Xwo – A Python-Based Bot Scanner (Apr 2, 2019)
A new malware family, dubbed “Xwo,” has been observed being delivered by threat actors as a file called “xwo.exe” from a Command and Control (C2) server. Xwo is a scanner that is capable of sending stolen credentials back to a C2 server. The malware shares similarities in code and infrastructure with the “MongoLock” ransomware, although Xwo itself has no ransomware or exploit capabilities. Once Xwo has infected a machine, it sends an HTTP POST request using a User-Agent chosen from a hardcoded list, then receives instructions from a C2 domain containing an encoded public network range to scan and gather information on. Xwo gathers data such as default credentials, SVN and Git paths, PhpMyAdmin details, and the use of default credentials for FTP, Memcached, MongoDB, MySQL, PostgreSQL, and Redis, among other data. Researchers believe that, while this malware lacks malicious features such as ransomware or exploit capabilities, the actors behind Xwo will use the information gathered in future attacks.
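The scanning behaviour described above leaves a recognisable footprint in web-server access logs: one source address requesting several sensitive paths (Git and SVN metadata, phpMyAdmin) in quick succession. The following is an added detection example, not code from the report or from Xwo; the probe paths, the threshold, the time window and the Common Log Format lines are all constructed assumptions, since the report names no specific URIs or indicators.

```python
"""Flag source IPs that probe several sensitive paths (Git/SVN metadata,
phpMyAdmin) within a short window, the footprint an Xwo-style scanner leaves.

Constructed example: the probe-path list, thresholds and log lines are
illustrative assumptions, not indicators published for Xwo.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Paths a credential/config scanner typically requests. Assumed list; the
# report only names "SVN and Git paths" and "PhpMyAdmin details".
PROBE_PREFIXES = ("/.git/", "/.svn/", "/phpmyadmin", "/pma/", "/admin/phpmyadmin")

# Combined Log Format: ip ident user [time] "METHOD path HTTP/x" status size "ref" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Parse one access-log line into a dict, or return None if malformed."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["time"], TIME_FMT)
    return rec


def is_probe(path):
    """True if the requested path starts with one of the sensitive prefixes."""
    p = path.lower()
    return any(p.startswith(prefix) for prefix in PROBE_PREFIXES)


def find_scanners(lines, min_distinct=3, window_minutes=5):
    """Return {ip: sorted distinct probe paths} for every IP that requested at
    least `min_distinct` different probe paths inside any `window_minutes` span."""
    window = timedelta(minutes=window_minutes)
    hits = defaultdict(list)  # ip -> [(time, path)]
    for line in lines:
        rec = parse_line(line)
        if rec and is_probe(rec["path"]):
            hits[rec["ip"]].append((rec["time"], rec["path"].lower()))

    flagged = {}
    for ip, events in hits.items():
        events.sort()  # time-ordered so a sliding window can be used
        start = 0
        for end in range(len(events)):
            # shrink the window from the left until it spans <= window_minutes
            while events[end][0] - events[start][0] > window:
                start += 1
            distinct = {path for _, path in events[start:end + 1]}
            if len(distinct) >= min_distinct:
                flagged[ip] = sorted(distinct)
                break
    return flagged


# Constructed sample log: one fast scanner, one benign host with a single
# probe, and one slow host whose probes fall outside the 5-minute window.
SAMPLE_LOG = """\
198.51.100.7 - - [02/Apr/2019:10:00:01 +0000] "GET /.git/config HTTP/1.1" 404 153 "-" "Mozilla/5.0"
198.51.100.7 - - [02/Apr/2019:10:00:02 +0000] "GET /.svn/entries HTTP/1.1" 404 153 "-" "Mozilla/5.0"
198.51.100.7 - - [02/Apr/2019:10:00:03 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 153 "-" "Mozilla/5.0"
203.0.113.9 - - [02/Apr/2019:10:01:00 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.9 - - [02/Apr/2019:10:01:05 +0000] "GET /.git/HEAD HTTP/1.1" 404 153 "-" "curl/7.64.0"
192.0.2.4 - - [02/Apr/2019:09:00:00 +0000] "GET /.git/config HTTP/1.1" 404 153 "-" "x"
192.0.2.4 - - [02/Apr/2019:09:30:00 +0000] "GET /.svn/entries HTTP/1.1" 404 153 "-" "x"
192.0.2.4 - - [02/Apr/2019:10:30:00 +0000] "GET /pma/ HTTP/1.1" 404 153 "-" "x"
""".splitlines()

if __name__ == "__main__":
    for ip, paths in find_scanners(SAMPLE_LOG).items():
        print(f"{ip}: probed {len(paths)} sensitive paths: {', '.join(paths)}")
```

With the default settings only 198.51.100.7 is flagged; the slow host 192.0.2.4 spreads the same three probes over ninety minutes and is only caught if `window_minutes` is widened, which is the trade-off to tune against your own traffic before alerting on it.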
Recommendation: It is not uncommon for threat groups to conduct automated attacks against devices that still use default credentials or have publicly-known vulnerabilities associated with them. In this case, the actors behind this campaign are likely gathering data for future attacks. It is therefore crucial that all internet-facing applications and software in use by your company have complex passwords to avoid potential brute force attacks.
Indicators of Compromise (IOCs) associated with this story can be viewed by ThreatStream users here to identify potential malicious activity.