New ‘Xwo’ Malware Looks for Exposed Services, Default Passwords

A recently identified malware family is actively scanning the Internet for exposed web services and default passwords, AT&T Alien Labs reports.

The firm that resulted from AT&T’s acquisition of AlienVault calls the new malware Xwo, based on the name of the threat’s primary module.

Likely related to the Xbash and MongoLock malware families, the threat was observed being served under the name of xwo.exe.

Xwo, AT&T Alien Labs’ security researchers say, uses Python-based code similar to that of MongoLock, a piece of ransomware that wipes MongoDB servers and demands that admins pay a ransom to recover their data.

Additionally, both Xwo and MongoLock use similar command and control (C&C) domain naming, and show overlaps in C&C infrastructure.

Xwo, however, does not include ransomware or exploitation capabilities, but only gathers credentials and service access information and sends all data back to the C&C.

The researchers also discovered that the Xwo’s Python script contains code copied from XBash, the destructive Linux malware that targets enterprise intranets and which is believed to be connected to the Iron Group threat actor.

At the moment, Alien Labs is uncertain whether Xwo is related to the Iron Group as well, or if it only uses code that has been shared publicly.

Upon execution, Xwo connects to the C&C server and then starts scanning a network range provided by the server to start its reconnaissance activity and send gathered data to the attackers.

It collects information on the use of default credentials for FTP, MySQL, PostgreSQL, MongoDB, Redis and Memcached services; Tomcat default credentials and misconfigurations; default SVN and Git paths; Git repositoryformatversion content; PhpMyAdmin details; www/backup paths; RealVNC Enterprise Direct Connect details; and RSYNC accessibility.

“While Xwo steps away from a variety of malicious features […], such as ransomware or exploits, the general use and potential it holds can be damaging for networks around the globe. Xwo is likely a new step to an advancing capability, and we expect the full value of this information collection tool to be acted on in the future,” Alien Labs concludes.

Related: Xbash Malware Uninstalls Cloud Security Products

view counter

Ionut Arghire is an international correspondent for SecurityWeek.

Previous Columns by Ionut Arghire:
Don't forget to share

You may also like...

Leave a Reply

Your email address will not be published. Required fields are marked *