Security researchers recently discovered a new tool that is actively scanning for exposed web services and default passwords.
The researchers dubbed the malicious tool “Xwo”. The name is taken from its primary module name. Xwo is most likely related to previously discovered malware families Xbash and MongoLock.
How was the Xwo malware discovered? What is Xwo?
Alien Labs researchers first noticed Xwo being served from a server dropping a file named xwo.exe.
In short, the Xwo malware is a Python-based bot scanner created for the purpose of reconnaissance. Based on IP ranges received from a command and control server, the malware sifts for default passwords for services, reporting back the results. Xwo may not be necessarily malicious but it is being deployed for such purposes.
Xwo’s associations with MongoLock and Xbash
MongoLock targeted MongoDB databases which had no protection and had remote access left open. MongoLock wiped these databases and used extortion tactics to try and trick the victim parties to pay a ransom fee for supposedly recovering their compromised data.
Researchers say that both Xwo and MongoLock utilize similar Python-based code, command and control domain naming, and have an overlap in command and control server infrastructure.
The difference between the two is that Xwo does not have any ransomware or exploitation capabilities, but rather sends stolen credentials and service access back to the command and control infrastructure.
The Xbash malware strain combines characteristics of four malware categories – ransomware, botnet, worm, and crypto miners. According to researchers from Palo Alto Networks’ Unit 42, Xbash’s ransomware and botnet capabilities are aimed at Linux systems where the malware is instructed to delete databases. As for Windows, Xbash is used for cryptomining purposes and self-propagation, leveraging known security vulnerabilities in Hadoop, Redis, and ActiveMQ services.
It appears that the python script of Xwo contains code copied from XBash.
As of this report, it is unclear if Xwo relates with same adversary known as “Iron Group”, or if they have repurposed public code. Based on our research to date, a potential relationship may existbetween Iron Cybercrime Group and Rocke. We are unable to assess the relationship with acceptable confidence as of this report, researchers said.
Further Xwo specifications
After it’s executed, Xwo is set to perform an HTTP POST request with a random User-Agent from a hardcoded list of choices. The malware then receives instructions from the command and control domain with an encoded public network range to scan. It’s noteworthy that “the IP range supplied by the C2 infrastructure is base64 encoded and zlib compressed”.
The command and control infrastructure of Xwo is associated with MongoLock. Specific patterns are followed in terms of registering domains mimicking security and news organizations and websites such as Rapid7 (rapid7.com), PCRisk (pcrisk.com), and ProPublica’s onion site (propub3r6espa33w.onion) but with .tk TLDs.
Xwo will also scan the network range made available by the command and control server. Next is reconnaissance activity with the purpose of collecting information on available services. Researchers believe that the threat actors collect this information for later use.
Collected information includes:
– Use of default credentials in FTP, MySQL, PostgreSQL, MongoDB, Redis, Memcached.
– Tomcat default credentials and misconfigurations.
– Default SVN and Git paths.
– Git repositoryformatversion content.
– PhpMyAdmin details.
– Www backup paths.
– RealVNC Enterprise Direct Connect.
– RSYNC accessibility.
In conclusion, Xwo appears to be a new step towards an advancing capability, and researchers expect the full value of the reconnaissance tool to be acted on in future attacks.