Xwo Web Scanner Used to Identify Unprotected MongoDB Databases

Security researchers at AT&T Alien Labs have identified a new ‘malware’ variant that is being used to identify potential targets. The web scanner has been named Xwo, based on the name of its main module.

Xwo is python-based and actively scans for exposed web services and default passwords. Xwo scans for services such as MongoDB, Memcached, MySQL, PostgreSQL, Redis, Tomcat, and FTP for any default credentials that have not been changed. Default paths for SVN, Git, and backup are also copied.

The researchers have found a link between Xwo and two known malware variants, Mongolock and Xbash. MongoLock ransomware is python-based, and is used to wipe exposed MongoDB databases. A ransom is then demanded to restore the database.

Xbash malware includes many functions, including a ransomware component. However, with Xbash, it is not possible to recover encrypted files. The researchers found identical code from Xbash in Xwo, and similar python-based code to that used in MongoLock. C2 domain naming was also similar and there was an overlap in C2 infrastructure.

It is unclear whether the threat actors behind Xbash – a cybercriminal group called Iron – is behind Xwo, or whether the scanner has just incorporated and repurposed publicly available code. Xwo could have been utilized by the group to identify potential targets to attack with Mongolock, Xbash, or another form of malware.

At the time of writing, only 37 AV engines on VirusTotal are detecting the Xwo scanner as a threat.

To protect against attack, it is important for all default credentials to be changed and for complex passwords to be set. Scans should also be performed to identify exposed or publicly accessible services, and these should be disabled or severely restricted.

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of NetSec.news