Pierluigi Paganini April 05, 2019

Researchers at AT&T Alien Labs have spotted a malware called
Xwo that is actively scanning the Internet for exposed web services and default passwords.

Experts at AT&T Alien Labs discovered a new piece of malware called
Xwo that is actively scanning the Internet for exposed web services and default passwords.

The name ‘Xwo‘ comes from the main module of the Python-based malware, the malicious code is served as xwo.exe.

“Recently, AT&T Alien Labs identified a new malware family that is actively scanning for exposed web services and default passwords.” reads the post published by Alien Labs.

“Based on our findings we are calling it “Xwo” – taken from its primary module name. It is likely related to the previously reported malware families Xbash and MongoLock.”

Xwo code is similar to that the MongoLock, a family of ransomware that hit MongoDB servers and wipe their content, then demands the payment a ransom to recover the data.

Experts also observed that both Xwo and MongoLock use similar command and control (C&C) domain naming, and show overlaps in C&C infrastructure. Xwo, unlike MongoLock, does not implement any ransomware or exploitation capabilities, the malware acts as an info stealer and sends stolen credentials and service access back to the C2 infrastructure.

Experts also discovered that the Xwo’s Python script borrows code from XBash. XBash was discovered by Palo Alto Networks in September 2018, it targets both Linux and Microsoft Windows servers.

Xbash was developed using Python, then the authors converted into self-contained Linux ELF executables by abusing the legitimate tool PyInstaller for distribution.

The malicious code combines features from different families of malware such as ransomware, cryptocurrency miners, botnets, and worms.

The malware was attributed to a popular crime gang tracked as the Iron Group. The Iron cybercrime group has been active since at least 2016, is known for the Iron ransomware but across the years it is built various strain of malware, including backdoors, cryptocurrency miners, and ransomware to target both mobile and desktop systems.

Anyway, at the time of writing, Alien Labs did not attribute Xwo to the Iron Group.

Once executed, Xwo connects to the C&C server and receives instructions to scan a specific network range provided. It starts the scans and send collected data back to the attackers.

“First Xwo scans the network range provided by the command and control server. It then commences reconnaissance activity to collect information on available services.” continues the analysis. “We assess the adversary collects this information for later use by the attacking entity. Collected information includes:

• Use of default credentials in FTP, MySQL, PostgreSQL, MongoDB, Redis, Memcached.
• Tomcat default credentials and misconfigurations.
• Default SVN and Git paths.
• Git repositoryformatversion content.
• PhpMyAdmin details.
• Www backup paths.
• RealVNC Enterprise Direct Connect.
• RSYNC accessibility.”

Experts warn of potential damages that the malware can cause to networks around the globe.

“While Xwo steps away from a variety of malicious features observed the entity using, such as ransomware or exploits, the general use and potential it holds can be damaging for networks around the globe. Xwo is likely a new step to an advancing capability, and we expect the full value of this information collection tool to be acted on in the future.” concludes the experts.

Pierluigi Paganini

(SecurityAffairs – Xwo, malware)

[adrotate banner=”5″]

[adrotate banner=”13″]