Xbash Malware Targets Windows and Linux with Ransomware and Cryptomining

Satnam Narang

Newly identified Xbash malware is targeting weak passwords and unpatched vulnerabilities on Linux and Windows systems to launch ransomware or cryptomining attacks.


Unit 42, Palo Alto Network’s research team, recently blogged about a new malicious software (malware) family it’s calling Xbash. This newly identified malware targets Linux and Windows systems that have weak passwords and unpatched vulnerabilities.

On Linux systems, Xbash will identify and delete MySQL, MongoDB and PostgreSQL databases and then seek ransom payment from victims. On Windows systems, it will initiate cryptomining and self-propagate. Organizations should be aware Xbash has no functionality to restore the deleted databases, so there is no use in paying the ransom.

Vulnerability details

Xbash targets two unpatched vulnerabilities and one patched vulnerability. The first unpatched vulnerability is an unauthenticated command execution vulnerability in Apache Hadoop YARN, which was first discovered in October 2016 but has no CVE. The second unpatched vulnerability is a remote code execution vulnerability in Redis, which was first discovered in November 2015 and also has no CVE. Lastly, the patched vulnerability, CVE-2016-3088, is an arbitrary file write vulnerability in Apache ActiveMQ.

Urgently required actions

To protect against the Xbash malware, we advise organizations to ensure they’re using strong and unique passwords across the board. Because two vulnerabilities remain unpatched, it is important to identify vulnerable assets and ensure they’re protected by an endpoint security product. As there is a patch available for Apache ActiveMQ, organizations should ensure they’re applying patches regularly. Finally, because Xbash targets and deletes databases, organizations should back up databases regularly and segregate them from other systems on the network.

Identifying affected systems

Tenable has the following plugins available to scan for applications targeted by the Xbash malware family.

Plugin ID



Redis Server Unprotected by Password Authentication


Redis Server Detection


Apache ActiveMQ 5.x < 5.14.0 ActiveMQ Fileserver web application remote code execution (Xbash)


Apache Hadoop YARN ResourceManager Unauthenticated RCE (Remote)

Get more information:

Learn more about Tenable.io, the first Cyber Exposure platform for holistic management of your modern attack surface. Get a free 60-day trial of Tenable.io Vulnerability Management.

Read more >

Published on Sep 19, 2018

People also viewed

Customer Success Manager - ANZ

North Sydney Australia Pacific Highway, North Sydney, Australia, NSW 2060 Customer Success Sales
Your Role:Tenable has an immediate need for a Customer Success Manager who will be responsible for establishing and driving sales activities for our software products within a designated geography.Companies today are grappling with an ever expandi...

Field and Channel Marketing Manager, Nordics and Benelux

Uxbridge United Kingdom Furzeground Way , Stockley Park, Uxbridge, United Kingdom, UB11 1EZ Field & Channel Marketing Marketing
Your Role:Tenable seeks an experienced field and channel marketing manager to generate demand for Tenable products and solutions across our Scandinavia and Benelux territories.  The successful candidate will have demonstrated experience creating, ...

Finance & Investor Relations Intern

Columbia Maryland United States Columbia Gateway Drive, Columbia, Maryland, United States, 21046 Finance Internships
Your Role:Tenable has a Finance and Investor Relations Intern opportunity for college students entering their senior year or actively enrolled in an MBA program. If you're looking for a chance to apply what you're learning in your degree program, ...

Senior Data Engineer

Dublin Ireland Campshires, Sir John Rogerson's Quay, Dublin, Ireland Research Engineering
Your Role:Data Engineers here are involved in designing, developing and maintaining systems for data analysis, transformation, modelling and visualisation. We work directly with the data scientists to develop cutting edge uses of the data we colle...

Technical Support Manager

Columbia Maryland United States Columbia Gateway Drive, Columbia, Maryland, United States, 21046 Technical Support Technical Support
Your Role:Tenable is seeking a high energy, results oriented customer advocate capable of motivating an already exceptional support team to even higher levels of customer satisfaction. Our current global rating is over 93% satisfaction and we expe...

Cloud Security Intern

Columbia Maryland United States Columbia Gateway Drive, Columbia, Maryland, United States, 21046 Information Security Internships
Your Role: The Cloud Security Intern will help the Tenable secure their use of cloud systems across the company.  The intern will develop, implement and monitor security solutions for cloud that assess risk, keep Tenable data safe and bake in secu...

We have big plans for continued global growth, and we’re looking for people who are creative, flexible and dedicated to helping us build something great – something that matters.