Newly discovered malware ‘Xwo’ scans for default credentials and exposed web services

• This malware is related to two other malware families namely MongoLock ransomware and XBash.
• This malware does not include any ransomware or exploitation capabilities.

What is the issue - Researchers from AT&T Alien Labs spotted a new malware dubbed ‘Xwo’ which is capable of scanning for default credentials and exposed web services.

Why it matters - This malware is related to two other malware families namely MongoLock ransomware and XBash.

Worth noting - This malware does not include any ransomware or exploitation capabilities.

More details on the malware

• Researchers detected Xwo being served from a server with a file named xwo.exe.
• Upon execution, the malware performs an HTTP POST request with a random User-Agent from a hardcoded list of choices.
• It then receives instructions from its C&C server with an encoded public network range to scan.
• After scanning for services and collecting information, it sends back the collected information to its C&C server via an HTTP POST request.

What type of information is collected?

After scanning the network range provided by its C&C server, it starts collecting information from the available services such as,

• Information on the use of default credentials in FTP, MySQL, PostgreSQL, MongoDB, Redis, and Memcached
• Information on Tomcat default credentials and misconfigurations
• Details on Default SVN and Git paths
• Git repository format, version, content
• PhpMyAdmin details
• Www backup paths
• RealVNC Enterprise Direct Connect details
• RSYNC accessibility information

“While Xwo steps away from a variety of malicious features observed the entity using, such as ransomware or exploits, the general use and potential it holds can be damaging for networks around the globe. Xwo is likely a new step to an advancing capability, and we expect the full value of this information collection tool to be acted on in the future,” researchers said.

What you should do?

• Researchers recommend network owners to avoid the use of default service credentials.
• Further, they should ensure that publicly accessible services are restricted when possible.

“We are unable to assess what exactly the operators behind Xwo will use this information for, but based on links to MongoLock and XBash we expect it to be abused for further malicious activity in time,” researchers concluded.