Xwo, a newly revealed web-service vulnerability-scanning malware discovered by AT&T's Alien Labs, takes its name from the dropper that serves as its propagation module, a file named xwo.exe. Unlike typical ransomware, which immediately starts encrypting user files, Xwo behaves as a monitoring tool. Initial analysis shows that it installs itself on a system to watch for the passwords of certain system services; when a login credential is captured, it logs the information and sends it to its operators through its command-and-control (C2) infrastructure.
“The Alien Labs findings around Xwo introduce yet another iteration from what has been a rather publicity-attracting adversary. While Xwo steps away from a variety of malicious features observed the entity using, such as ransomware or exploits, the general use and potential it holds can be damaging for networks around the globe. Xwo is likely a new step to an advancing capability, and we expect the full value of this information collection tool to be acted on in the future,” explained Jaime Blasco, Head of Alien Labs, in the team's official blog post.
There is indication that Xwo reuses code from XBash, an older malware that is also written in Python. At the time of writing it has not been confirmed whether Xwo is a successor to XBash or was developed by the same group. There is reasonable suspicion that either the Rocke group or the Iron cybercrime group is behind Xwo, but the evidence gathered so far is not conclusive. The Iron group is known for developing destructive malware, so it would not be surprising for it to also build malware intended for cyber espionage. Xwo could equally serve as a reconnaissance tool for a later attack.
Through reverse engineering, Alien Labs extracted the following indicators of compromise (IOCs) for Xwo. Note that several of the hostnames (cs.pcrisk.xyz, d.pcrisk.xyz, cs.rapid7.xyz) imitate the names of security vendors and should not be mistaken for legitimate traffic:
- FileHash-SHA1: 1faf363809f266bb2d90fb8d3fc43c18253d0048
- FileHash-SHA256: 6408c69e802de04e949ed3047dc1174ef20125603ce7ba5c093e820cb77b1ae1
- FileHash-MD5: fd67a98599b08832cf8570a641712301
- Domain: blockchainbdgpzk.tk
- Domain: flash90sfs0f.tk
- Hostname: clone.flash90sfs0f.tk
- Hostname: cs.pcrisk.xyz
- Hostname: cs.rapid7.xyz
- Hostname: d.pcrisk.xyz
- URL: http://bucket-chain.oss-cn-hongkong.aliyuncs.com/xwo.exe
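To turn the indicators above into something a SOC can act on, here is an added example (not code from Alien Labs or from this article) that loads the published Xwo indicators and sweeps them across proxy, DNS and EDR log lines. The log lines and their field layout are constructed for this example; hostnames are matched exactly or as subdomains of a listed domain, and the hostname inside the download URL is indexed as well.

```python
"""Hunt for the published Xwo indicators in local telemetry.

Added example, not code from Alien Labs. The indicator values are the ones
published for Xwo; the log lines below are constructed for illustration.
"""
import re
from urllib.parse import urlparse

# Indicators exactly as published (type, value).
XWO_IOCS = [
    ("FileHash-SHA1", "1faf363809f266bb2d90fb8d3fc43c18253d0048"),
    ("FileHash-SHA256", "6408c69e802de04e949ed3047dc1174ef20125603ce7ba5c093e820cb77b1ae1"),
    ("FileHash-MD5", "fd67a98599b08832cf8570a641712301"),
    ("domain", "blockchainbdgpzk.tk"),
    ("domain", "flash90sfs0f.tk"),
    ("hostname", "clone.flash90sfs0f.tk"),
    ("hostname", "cs.pcrisk.xyz"),
    ("hostname", "cs.rapid7.xyz"),
    ("hostname", "d.pcrisk.xyz"),
    ("URL", "http://bucket-chain.oss-cn-hongkong.aliyuncs.com/xwo.exe"),
]

# Constructed sample telemetry (proxy, DNS and EDR events); not real logs.
SAMPLE_LOGS = [
    "2019-04-02T10:01:12Z proxy CONNECT cs.pcrisk.xyz:443 from 10.0.0.5 allow",
    "2019-04-02T10:03:40Z dns query A clone.flash90sfs0f.tk from 10.0.0.7",
    "2019-04-02T10:04:01Z proxy GET http://bucket-chain.oss-cn-hongkong.aliyuncs.com/xwo.exe 200 10.0.0.7",
    "2019-04-02T10:05:00Z proxy GET https://www.example.com/ 200 10.0.0.5",
    "2019-04-02T10:06:10Z edr new_file C:\\Users\\Public\\xwo.exe sha256=6408c69e802de04e949ed3047dc1174ef20125603ce7ba5c093e820cb77b1ae1",
]


def build_index(iocs):
    """Split indicators into lookup sets. The host part of each URL indicator
    is also indexed so a bare DNS query for it is caught."""
    hashes, names, urls = set(), set(), set()
    for kind, value in iocs:
        kind, value = kind.lower(), value.strip().lower()
        if kind.startswith("filehash"):
            hashes.add(value)
        elif kind in ("domain", "hostname"):
            names.add(value)
        elif kind == "url":
            urls.add(value)
            host = urlparse(value).hostname
            if host:
                names.add(host)
    return {"hashes": hashes, "names": names, "urls": urls}


def name_matches(host, names):
    """True if host is a listed name or a subdomain of a listed domain.
    Parents of a listed hostname (e.g. pcrisk.xyz) are deliberately not matched."""
    host = host.lower().rstrip(".")
    return host in names or any(host.endswith("." + n) for n in names)


# Hostnames either inside a URL or standing alone; file hashes by length.
HOST_RE = re.compile(r"https?://([^/\s:]+)|\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.I)
HASH_RE = re.compile(r"\b[0-9a-f]{32}\b|\b[0-9a-f]{40}\b|\b[0-9a-f]{64}\b", re.I)


def scan_line(line, index):
    """Return a list of (indicator_type, value) hits for one log line."""
    hits = []
    for m in HOST_RE.finditer(line):
        host = m.group(1) or m.group(2)
        if name_matches(host, index["names"]):
            hits.append(("host", host.lower()))
    for m in HASH_RE.finditer(line):
        if m.group(0).lower() in index["hashes"]:
            hits.append(("hash", m.group(0).lower()))
    for url in index["urls"]:
        if url in line.lower():
            hits.append(("url", url))
    return hits


def hunt(lines, iocs=XWO_IOCS):
    """Return [(line, hits)] for every line that touches an indicator."""
    index = build_index(iocs)
    findings = []
    for line in lines:
        hits = scan_line(line, index)
        if hits:
            findings.append((line, hits))
    return findings


if __name__ == "__main__":
    for line, hits in hunt(SAMPLE_LOGS):
        print(hits, "<-", line)
```

Feed real proxy or DNS exports through `hunt()` instead of `SAMPLE_LOGS`; a hit on the download URL or the hash is a direct sign of the dropper, while a hit on the C2 hostnames alone indicates a host that is already reporting scan results.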
According to the researchers, Xwo runs in memory and scans for the following exposed services, default credentials and misconfigurations:
- Web (www) backup paths.
- Tomcat default credentials and misconfigurations.
- Git repositoryformatversion content (i.e. exposed .git/config files).
- phpMyAdmin details.
- RealVNC Enterprise Direct Connect.
- Exposed rsync.
- Default SVN and Git paths.
- Default credentials in FTP, MySQL, PostgreSQL, MongoDB, Redis and Memcached.
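The checks in the list above are the same ones a defender can run against their own perimeter before a scanner like Xwo does. The following is an added example (not code from Alien Labs or from the Xwo sample) that probes a host for an unauthenticated Redis, a reachable Memcached, an exposed .git/config, guessable backup archives and a Tomcat manager that accepts default credentials. The probe payloads and response rules follow the public wire formats of each service; the Tomcat credential pairs and backup paths are assumptions representative of what scanners try, not Xwo's own list, and the audit must only be run against hosts you are authorised to test.

```python
"""Self-audit for the exposures Xwo looks for.

Added example, not code from Alien Labs or the Xwo sample. TOMCAT_DEFAULTS
and BACKUP_PATHS are assumed, representative lists, not Xwo's own.
"""
import base64
import http.client
import socket

# Assumed lists: typical defaults a scanner would try, not taken from Xwo.
TOMCAT_DEFAULTS = [("tomcat", "tomcat"), ("admin", "admin"), ("admin", "")]
BACKUP_PATHS = ["/backup.zip", "/www.zip", "/wwwroot.zip", "/backup.tar.gz"]


def classify_redis(reply):
    """Interpret the reply to a RESP 'PING': an unauthenticated Redis answers
    +PONG, one with requirepass set answers -NOAUTH."""
    if reply.startswith(b"+PONG"):
        return "open"
    if reply.startswith(b"-NOAUTH"):
        return "protected"
    return "unknown"


def classify_memcached(reply):
    """Interpret the reply to the text-protocol 'stats' command; memcached has
    no authentication, so any STAT line means the daemon is reachable."""
    return "open" if reply.startswith(b"STAT ") else "unknown"


def classify_git_config(status, body):
    """GET /.git/config: a 200 whose body carries the [core] key
    repositoryformatversion means the repository metadata is being served."""
    if status == 200 and b"repositoryformatversion" in body:
        return "open"
    return "protected" if status in (401, 403, 404) else "unknown"


def classify_tomcat_manager(status):
    """Verdict for GET /manager/html sent with a default Basic credential."""
    if status == 200:
        return "open"        # default credential accepted
    if status == 401:
        return "protected"   # manager reachable, credential rejected
    if status in (403, 404):
        return "absent"      # manager app not exposed on this port
    return "unknown"


def basic_auth_header(user, password):
    """RFC 7617 Basic credential header."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return {"Authorization": "Basic " + token}


def tcp_probe(host, port, payload, timeout=3.0):
    """Send one payload and return up to 1 KiB of reply."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(payload)
        return sock.recv(1024)


def http_get(host, port, path, headers=None, timeout=3.0):
    """Return (status, first 4 KiB of body) for a plain-HTTP GET."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("GET", path, headers=headers or {})
        resp = conn.getresponse()
        return resp.status, resp.read(4096)
    finally:
        conn.close()


def audit_host(host, web_port=80, tomcat_port=8080):
    """Run every check against one host; connection errors count as 'closed'."""
    findings = {}
    try:
        findings["redis"] = classify_redis(tcp_probe(host, 6379, b"PING\r\n"))
    except OSError:
        findings["redis"] = "closed"
    try:
        findings["memcached"] = classify_memcached(tcp_probe(host, 11211, b"stats\r\n"))
    except OSError:
        findings["memcached"] = "closed"
    try:
        findings["git_config"] = classify_git_config(*http_get(host, web_port, "/.git/config"))
    except OSError:
        findings["git_config"] = "closed"
    findings["backups"] = []
    for path in BACKUP_PATHS:
        try:
            if http_get(host, web_port, path)[0] == 200:
                findings["backups"].append(path)
        except OSError:
            break
    findings["tomcat"] = "protected"
    for user, pw in TOMCAT_DEFAULTS:
        try:
            status, _ = http_get(host, tomcat_port, "/manager/html", basic_auth_header(user, pw))
        except OSError:
            findings["tomcat"] = "closed"
            break
        verdict = classify_tomcat_manager(status)
        if verdict != "protected":
            findings["tomcat"] = f"open ({user}:{pw})" if verdict == "open" else verdict
            break
    return findings


if __name__ == "__main__":
    import sys
    print(audit_host(sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"))
```

Any "open" verdict is exactly what Xwo would report back to its operators: bind Redis and Memcached to localhost or require authentication, deny web access to .git/ and stray archives, and remove or re-credential the Tomcat manager application.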
“Network owners should avoid the use of default service credentials and ensure publicly accessible services are restricted when possible. We are unable to assess what exactly the operators behind Xwo will use this information for, but based on links to Xbash we expect it to be abused for further malicious activity in time,” concluded Chris Doman, Threat Engineer at AlienVault.