Chinese Cybercrime Group Launches Destructive Malware Family

A prolific cybercrime group known as Iron Group is actively developing a new family of destructive malware that pretends to ask for ransom, but in fact steals and deletes victims’ data as it self-propagates itself on a quest for the next target. Also known as Rocke, the criminals are a Chinese-speaking hacking group that has grown in notoriety this year for its use of crypto-jacking malware that leverages a backdoor from HackingTeam’s leaked code.

Researchers from numerous cybersecurity firms have pointed to Iron as a threat that has to be followed because they’re continuously updating and adding new featuring to malware that’s regularly exploring new attack vectors. Palo Alto Networks researchers have announced a new finding: Iron developed a new malware family, Xbash, that self-propagates and appears to destroy a victim’s data.

Ransomware and crypto-jacking, Iron’s previous methods of attack, are much more obvious ways to regular profits. It’s not clear why the group would pivot to destructive malware.

“We agree that it seems odd,” said Jen Miller-Osborn, Deputy Director of Threat Intelligence (Unit 42) at Palo Alto Networks. “Though there is no way for the victims to know the attackers did not create copies of their files to return (as it claims to). 

“It’s only once they’ve paid, and the attackers don’t restore the files, that the victims know their files are truly gone. The attackers may be happy enough to make whatever profits they can without the added step of having to store, track, and return the data.”

The malware logs into a victim’s databases, deletes almost everything, creates a new database named “PLEASE_READ_ME_XYZ” and offers a ransom message demanding 0.02 BTC to recover the deleted data.  But, there is no evidence attackers are actually returning any data and, researchers said, no evidence that the malware is even capable of backing up the deleted data at all.

Researchers describe Xbash as “a combination of botnet and ransomware” aimed at “discovering unprotected services, deleting victim’s MySQL, PostgreSQL and MongoDB databases, and ransom for Bitcoins. Xbash uses three known vulnerabilities in Hadoop, Redis and ActiveMQ for self-propagation or infecting Windows systems.”

Some functionality, including the ability to scan for vulnerable servers within an enterprise Intranet, have not yet been enabled.
Just 48 incoming transactions worth 0.964 bitcoins have been observed so far, a take worth about $6,000 USD right now.

CyberScoop

You Might Also Read: 

Cybercrime Costs Over $600 Billion Annually:

 

 

« British Government Is Planning Internet Regulation
White House To Step Up Cyber Counter-Offensive »

Infosecurity Europe
CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

DigitalStakeout

DigitalStakeout

DigitalStakeout enables cyber security professionals to reduce cyber risk to their organization with proactive security solutions, providing immediate improvement in security posture and ROI.

Directory of Cyber Security Suppliers

Directory of Cyber Security Suppliers

Our Supplier Directory lists 7,000+ specialist cyber security service providers in 128 countries worldwide. IS YOUR ORGANISATION LISTED?

TÜV SÜD Academy UK

TÜV SÜD Academy UK

TÜV SÜD offers expert-led cybersecurity training to help organisations safeguard their operations and data.

Resecurity

Resecurity

Resecurity is a cybersecurity company that delivers a unified platform for endpoint protection, risk management, and cyber threat intelligence.

XYPRO Technology

XYPRO Technology

XYPRO is the market leader in HPE Non-Stop Security, Risk Management and Compliance.

F-Response

F-Response

F-Response is a software utility that enables an investigator to conduct live Forensics, Data Recovery, and eDiscovery over an IP network using their tools of choice.

Teradata

Teradata

Teradata is a leading provider of enterprise big data analytics and services. Applications include Cyber Security Analytics.

NUS-Singtel Cyber Security R&D Lab

NUS-Singtel Cyber Security R&D Lab

NUS-Singtel Cyber Security R&D Lab conducts research into predictive security analytics.

Brit

Brit

Brit PLC is a market-leading global specialty insurer and reinsurer, focused on underwriting complex risks including cyber, privacy and technology.

European Cyber Security Organisation (ECSO)

European Cyber Security Organisation (ECSO)

The main objective of ECSO is to support all types of initiatives or projects that aim to develop, promote and encourage European cybersecurity.

Bastille

Bastille

Bastille’s patented software and security sensors bring visibility to devices emitting radio signals (Wi-Fi, cellular, IoT) in your organization.

Global Learning Systems (GLS)

Global Learning Systems (GLS)

Global Learning Systems provides security awareness and compliance training programs for employees that effectively promote behavior change and protect your organization.

Computer Network Defence (CND)

Computer Network Defence (CND)

Computer Network Defence (CND) are a Broad-Spectrum Cyber Security Consultancy and Recruitment Agency.

MythX

MythX

MythX is the premier security analysis service for Ethereum smart contracts.

CyCraft Technology Corp

CyCraft Technology Corp

CyCraft is an AI company that forges the future of cybersecurity resilience through autonomous systems and human-AI collaboration.

Arqit Quantum

Arqit Quantum

Arqit's mission is to use transformational quantum encryption technology to keep safe the data of our governments, enterprises and citizens.

FortKnoxster

FortKnoxster

FortKnoxster is a cybersecurity company within the Crypto & FinTech space. Our encryption technologies are blockchain integrated.

Computer Services Inc (CSI)

Computer Services Inc (CSI)

CSI is a leading fintech, regtech and cybersecurity solutions partner operating at the intersection of innovation and service.

Ethiopian Cybersecurity Association (ECySA)

Ethiopian Cybersecurity Association (ECySA)

ECySA was formed to play an influential part in the ongoing and dawning cybersecurity practices of Ethiopia, efficiently creating public and private awareness on all kinds of cyber risks and threats.

VMware

VMware

VMware is a leading provider of multi-cloud services for all apps, enabling digital innovation with enterprise control.

Hexagon

Hexagon

Hexagon is a global leader in digital reality solutions. We are putting data to work to boost efficiency, productivity, quality and safety.