popular. Unit 42’s analysis shows that Xbash and the new malware are still under active development. It is likely that Rocke is going to expand their malware to target other cloud security providers. Unit 42 provides ways for clients to protect themselves from Xbash in their initial report on the malware.

Daniel Hein