Chinese Cybercrime Group Launches Destructive Malware Family

A prolific cybercrime group known as Iron Group is actively developing a new family of destructive malware that pretends to ask for a ransom but in fact steals and deletes victims’ data as it self-propagates in search of its next target. Also known as Rocke, the group is a Chinese-speaking hacking crew that has grown in notoriety this year for its use of crypto-jacking malware built on a backdoor from HackingTeam’s leaked code.

Researchers from numerous cybersecurity firms have singled out Iron as a threat worth tracking because the group continuously updates its malware, adds new features and keeps exploring new attack vectors. Palo Alto Networks researchers have announced a new finding: Iron has developed a new malware family, Xbash, that self-propagates and appears to destroy a victim’s data.

Ransomware and crypto-jacking, Iron’s previous methods of attack, are far more obvious routes to steady profits. It’s not clear why the group would pivot to destructive malware.

“We agree that it seems odd,” said Jen Miller-Osborn, Deputy Director of Threat Intelligence (Unit 42) at Palo Alto Networks. “Though there is no way for the victims to know the attackers did not create copies of their files to return (as it claims to). 

“It’s only once they’ve paid, and the attackers don’t restore the files, that the victims know their files are truly gone. The attackers may be happy enough to make whatever profits they can without the added step of having to store, track, and return the data.”

The malware logs into a victim’s databases, deletes almost everything, creates a new database named “PLEASE_READ_ME_XYZ” and leaves a ransom message demanding 0.02 BTC to recover the deleted data. But there is no evidence that the attackers are actually returning any data and, researchers said, no evidence that the malware is even capable of backing up the deleted data at all.

Researchers describe Xbash as “a combination of botnet and ransomware” aimed at “discovering unprotected services, deleting victim’s MySQL, PostgreSQL and MongoDB databases, and ransom for Bitcoins. Xbash uses three known vulnerabilities in Hadoop, Redis and ActiveMQ for self-propagation or infecting Windows systems.”

Some functionality, including the ability to scan for vulnerable servers within an enterprise intranet, has not yet been enabled.

Just 48 incoming transactions worth 0.964 bitcoins have been observed so far, a take worth about $6,000 USD at current prices.
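Because the article notes that victims have no way to tell whether their data was copied before deletion, the practical defender’s question is whether a server shows the wipe pattern at all: the ransom-note database present and the expected databases gone. The following is an added example, not code from Palo Alto Networks or from the article, that checks a server’s database listing against an inventory for exactly that pattern. The only value taken from the article is the database name “PLEASE_READ_ME_XYZ”; the sample `SHOW DATABASES` output, the inventory of expected databases and the per-engine system-database lists are constructed assumptions for illustration.

```python
"""Defender-side check for the database-wipe pattern described above.

Given the databases currently present on a server (here parsed from MySQL's
SHOW DATABASES table output; a PostgreSQL or MongoDB listing can be passed in
as a plain list) and the databases the server is expected to hold (from an
inventory or the last backup catalogue), report whether the ransom-note
database is present and which expected databases have disappeared.
"""
from dataclasses import dataclass, field

# Indicator from the article: the malware creates a database with this name
# after deleting the victim's data.
RANSOM_DB_NAME = "PLEASE_READ_ME_XYZ"

# Databases each engine creates for itself; their presence says nothing about
# whether user data survived. (Assumed lists for this example.)
SYSTEM_DBS = {
    "mysql": {"information_schema", "mysql", "performance_schema", "sys"},
    "postgresql": {"postgres", "template0", "template1"},
    "mongodb": {"admin", "config", "local"},
}

# Constructed sample: what SHOW DATABASES might print on a wiped MySQL server.
SAMPLE_SHOW_DATABASES = """
+--------------------+
| Database           |
+--------------------+
| information_schema |
| PLEASE_READ_ME_XYZ |
| mysql              |
| performance_schema |
| sys                |
+--------------------+
"""

# Constructed inventory of databases this server is supposed to hold.
EXPECTED_MYSQL = ["crm", "orders", "mysql"]


def parse_show_databases(text: str) -> list[str]:
    """Extract database names from MySQL's ASCII-table SHOW DATABASES output."""
    names = []
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("|"):
            continue  # border rows (+----+) and blank lines
        cell = line.strip("|").strip()
        if cell == "Database":
            continue  # column header
        names.append(cell)
    return names


@dataclass
class WipeCheck:
    engine: str
    ransom_db_present: bool
    missing_expected: list[str] = field(default_factory=list)
    surviving_user_dbs: list[str] = field(default_factory=list)

    @property
    def likely_wiped(self) -> bool:
        # Either signal alone deserves a look; both together is the pattern
        # described in the article: data gone, ransom note left behind.
        return self.ransom_db_present or bool(self.missing_expected)


def check_for_wipe(engine: str, current_dbs, expected_dbs) -> WipeCheck:
    """Compare the live database list with the inventory for one engine."""
    system = SYSTEM_DBS.get(engine, set())
    current = set(current_dbs)
    expected = set(expected_dbs) - system
    user_dbs = current - system - {RANSOM_DB_NAME}
    return WipeCheck(
        engine=engine,
        ransom_db_present=RANSOM_DB_NAME in current,
        missing_expected=sorted(expected - current),
        surviving_user_dbs=sorted(user_dbs),
    )


if __name__ == "__main__":
    result = check_for_wipe("mysql", parse_show_databases(SAMPLE_SHOW_DATABASES), EXPECTED_MYSQL)
    print(f"ransom note DB present: {result.ransom_db_present}")
    print(f"expected DBs missing:   {result.missing_expected}")
    print(f"surviving user DBs:     {result.surviving_user_dbs}")
    print(f"likely wiped:           {result.likely_wiped}")
```

Run against a real server, the listing would come from the engine’s own client rather than the embedded sample; the comparison against a trusted inventory is the part that matters, since a wiped server with the ransom-note database already renamed would otherwise show only an unremarkable set of system databases.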

CyberScoop
