From securityaffairs.co
Researchers at AT&T Alien Labs have spotted a new piece of malware, called Xwo, that is actively scanning the Internet for exposed web services and default passwords.
The name "Xwo" comes from the main module of the Python-based malware; the malicious code is served as xwo.exe.
"Recently, AT&T Alien Labs identified a new malware family that is actively scanning for exposed web services and default passwords," reads the post published by Alien Labs.
"Based on our findings we are calling it 'Xwo' – taken from its primary module name. It is likely related to the previously reported malware families Xbash and MongoLock."
Xwo's code is similar to that of MongoLock, a family of ransomware that hits exposed MongoDB servers and wipes their content, then demands a ransom payment to recover the data.
Experts also observed that Xwo and MongoLock use similar command and control (C&C) domain naming and show overlaps in C&C infrastructure. Unlike MongoLock, Xwo does not implement any ransomware or exploitation capabilities: the malware acts as an information stealer, sending the credentials it harvests and details of the services it can reach back to the C&C infrastructure.
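From a defender's side, the behaviour described above (one source trying logins against many different exposed services in quick succession) is itself detectable in service logs. The following is an added example, not code from the article or from Alien Labs: it parses a constructed, simplified log format (timestamp, service name, source IP, outcome; an assumption, not any real product's format) and flags sources whose failed logins span many distinct services within a short window. The service names, addresses and thresholds are constructed for illustration.

```python
"""Flag sources whose failed logins span many services in a short window.

Added defender-side example. The log format below is an assumption
(one line per login attempt: <ISO timestamp> <service> <src_ip> <outcome>);
adapt parse_line() to whatever your collectors actually emit.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not real captures): one source sweeps six
# services in a few seconds, one retries SSH a few times, one fails once.
SAMPLE_LOG = """\
2019-04-02T10:00:01 ssh 198.51.100.7 failed
2019-04-02T10:00:02 ftp 198.51.100.7 failed
2019-04-02T10:00:03 mysql 198.51.100.7 failed
2019-04-02T10:00:04 mongodb 198.51.100.7 failed
2019-04-02T10:00:05 redis 198.51.100.7 failed
2019-04-02T10:00:06 phpmyadmin 198.51.100.7 failed
2019-04-02T10:05:00 ssh 203.0.113.9 failed
2019-04-02T10:05:30 ssh 203.0.113.9 failed
2019-04-02T10:06:00 ssh 203.0.113.9 ok
2019-04-02T12:00:00 ftp 192.0.2.44 failed
"""


def parse_line(line):
    """Split one log line into (timestamp, service, source IP, outcome)."""
    ts, service, src, outcome = line.split()
    return datetime.fromisoformat(ts), service, src, outcome


def find_scanners(log_text, min_services=4, window=timedelta(minutes=10)):
    """Return {src_ip: sorted service names} for every source that failed
    logins against at least `min_services` distinct services inside any
    time window of length `window`. Successful logins are ignored here;
    a real pipeline would alert on those separately."""
    failures = defaultdict(list)  # src_ip -> [(timestamp, service), ...]
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, service, src, outcome = parse_line(line)
        if outcome == "failed":
            failures[src].append((ts, service))

    flagged = {}
    for src, events in failures.items():
        events.sort()  # sliding window needs time order
        best = set()
        start = 0
        for end in range(len(events)):
            # advance the window start until it fits within `window`
            while events[end][0] - events[start][0] > window:
                start += 1
            services = {svc for _, svc in events[start:end + 1]}
            if len(services) > len(best):
                best = services
        if len(best) >= min_services:
            flagged[src] = sorted(best)
    return flagged


if __name__ == "__main__":
    for src, services in find_scanners(SAMPLE_LOG).items():
        print(f"{src}: failed logins against {', '.join(services)}")
```

The threshold on distinct services, rather than on raw attempt count, is what separates a sweep across everything listening on a host from an ordinary user mistyping one password a few times; tune `min_services` and `window` to the mix of services your hosts actually expose.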
Experts also discovered that Xwo's Python script borrows code from XBash. XBash was discovered by Palo Alto Networks in September 2018 and targets both Linux and Microsoft Windows servers.