Experts at AT&T Alien Labs discovered a new piece of malware called
Xwo that is actively scanning the Internet for exposed web services and default passwords.
The name ‘
“Recently, AT&T Alien Labs identified a new malware family that is actively scanning for exposed web services and default passwords.” reads the post published by Alien Labs.
Xwo's code is similar to that of MongoLock, a family of ransomware that hit MongoDB servers and
Experts also observed that both Xwo and MongoLock use similar command and control (C&C) domain naming, and show overlaps in C&C infrastructure.
Experts also found that Xwo's Python script borrows code from Xbash. Xbash was discovered by Palo Alto Networks in September 2018 and targets both Linux and Microsoft Windows servers.
Xbash was developed in Python; the authors then converted it into self-contained Linux ELF executables for distribution by abusing the legitimate packaging tool PyInstaller.
The malicious code combines features from different families of malware such as ransomware, cryptocurrency miners, botnets, and worms.
Xbash was attributed to a well-known crime gang tracked as the Iron Group. The Iron cybercrime group has been active since at least 2016 and is known for the Iron ransomware, but over the years it has built various strains of malware, including backdoors, cryptocurrency miners, and ransomware, targeting both mobile and desktop systems.
However, at the time of writing, Alien Labs has not attributed Xwo to the Iron Group.
Once executed, Xwo connects to its C&C server and receives instructions to scan a specified network range. It starts the scans and
Experts warn of potential damages that the malware can cause to networks around the globe.
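The behavior described above, seen from the defender's side, as an added example that is not Xwo's code and not Alien Labs' analysis: a small Python audit that walks a network range, finds web services answering on a port, and reports which ones serve content with no credentials at all or accept a short list of default credentials. The credential list, the port, the URL path and the in-process "vulnerable" HTTP service it scans against are all assumptions constructed for the example.

```python
"""Defender-side audit for what an Xwo-style scanner looks for: web services
reachable on a network range that accept no credentials or vendor defaults.

Added example; not Xwo's code and not Alien Labs' analysis. The credential
list, the port, the URL path and the in-process vulnerable service are all
assumptions constructed for the example."""
import base64
import http.client
import ipaddress
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

# Assumed default credential list; real audits use vendor-specific lists.
DEFAULT_CREDENTIALS = [("admin", "admin"), ("admin", "password"), ("root", "root")]


def _basic_auth(username, password):
    """Build an HTTP Basic Authorization header value."""
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    return f"Basic {token}"


def http_status(host, port, credentials=None, path="/", timeout=2.0):
    """GET `path` on host:port, optionally with Basic auth.

    Returns the HTTP status code, or None if the port is closed, filtered,
    times out, or does not speak HTTP."""
    headers = {}
    if credentials is not None:
        headers["Authorization"] = _basic_auth(*credentials)
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("GET", path, headers=headers)
        resp = conn.getresponse()
        resp.read()
        return resp.status
    except (OSError, http.client.HTTPException):
        return None
    finally:
        conn.close()


def audit_host(host, port, path="/", timeout=2.0):
    """Classify one web service.

    None                   -> unreachable or not HTTP
    ("open", None, None)   -> serves content with no credentials at all
    ("default", user, pw)  -> challenges, but accepts a default pair
    ("auth", None, None)   -> challenges and rejects every default pair"""
    status = http_status(host, port, None, path, timeout)
    if status is None:
        return None
    if status < 400:
        return ("open", None, None)
    for user, pw in DEFAULT_CREDENTIALS:
        status = http_status(host, port, (user, pw), path, timeout)
        if status is not None and status < 400:
            return ("default", user, pw)
    return ("auth", None, None)


def scan_range(cidr, port, path="/", timeout=0.5):
    """Audit every address in `cidr`; return {host: finding} for reachable ones."""
    net = ipaddress.ip_network(cidr, strict=False)
    hosts = list(net.hosts()) or [net.network_address]
    findings = {}
    for addr in hosts:
        finding = audit_host(str(addr), port, path, timeout)
        if finding is not None:
            findings[str(addr)] = finding
    return findings


class _DefaultCredHandler(BaseHTTPRequestHandler):
    """Constructed stand-in for an exposed admin panel still on its factory password."""
    ACCEPTED = _basic_auth("admin", "admin")

    def do_GET(self):
        if self.headers.get("Authorization") == self.ACCEPTED:
            status, body = 200, b"welcome, admin\n"
        else:
            status, body = 401, b"unauthorized\n"
        self.send_response(status)
        if status == 401:
            self.send_header("WWW-Authenticate", 'Basic realm="admin"')
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):
        pass  # keep the example quiet


def start_demo_server():
    """Serve the constructed vulnerable panel on an ephemeral loopback port."""
    server = HTTPServer(("127.0.0.1", 0), _DefaultCredHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


def demo():
    """Scan a /32 containing only the demo service and return the findings."""
    server, port = start_demo_server()
    try:
        return scan_range("127.0.0.1/32", port)
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    for host, (kind, user, pw) in demo().items():
        print(f"{host}: {kind}" + (f" ({user}:{pw})" if user else ""))
```

Run it only against ranges you own. A "default" or "open" finding is exactly what an Internet-wide scanner will also find, so the service should be re-credentialed or taken off the public Internet; a `None` result means closed, filtered or not HTTP, not safe, since this check speaks only HTTP and covers none of the other protocols such malware probes.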
(SecurityAffairs – Xwo, malware)