Connect with us

Hi, what are you looking for?



New ‘Xwo’ Malware Looks for Exposed Services, Default Passwords

A recently identified malware family is actively scanning the Internet for exposed web services and default passwords, AT&T Alien Labs reports.

A recently identified malware family is actively scanning the Internet for exposed web services and default passwords, AT&T Alien Labs reports.

The firm that resulted from AT&T’s acquisition of AlienVault calls the new malware Xwo, based on the name of the threat’s primary module.

Likely related to the Xbash and MongoLock malware families, the threat was observed being served under the name of xwo.exe.

Xwo, AT&T Alien Labs’ security researchers say, uses Python-based code similar to that of MongoLock, a piece of ransomware that wipes MongoDB servers and demands that admins pay a ransom to recover their data.

Additionally, both Xwo and MongoLock use similar command and control (C&C) domain naming, and show overlaps in C&C infrastructure.

Xwo, however, does not include ransomware or exploitation capabilities, but only gathers credentials and service access information and sends all data back to the C&C.

The researchers also discovered that the Xwo’s Python script contains code copied from XBash, the destructive Linux malware that targets enterprise intranets and which is believed to be connected to the Iron Group threat actor.

Advertisement. Scroll to continue reading.

At the moment, Alien Labs is uncertain whether Xwo is related to the Iron Group as well, or if it only uses code that has been shared publicly.

Upon execution, Xwo connects to the C&C server and then starts scanning a network range provided by the server to start its reconnaissance activity and send gathered data to the attackers.

It collects information on the use of default credentials for FTP, MySQL, PostgreSQL, MongoDB, Redis and Memcached services; Tomcat default credentials and misconfigurations; default SVN and Git paths; Git repositoryformatversion content; PhpMyAdmin details; www/backup paths; RealVNC Enterprise Direct Connect details; and RSYNC accessibility.

“While Xwo steps away from a variety of malicious features […], such as ransomware or exploits, the general use and potential it holds can be damaging for networks around the globe. Xwo is likely a new step to an advancing capability, and we expect the full value of this information collection tool to be acted on in the future,” Alien Labs concludes.

Related: Xbash Malware Uninstalls Cloud Security Products

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


Luxury retailer Neiman Marcus Group informed some customers last week that their online accounts had been breached by hackers.


As it evolves, web3 will contain and increase all the security issues of web2 – and perhaps add a few more.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


Satellite TV giant Dish Network confirmed that a recent outage was the result of a cyberattack and admitted that data was stolen.


Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.

Artificial Intelligence

The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.

Artificial Intelligence

The degree of danger that may be introduced when adversaries start to use AI as an effective weapon of attack rather than a tool...