AT&T Alien Labs: There is a new form of malware, Xwo, that is scanning the Internet for exposed web services and default passwords. It’s related to the MongoLock and Xbash families
Xwo is a new form of malware in the wild that is scanning the Internet to find exposed web services and default passwords. The malicious code has been discovered by AT&T Alien Labs cyber security experts, who believe it could have been employed for a huge reconnaissance operation that is the prelude to a larger cyber attack. Moreover, it’s probably related to the MongoLock and Xbash families. According to the company’s blog, the first one is ransomware that wipes MongoDB servers and demands a ransom, paid to the attackers, before the owners can recover their database. Both Xwo and MongoLock use similar Python-based code and command and control (“C2”) domain naming, and they overlap in C2 infrastructure. Unlike MongoLock, the new malware does not have any ransomware or exploitation capabilities; instead it sends stolen credentials and service access details back to the C2 infrastructure.
The cyber security experts expect that the stolen information will be abused for further malicious activity in time, probably in a huge cyber attack.
According to the cyber security experts, it is unclear whether Xwo is linked to the same adversary known as the “Iron Group”, or whether its operators have repurposed public code. But what is certain is that the “general use of the malware and the potential it holds can be damaging for networks around the globe. Xwo is likely a new step to an advancing capability, and we expect the full value of this information collection tool to be acted on in the future. Network owners should avoid the use of default service credentials and ensure publicly accessible services are restricted when possible. We are unable to assess what exactly the operators behind Xwo will use this information for, but based on links to MongoLock and Xbash we expect it to be abused for further malicious activity in time.”
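The footprint a scanner like Xwo leaves in a network is breadth rather than depth: one source address trying logins against many hosts and several different services within seconds. The following detection script is an added example written for this article, not code from AT&T Alien Labs or from the malware report; the log line format (`host=`, `service=`, `src=`, `user=`, `result=` key/value pairs) and all the log lines are constructed for the example, and the thresholds (three hosts, two services, two-minute window) are assumptions a defender would tune to their own environment.

```python
"""
Added example (not from the AT&T Alien Labs write-up): flag source addresses
whose failed logins span many hosts and several services inside a short
window, the pattern an Internet-wide credential/service scanner leaves in
consolidated authentication logs. Log format and lines are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: one authentication event per line, hypothetical format.
SAMPLE_LOG = """\
2019-04-02T10:00:01Z host=db1 service=mongodb src=198.51.100.7 user=admin result=fail
2019-04-02T10:00:03Z host=db2 service=mongodb src=198.51.100.7 user=admin result=fail
2019-04-02T10:00:05Z host=web1 service=phpmyadmin src=198.51.100.7 user=root result=fail
2019-04-02T10:00:08Z host=web2 service=tomcat src=198.51.100.7 user=tomcat result=fail
2019-04-02T10:00:09Z host=cache1 service=memcached src=198.51.100.7 user=- result=fail
2019-04-02T10:00:12Z host=db1 service=mongodb src=203.0.113.9 user=alice result=fail
2019-04-02T10:00:40Z host=db1 service=mongodb src=203.0.113.9 user=alice result=success
2019-04-02T10:05:00Z host=web1 service=phpmyadmin src=192.0.2.44 user=bob result=fail
"""


def parse_line(line):
    """Split one constructed log line into a dict; the timestamp becomes a datetime."""
    ts, *fields = line.split()
    event = dict(f.split("=", 1) for f in fields)
    event["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return event


def find_scanners(log_text, min_hosts=3, min_services=2, window=timedelta(minutes=2)):
    """Return {src: summary} for sources whose failed logins, inside any
    `window`-long span, touch at least min_hosts distinct hosts and
    min_services distinct services. Thresholds are assumed, tune per site."""
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]

    # Only failed attempts matter for the scanning pattern; group them by source.
    by_src = defaultdict(list)
    for e in events:
        if e["result"] == "fail":
            by_src[e["src"]].append(e)

    flagged = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        # Sliding window over this source's failures, ordered by time.
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            span = evs[start:end + 1]
            hosts = {e["host"] for e in span}
            services = {e["service"] for e in span}
            if len(hosts) >= min_hosts and len(services) >= min_services:
                # Keep the widest qualifying window seen for this source.
                if src not in flagged or len(hosts) > len(flagged[src]["hosts"]):
                    flagged[src] = {
                        "hosts": sorted(hosts),
                        "services": sorted(services),
                        "attempts": len(span),
                        "first_seen": span[0]["ts"].isoformat(),
                    }
    return flagged


if __name__ == "__main__":
    for src, summary in find_scanners(SAMPLE_LOG).items():
        print(src, summary)
```

On the constructed sample only 198.51.100.7 is flagged: it fails against five hosts and four services in eight seconds, while the other two sources each fail once (one of them then succeeds, an ordinary user mistyping a password). The breadth test is what separates reconnaissance from a single user locked out of one service, and it needs no list of default passwords; it only needs authentication logs from the exposed services to be collected centrally, which is also where a defender will notice which services should not have been reachable from the Internet in the first place.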