Experts at AT&T Alien Labs discovered a new piece of malware called
Xwo that is actively scanning the Internet for exposed web services and default passwords.
The name ‘
“Recently, AT&T Alien Labs identified a new malware family that is actively scanning for exposed web services and default passwords.” reads the post published by Alien Labs.
Xwo code is similar to that the MongoLock, a family of ransomware that hit MongoDB servers and
Experts also observed that both Xwo and MongoLock use similar command and control (C&C) domain naming, and show overlaps in C&C infrastructure.
Experts also discovered that the Xwo’s Python script borrows code from XBash. XBash was discovered by Palo Alto Networks in September 2018, it targets both Linux and Microsoft Windows servers.
Xbash was developed using Python, then the authors converted into self-contained Linux ELF executables by abusing the legitimate tool PyInstaller for distribution.
The malicious code combines features from different families of malware such as ransomware, cryptocurrency miners, botnets, and worms.
The malware was attributed to a popular crime gang tracked as the Iron Group. The Iron cybercrime group has been active since at least 2016, is known for the Iron ransomware but across the years it is built various strain of malware, including backdoors, cryptocurrency miners, and ransomware to target both mobile and desktop systems.
Anyway, at the time of writing, Alien Labs did not attribute Xwo to the Iron Group.
Once executed, Xwo connects to the C&C server and receives instructions to scan a specific network range provided. It starts the scans and
Experts warn of potential damages that the malware can cause to networks around the globe.
(SecurityAffairs – Xwo, malware)