Chinese Cybercrime Group Launches Destructive Malware Family

Uploaded on 2018-09-24 in TECHNOLOGY--Hackers, NEWS-Cybersecurity News, GOVERNMENT-Law Enforcement, FREE TO VIEW

A prolific cybercrime group known as Iron Group is actively developing a new family of destructive malware that pretends to ask for ransom, but in fact steals and deletes victims’ data as it self-propagates itself on a quest for the next target. Also known as Rocke, the criminals are a Chinese-speaking hacking group that has grown in notoriety this year for its use of crypto-jacking malware that leverages a backdoor from HackingTeam’s leaked code.

Researchers from numerous cybersecurity firms have pointed to Iron as a threat that has to be followed because they’re continuously updating and adding new featuring to malware that’s regularly exploring new attack vectors. Palo Alto Networks researchers have announced a new finding: Iron developed a new malware family, Xbash, that self-propagates and appears to destroy a victim’s data.

Ransomware and crypto-jacking, Iron’s previous methods of attack, are much more obvious ways to regular profits. It’s not clear why the group would pivot to destructive malware.

“We agree that it seems odd,” said Jen Miller-Osborn, Deputy Director of Threat Intelligence (Unit 42) at Palo Alto Networks. “Though there is no way for the victims to know the attackers did not create copies of their files to return (as it claims to). 

“It’s only once they’ve paid, and the attackers don’t restore the files, that the victims know their files are truly gone. The attackers may be happy enough to make whatever profits they can without the added step of having to store, track, and return the data.”

The malware logs into a victim’s databases, deletes almost everything, creates a new database named “PLEASE_READ_ME_XYZ” and offers a ransom message demanding 0.02 BTC to recover the deleted data.  But, there is no evidence attackers are actually returning any data and, researchers said, no evidence that the malware is even capable of backing up the deleted data at all.

Researchers describe Xbash as “a combination of botnet and ransomware” aimed at “discovering unprotected services, deleting victim’s MySQL, PostgreSQL and MongoDB databases, and ransom for Bitcoins. Xbash uses three known vulnerabilities in Hadoop, Redis and ActiveMQ for self-propagation or infecting Windows systems.”

Some functionality, including the ability to scan for vulnerable servers within an enterprise Intranet, have not yet been enabled.
Just 48 incoming transactions worth 0.964 bitcoins have been observed so far, a take worth about $6,000 USD right now.

CyberScoop

You Might Also Read: 

Cybercrime Costs Over $600 Billion Annually:

 

 

« British Government Is Planning Internet Regulation
White House To Step Up Cyber Counter-Offensive »

CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Go Cyber

Training that transforms behaviours

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

ManageEngine

ManageEngine

As the IT management division of Zoho Corporation, ManageEngine prioritizes flexible solutions that work for all businesses, regardless of size or budget.

IT Governance

IT Governance

IT Governance is a leading global provider of information security solutions. Download our free guide and find out how ISO 27001 can help protect your organisation's information.

Perimeter 81 / How to Select the Right ZTNA Solution

Perimeter 81 / How to Select the Right ZTNA Solution

Gartner insights into How to Select the Right ZTNA offering. Download this FREE report for a limited time only.

Clayden Law

Clayden Law

Clayden Law advise global businesses that buy and sell technology products and services. We are experts in information technology, data privacy and cybersecurity law.

ZenGRC

ZenGRC

ZenGRC - the first, easy-to-use, enterprise-grade information security solution for compliance and risk management - offers businesses efficient control tracking, testing, and enforcement.

Endace

Endace

Endace is a leader in network visibility, network recording and packet capture solutions for security, network and application performance monitoring.

Azeti Networks

Azeti Networks

Azeti Networks is a global provider of IoT technology to a variety of verticals including telecomms, oil/gas, manufacturing, finance and healthcare.

Software Engineering Institute (SEI)

Software Engineering Institute (SEI)

At the CERT Division of SEI we study and solve cybersecurity problems, research security vulnerabilities in software, and develop information and training to help improve cybersecurity.

Deep Instinct

Deep Instinct

Deep Instinct provides comprehensive defense that is designed to protect against the most evasive unknown malware in real-time, across an organization’s endpoints, servers, and mobile devices.

Sonda

Sonda

SONDA is the leading systems integrator and IT service provider in Latin America.

Genians

Genians

Genians provides the industry’s leading Network Access Control (NAC) solution, which ensures full visibility of all IP-enabled devices regardless of whether they are wired, wireless, or virtual.

OutThink

OutThink

OutThink is a web-based platform (SaaS) that has been developed specifically to identify and reduce risky workforce behaviours and build a risk aware culture.

Fiserv

Fiserv

Fiserv offers a wide array of Risk & Compliance solutions to help you prevent losses from fraud and ensure adherence to regulatory and compliance mandates.

Talon Cyber Security

Talon Cyber Security

Talon delivers the leading enterprise browser designed to bring security to managed and unmanaged devices, regardless of location, device type or operating system.

ITConnexion

ITConnexion

From cloud migration to ransomware protection, our managed IT services can be customised to address the most prevalent IT issues for your business.

Navisite

Navisite

Navisite is a combination of eight respected IT consulting and managed service providers that were brought together under the Navisite brand.

Superus Careers - Cyber Career Exchange

Superus Careers - Cyber Career Exchange

The Cyber Career Exchange is a specialized recruiting platform focused specifically on cybersecurity.

Celebrus

Celebrus

Celebrus Fraud Data Platform, by D4t4 Solutions, works with existing fraud structures to augment functionality and turn fraud management into true fraud prevention.

Binarly

Binarly

Binarly has developed an AI-powered platform to protect devices against emerging firmware threats.

ImagineX Consulting

ImagineX Consulting

ImagineX Consulting is a cybersecurity-focused boutique technology consultancy whose mission is to help our clients #BeBetter by reducing their corporate risk.

Acumen

Acumen

Acumen's cyber security engineers protect your critical systems, in critical moments. We are here when you need us most.