A recently identified malware family is actively scanning the Internet for exposed web services and default passwords, AT&T Alien Labs reports.
The firm that resulted from AT&T’s acquisition of AlienVault calls the new malware Xwo, based on the name of the threat’s primary module.
Likely related to the Xbash and MongoLock malware families, the threat was observed being served under the name of xwo.exe.
Xwo, AT&T Alien Labs’ security researchers say, uses Python-based code similar to that of MongoLock, a piece of ransomware that wipes MongoDB servers and demands that admins pay a ransom to recover their data.
Additionally, both Xwo and MongoLock use similar command and control (C&C) domain naming, and show overlaps in C&C infrastructure.
Xwo, however, does not include ransomware or exploitation capabilities, but only gathers credentials and service access information and sends all data back to the C&C.
The researchers also discovered that the Xwo’s Python script contains code copied from XBash, the destructive Linux malware that targets enterprise intranets and which is believed to be connected to the Iron Group threat actor.
At the moment, Alien Labs is uncertain whether Xwo is related to the Iron Group as well, or if it only uses code that has been shared publicly.
Upon execution, Xwo connects to the C&C server and then starts scanning a network range provided by the server to start its reconnaissance activity and send gathered data to the attackers.
It collects information on the use of default credentials for FTP, MySQL, PostgreSQL, MongoDB, Redis and Memcached services; Tomcat default credentials and misconfigurations; default SVN and Git paths; Git repositoryformatversion content; PhpMyAdmin details; www/backup paths; RealVNC Enterprise Direct Connect details; and RSYNC accessibility.
“While Xwo steps away from a variety of malicious features […], such as ransomware or exploits, the general use and potential it holds can be damaging for networks around the globe. Xwo is likely a new step to an advancing capability, and we expect the full value of this information collection tool to be acted on in the future,” Alien Labs concludes.
Related: Xbash Malware Uninstalls Cloud Security Products
More from Ionut Arghire
- Information of 2.5M People Stolen in Ransomware Attack at Massachusetts Health Insurer
- US, South Korea Detail North Korea’s Social Engineering Techniques
- High-Severity Vulnerabilities Patched in Splunk Enterprise
- Enzo Biochem Ransomware Attack Exposes Information of 2.5M Individuals
- Google Temporarily Offering $180,000 for Full Chain Chrome Exploit
- Toyota Discloses New Data Breach Involving Vehicle, Customer Information
- Adobe Inviting Researchers to Private Bug Bounty Program
- Critical Vulnerabilities Found in Faronics Education Software
Latest News
- In Other News: Government Use of Spyware, New Industrial Security Tools, Japan Router Hack
- OpenAI Unveils Million-Dollar Cybersecurity Grant Program
- Galvanick Banks $10 Million for Industrial XDR Technology
- Information of 2.5M People Stolen in Ransomware Attack at Massachusetts Health Insurer
- US, South Korea Detail North Korea’s Social Engineering Techniques
- High-Severity Vulnerabilities Patched in Splunk Enterprise
- Idaho Hospitals Working to Resume Full Operations After Cyberattack
- Enzo Biochem Ransomware Attack Exposes Information of 2.5M Individuals
