Xwo botnet scans for exposed web services and default passwords

A newly discovered botnet dubbed Xwo has been scanning the internet for exposed web services and default passwords. The malware was discovered by AT&T’s Alien Labs back in March and is related to malware families MongoLock and Xbash.

Security researchers Jaime Blasco and Chris Doman of Alien Labs said that the Xwo malware name was derived from a module that was served via a server that hosts a file name called xwo.exe.

Xwo appears to share similar Python-based code and command-and-control (C2) domain naming conventions with MongoLock, as ransomware known to wipe MongoDB servers and demands ransom payments to restore the victim’s database.

In the case of Xwo, however, the malware does not use ransomware to exploit its victims. Instead it steals and sends credentials back to its C2 infrastructure, Alien Labs said in the blog post.

A python script used by Xwo also contains the same code from XBash malware.

It is also interesting to note the entity behind the Xwo C2 infrastructure follows similar patterns using domains imitating security and news organizations, as well as security websites (such as rapid7.com, pcrisk.com), but uses a different top level domain (TLD) of “.tk“.

Alien Labs provided some examples of what Xwo scans for:

  • Use of default credentials in FTP, MySQL, PostgreSQL, MongoDB, Redis, Memcached.
  • Tomcat default credentials and misconfigurations.
  • Default SVN and Git paths.
  • Git repositoryformatversion content.
  • PhpMyAdmin details.
  • Www backup paths.
  • RealVNC Enterprise Direct Connect.
  • RSYNC accessibility.

The results of the scans are sent back to the attackers for future malicious deeds. Administrators should always make sure default credentials are never used and restrict publicly-facing services wherever possible.

Alien Labs concludes by saying the Xwo potential “can be damaging for networks around the globe.”