This new malware is scanning the internet for systems info on valuable targets

silversurfer

Aug 17, 2014
A new form of malware is scanning the internet for exposed web services and default passwords in what's thought to be a reconnaissance operation – one which might signal a larger cyberattack is to come.

Researchers at AT&T Alien Labs first spotted the malware in March and have named it Xwo after its primary module name. It's thought that Xwo could be related to two other forms of malicious software – MongoLock ransomware and Xbash, a malware that rolls ransomware, a coinminer, a botnet and a worm into one – due to similarities in the Python-based code.

But unlike MongoLock and Xbash, Xwo doesn't have any ransomware, cryptocurrency mining or any other similar money-making capabilities: its main focus is scanning for credentials and exposed services and sending information back to its command and control server.

It's this infrastructure which has previously been associated with MongoLock and follows a pattern of creating domains that mimic the websites of cybersecurity firms and news websites, and registering them with .tk – the country code top-level domain for Tokelau, a territory of New Zealand in the South Pacific.

It's still uncertain how Xwo started spreading or how it gains access to internet-connected machines, but the malware is designed to conduct reconnaissance and send back information to the command and control server through an HTTP POST request.

Xwo collects information about the use of default credentials in services such as FTP, MySQL, PostgreSQL, MongoDB, Redis, Memcached, as well as default credentials and misconfigurations for Tomcat, an open source implementation of the Java Servlet.

The malware also looks to collect information about default SVN and Git paths, Git repository format version content, PHP admin details and more. It's highly likely the bot is conducting surveillance of weak points that can be exploited in more damaging attacks further down the line.
 
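Added example, not part of the post or of the Alien Labs research: since the bot's reconnaissance is HTTP-based, the probes it sends for exposed Git and SVN directories, Tomcat manager and phpMyAdmin leave a recognisable trail in ordinary web server access logs. The script below parses common-log-format lines, flags any source IP that probes several of those locations in one log, and separately reports probes that got a 2xx response, because a 200 on `/.git/config` means the repository (and its `repositoryformatversion` line) is genuinely reachable rather than merely being looked for. The probe path list and the log lines are constructed for this example; the post names the categories but no exact URLs.

```python
import re
from collections import defaultdict

# Assumed probe locations for the artifact classes named in the post (Git/SVN
# metadata, Tomcat manager, phpMyAdmin). The list is an assumption for this
# example, not taken from the Xwo code; extend it with what your own environment
# considers sensitive. Matching is by case-insensitive path prefix so that
# /.git/objects/... or /.svn/wc.db are caught as well as the obvious files.
RECON_PREFIXES = [
    ("/.git/", "exposed git repository"),
    ("/.svn/", "exposed svn working copy"),
    ("/manager/html", "tomcat manager"),
    ("/host-manager/html", "tomcat host-manager"),
    ("/phpmyadmin", "phpmyadmin"),
    ("/pma/", "phpmyadmin"),
]

# Common log format: ip ident user [timestamp] "METHOD path proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample log: one host sweeping the usual locations (note the 200 on
# /.git/config), and a normal visitor who happens to hit a single 404.
SAMPLE_LOG = """\
203.0.113.7 - - [01/Apr/2019:10:01:02 +0000] "GET /.git/HEAD HTTP/1.1" 404 162 "-" "python-requests/2.21.0"
203.0.113.7 - - [01/Apr/2019:10:01:03 +0000] "GET /.git/config HTTP/1.1" 200 311 "-" "python-requests/2.21.0"
203.0.113.7 - - [01/Apr/2019:10:01:04 +0000] "GET /.svn/entries HTTP/1.1" 404 162 "-" "python-requests/2.21.0"
203.0.113.7 - - [01/Apr/2019:10:01:05 +0000] "GET /manager/html HTTP/1.1" 401 0 "-" "python-requests/2.21.0"
203.0.113.7 - - [01/Apr/2019:10:01:06 +0000] "GET /phpmyadmin/?lang=en HTTP/1.1" 404 162 "-" "python-requests/2.21.0"
198.51.100.20 - - [01/Apr/2019:10:02:00 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
198.51.100.20 - - [01/Apr/2019:10:02:01 +0000] "GET /.git/HEAD HTTP/1.1" 404 162 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Return the named fields of one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def strip_query(path):
    """Drop the query string so /phpmyadmin/?lang=en and /phpmyadmin/ compare equal."""
    return path.split("?", 1)[0]


def classify_path(path):
    """Return the recon category for a request path, or None if it is not one we track."""
    p = strip_query(path).lower()
    for prefix, label in RECON_PREFIXES:
        if p.startswith(prefix):
            return label
    return None


def scan_log(lines, threshold=3):
    """Scan access-log lines for reconnaissance of the tracked locations.

    Returns (scanners, exposures):
      scanners  - {ip: sorted distinct probe paths} for IPs that probed at least
                  `threshold` distinct tracked paths (a single stray 404 is not a scan).
      exposures - [(ip, path, label)] for probes answered with 2xx, i.e. the
                  artifact is actually reachable and should be fixed, not just watched.
    """
    probes = defaultdict(set)
    exposures = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        label = classify_path(rec["path"])
        if label is None:
            continue
        path = strip_query(rec["path"])
        probes[rec["ip"]].add(path)
        if rec["status"].startswith("2"):
            exposures.append((rec["ip"], path, label))
    scanners = {ip: sorted(paths) for ip, paths in probes.items() if len(paths) >= threshold}
    return scanners, exposures


if __name__ == "__main__":
    scanners, exposures = scan_log(SAMPLE_LOG.splitlines())
    for ip, paths in scanners.items():
        print(f"recon scanner {ip}: {len(paths)} distinct probes -> {paths}")
    for ip, path, label in exposures:
        print(f"EXPOSED ({label}): {path} served 2xx to {ip}")
```

Run against a real log with `scan_log(open("access.log").readlines())`. The threshold keeps a single mis-typed URL from being reported as a scan, while the exposures list is deliberately unthresholded: one successful fetch of `.git/config` is already a finding, whoever requested it.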

zzz00m

Jun 10, 2017
When you read stories like this, do you ever wonder if real people are not behind it, but that maybe somebody has unleashed a massive AI bot that writes code and is just learning and growing as it explores the net? Machine learning at its finest!
 
