Newly identified Xwo malware could be laying the groundwork for far more damaging cyberattacks around the globe, warn researchers.
A new form of malware is scanning the internet for exposed web services and default passwords in what’s thought to be a reconnaissance operation – one which might signal a larger cyberattack is to come.
Researchers at AT&T Alien Labs first spotted the malware in March and have named it Xwo after its primary module name. It’s thought that Xwo could be related to two other forms of malicious software – MongoLock ransomware and X Bash, a malware that rolls ransomware, a coinminer, a botnet and a worm into one – due to similarities in the Python-based code.
But unlike MongoLock and Xbash, Xwo doesn’t have any ransomware, cryptocurrency mining or any other similar money-making capabilities: it’s main focus is scanning for credentials and exposed services and sending information back to its command and control server.
It’s this infrastructure which has previously been associated with MongoLock and follows a pattern of creating domains that mimic the websites of cybersecurity firms and news websites, and registering them with .tk – the country code top-level domain for Tokelau, a territory of New Zealand in the South Pacific.
It’s still uncertain how Xwo started spreading or how it gains access to internet-connected machines, but the malware is designed to conduct reconnaissance and send back information to to the command and control server through an HTTP POST request.
Xwo collects information about the use of default credentials in services such as FTP, MySQL, PostgreSQL, MongoDB, Redis, Memcached, as well as default credentials and misconfigurations for Tomcat, an open source implementation of the Java Servlet.
The malware also looks to collect information about Default SVN and Git paths, Git repository format version content, PhP admin details and more. It’s highly likely the bot is conducting surveillance of weak points that can be exploited in more damaging attacks further down the line.
“This malware is entirely scanning-based. It will attempt to identify valuable targets and report back the details to a C2 server. It is our belief that this insight is then used by the attacker for further attacks outside of Xwo,” Tom Hegel, security researcher at AT&T Alien Labs, told ZDNet.
“While Xwo steps away from a variety of malicious features… such as ransomware or exploits, the general use and potential it holds can be damaging for networks around the globe,” he said.
However, if the group behind Xwo is linked to the attackers behind XBash and MongoLock, it doesn’t necessarily mean they’ve left ransomware behind – it’s likely they’re examining another new means of attack to help expand their cyber arsenal.
“Xwo may not be a major shift in the adversary changing tactics, but rather them experimenting with different capabilities. Based on our assessment of the relation to XBash and MongoLock, the adversary has historically been diverse in their toolset,” said Hegel.
To help counter the threat of Xwo, Alien Labs has published a full list of the malware’s Indicators of Compromise.
Researchers also recommend that network owners should avoid the use of default service credentials and ensure publicly accessible services are restricted when possible, preventing Xwo and other scanning malware from easily making off with information.
CloudFlare has been alerted about the malicious C2 domains, which have since been terminated, but it’s likely the attackers will return with new malicious servers to host their activity.