
Xwo Bot Scanner

By GoldSparrow in Trojans

The Xwo Bot Scanner, or Xwo Trojan, is a Python-based piece of malware that AT&T Cybersecurity researchers identified in early April 2019. It shares several traits with the MongoLock Ransomware and the Xbash multipurpose malware: similar code fragments, the same naming scheme for its Command and Control (C&C) domains, and the same structure of C&C communication. Unlike MongoLock, which was built to wipe MongoDB servers and then extort a ransom, Xwo has no proper ransom functionality of its own.

Instead, Xwo scans networks for publicly reachable services. When it finds one, it tests whether the service still accepts default credentials, covering FTP, MongoDB and MySQL among others. The scanner also probes for, and records, exposed SVN and Git paths and other potentially exploitable details about the target. Everything it collects, credentials included, is sent back to its C&C servers, where the operators behind the Xwo Bot Scanner can retrieve it.
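The probing of exposed Git and SVN paths described above leaves a recognizable footprint in a web server's access log. The following detector is an added example written for this page, not code from the original article or from the Xwo malware itself: it parses constructed combined-format log lines, groups requests per source IP, and flags an IP that touches several distinct probe categories (repository metadata, admin panels, backup archives). It separately reports probes that were answered with HTTP 200, because a successful probe means the path is genuinely exposed, which is what matters for remediation. The path lists, thresholds and sample log entries are illustrative assumptions, not indicators published for Xwo.

```python
"""Flag Xwo-style path reconnaissance in web server access logs (added example)."""
import re
from collections import defaultdict

# Matches Common/Combined Log Format lines such as:
# 203.0.113.7 - - [02/Apr/2019:10:14:02 +0000] "GET /.git/config HTTP/1.1" 200 312 "-" "python-requests/2.21.0"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

# Illustrative probe categories (assumption, not an Xwo indicator list):
# exact paths, or directory prefixes when the pattern ends with "/".
PROBE_CATEGORIES = {
    "git": ("/.git/config", "/.git/head", "/.git/index"),
    "svn": ("/.svn/entries", "/.svn/wc.db"),
    "phpmyadmin": ("/phpmyadmin/", "/pma/"),
    "backup": ("/www.zip", "/www.tar.gz", "/backup.zip", "/backup.tar.gz"),
}


def classify_path(path):
    """Return the probe category a request path falls into, or None."""
    p = path.split("?", 1)[0].lower()          # drop query string, normalise case
    for category, patterns in PROBE_CATEGORIES.items():
        for pat in patterns:
            if p == pat or (pat.endswith("/") and p.startswith(pat)):
                return category
    return None


def parse_line(line):
    """Parse one access-log line into a dict, or None if it is not in log format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def analyze(lines, min_categories=2):
    """Return (scanners, exposures).

    scanners:  {ip: sorted categories} for IPs that probed at least
               `min_categories` distinct categories (scanner-like behaviour).
    exposures: [(ip, path, category)] for probes answered with HTTP 200,
               i.e. the probed path really is reachable and needs fixing.
    """
    per_ip = defaultdict(set)
    exposures = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue                            # skip malformed lines rather than crash
        category = classify_path(rec["path"])
        if category is None:
            continue
        per_ip[rec["ip"]].add(category)
        if rec["status"] == 200:
            exposures.append((rec["ip"], rec["path"], category))
    scanners = {ip: sorted(cats) for ip, cats in per_ip.items()
                if len(cats) >= min_categories}
    return scanners, exposures


# Constructed sample log (RFC 5737 documentation addresses, not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [02/Apr/2019:10:14:01 +0000] "GET / HTTP/1.1" 200 1043 "-" "python-requests/2.21.0"
203.0.113.7 - - [02/Apr/2019:10:14:02 +0000] "GET /.git/config HTTP/1.1" 200 312 "-" "python-requests/2.21.0"
203.0.113.7 - - [02/Apr/2019:10:14:02 +0000] "GET /.svn/entries HTTP/1.1" 404 162 "-" "python-requests/2.21.0"
203.0.113.7 - - [02/Apr/2019:10:14:03 +0000] "GET /phpMyAdmin/ HTTP/1.1" 404 162 "-" "python-requests/2.21.0"
203.0.113.7 - - [02/Apr/2019:10:14:03 +0000] "GET /www.zip HTTP/1.1" 404 162 "-" "python-requests/2.21.0"
198.51.100.23 - - [02/Apr/2019:10:20:11 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.23 - - [02/Apr/2019:10:20:15 +0000] "GET /.git/HEAD HTTP/1.1" 404 162 "-" "Mozilla/5.0"
192.0.2.9 - - [02/Apr/2019:10:31:40 +0000] "POST /login HTTP/1.1" 302 0 "-" "Mozilla/5.0"
this line is not in combined log format
"""

if __name__ == "__main__":
    scanners, exposures = analyze(SAMPLE_LOG.splitlines())
    for ip, cats in scanners.items():
        print(f"scanner-like source {ip}: probed {', '.join(cats)}")
    for ip, path, cat in exposures:
        print(f"EXPOSED: {path} ({cat}) returned 200 to {ip}")
```

Run against the constructed sample, the single IP that touched four categories is reported as scanner-like, the host that hit only one Git path is not, and `/.git/config` is listed as an actual exposure because the server answered it with 200. In practice the same two outputs drive different actions: scanner IPs feed a blocklist or alert, while exposures are findings to fix on the server regardless of who probed them.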

At the time of the report, the AT&T Cybersecurity researchers could not determine with certainty what the harvested information is used for. Although Xwo currently has no ransomware capability of its own, a future update could add one or otherwise expand its toolkit. Even without that, the number of services that organizations leave reachable from outside their networks, together with the continued use of default credentials on business database platforms, is what makes malware like the Xwo bot scanner a real concern: it needs nothing more than an open port and an unchanged password.

The harvested default MongoDB credentials can also be used to stage a follow-on attack with the actual MongoLock ransomware, which is what makes the Xwo bot scanner a serious threat in its own right.
