Chinese Cybercrime Group Launches Destructive Malware Family

A prolific cybercrime group known as Iron Group is actively developing a new family of destructive malware that poses as ransomware but in fact deletes victims’ data while self-propagating in search of its next target. Also known as Rocke, the criminals are a Chinese-speaking hacking group that has grown in notoriety this year for its use of crypto-jacking malware that leverages a backdoor from HackingTeam’s leaked code.

Researchers from numerous cybersecurity firms have flagged Iron as a threat worth tracking because the group continuously updates its malware, adds new features and explores new attack vectors. Palo Alto Networks researchers have now reported a new finding: Iron has developed a new malware family, Xbash, that self-propagates and appears to destroy a victim’s data.

Ransomware and crypto-jacking, Iron’s previous methods of attack, are far more obvious routes to regular profit. It is not clear why the group would pivot to destructive malware.

“We agree that it seems odd,” said Jen Miller-Osborn, Deputy Director of Threat Intelligence (Unit 42) at Palo Alto Networks. “Though there is no way for the victims to know the attackers did not create copies of their files to return (as it claims to). 

“It’s only once they’ve paid, and the attackers don’t restore the files, that the victims know their files are truly gone. The attackers may be happy enough to make whatever profits they can without the added step of having to store, track, and return the data.”

The malware logs into a victim’s databases, deletes almost everything, creates a new database named “PLEASE_READ_ME_XYZ” and leaves a ransom message demanding 0.02 BTC to recover the deleted data. But there is no evidence that the attackers are actually returning any data and, researchers said, no evidence that the malware is even capable of backing up the deleted data at all.

Researchers describe Xbash as “a combination of botnet and ransomware” aimed at “discovering unprotected services, deleting victim’s MySQL, PostgreSQL and MongoDB databases, and ransom for Bitcoins. Xbash uses three known vulnerabilities in Hadoop, Redis and ActiveMQ for self-propagation or infecting Windows systems.”
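The wipe-then-ransom sequence described above leaves a recognisable trace in the database server’s own query log. The following Python script is an added example written for this page; it is not Palo Alto’s code and not part of Xbash. It parses MySQL general-query-log lines (the MySQL 5.7+ line layout is assumed) and flags a connection that drops several databases in quick succession or that creates the PLEASE_READ_ME_XYZ marker database named in the article. The sample log, the connection IDs, the client address, the table name `note` and the ransom wording are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Marker database the article says Xbash creates after wiping a victim's databases.
MARKER_DB = "PLEASE_READ_ME_XYZ"

# Assumed layout of a MySQL 5.7+ general query log line:
#   <ISO-8601 time>Z<TAB><padded connection id> <Command><TAB><argument>
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}\.\d+)Z\s+"
    r"(?P<cid>\d+)\s+(?P<cmd>\w+)\t(?P<arg>.*)$"
)
DROP_RE = re.compile(
    r"^\s*DROP\s+(?:DATABASE|SCHEMA)\s+(?:IF\s+EXISTS\s+)?`?(?P<name>[\w$]+)`?", re.I
)
CREATE_RE = re.compile(
    r"^\s*CREATE\s+(?:DATABASE|SCHEMA)\s+(?:IF\s+NOT\s+EXISTS\s+)?`?(?P<name>[\w$]+)`?", re.I
)


def parse_line(line):
    """Split one general-log line into (timestamp, connection id, command, argument)."""
    m = LOG_RE.match(line)
    if not m:
        return None  # header line, multi-line statement continuation, or noise
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%S.%f")
    return ts, int(m["cid"]), m["cmd"], m["arg"]


def detect_wipe(lines, drop_threshold=3, window=timedelta(minutes=5)):
    """Return findings for two rules, evaluated per connection:
    bulk_drop  - at least `drop_threshold` DROP DATABASE statements within `window`;
    marker_db  - a CREATE DATABASE for the ransom marker, which is an IOC on its own."""
    drops = defaultdict(list)  # connection id -> [(timestamp, database name)]
    alerted = set()            # connections already reported for bulk_drop
    findings = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, cid, cmd, arg = parsed
        if cmd != "Query":
            continue
        d = DROP_RE.match(arg)
        if d:
            drops[cid].append((ts, d["name"]))
            recent = [name for t, name in drops[cid] if ts - t <= window]
            if len(recent) >= drop_threshold and cid not in alerted:
                alerted.add(cid)
                findings.append({"rule": "bulk_drop", "conn": cid, "at": ts,
                                 "databases": recent})
            continue
        c = CREATE_RE.match(arg)
        if c and c["name"].upper() == MARKER_DB:
            findings.append({"rule": "marker_db", "conn": cid, "at": ts,
                             "dropped_before": [name for _, name in drops[cid]]})
    return findings


# Constructed sample log: connection 12 is the wipe, connection 13 is routine admin work.
# The table name `note`, the client address and the ransom wording are invented for the example.
SAMPLE_LOG = """\
2018-09-17T10:00:00.000000Z\t   12 Connect\troot@203.0.113.5 on  using TCP/IP
2018-09-17T10:00:00.100000Z\t   12 Query\tSHOW DATABASES
2018-09-17T10:00:00.200000Z\t   12 Query\tDROP DATABASE `shop`
2018-09-17T10:00:00.300000Z\t   12 Query\tDROP DATABASE `crm`
2018-09-17T10:00:00.400000Z\t   12 Query\tDROP DATABASE `analytics`
2018-09-17T10:00:00.500000Z\t   12 Query\tCREATE DATABASE PLEASE_READ_ME_XYZ
2018-09-17T10:00:00.600000Z\t   12 Query\tCREATE TABLE PLEASE_READ_ME_XYZ.note (id INT, msg TEXT)
2018-09-17T10:00:00.700000Z\t   12 Query\tINSERT INTO PLEASE_READ_ME_XYZ.note VALUES (1, 'send 0.02 BTC to recover your data')
2018-09-17T10:05:00.000000Z\t   13 Query\tDROP DATABASE IF EXISTS staging_old
2018-09-17T10:05:01.000000Z\t   13 Query\tCREATE DATABASE staging_new
"""


def scan_text(text):
    """Convenience wrapper: run detect_wipe over a whole log file's contents."""
    return detect_wipe(text.splitlines())


if __name__ == "__main__":
    for finding in scan_text(SAMPLE_LOG):
        print(finding)
```

Two caveats apply. The MySQL general log is off by default and is costly on a busy server, so in practice this logic runs over audit-plugin output or over a log shipped to a remote collector that the attacker’s root session cannot truncate. It is also only a detection: as the article notes, no copy of the data exists on the attacker’s side, so recovery depends entirely on the victim’s own backups, and the real fix is not exposing MySQL, PostgreSQL or MongoDB to the Internet without authentication in the first place.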

Some functionality, including the ability to scan for vulnerable servers within an enterprise intranet, has not yet been enabled.
Just 48 incoming transactions worth 0.964 bitcoins had been observed at the time of writing, a take worth about $6,000 USD.

CyberScoop
