
Xwo Bot Scanner

Posted: April 5, 2019

Security researchers have come across a new Python-based bot scanner that has been making its way across the Internet, actively scanning for default passwords and exposed Web services. It has been named the Xwo Bot Scanner, after its primary module, and is likely related to the MongoLock and Xbash malware families. However, while MongoLock is full-fledged ransomware that wipes its victims' MongoDB servers and then demands a ransom payment, the Xwo Bot Scanner only gathers information. The similarities between the two lie in the Python-based code, the Command and Control (C2) domain naming, and an overlap in the C2 infrastructure the malware uses to send back the information it collects.

The Xwo Bot Scanner takes an interest in a wide range of information about the systems it manages to reach. Its activities include looking for default credentials in MySQL, PostgreSQL, MongoDB, Tomcat, Redis, Memcached and FTP. The Xwo Bot Scanner also scans for phpMyAdmin details, rsync accessibility, Git repositoryformatversion content, www backup paths, and default SVN and Git paths. The Xwo Bot Scanner gets its instructions from several servers that have been associated with MongoLock:

s.propub3r6espa33w[.]tk
s.blockchainbdgpzk[.]tk
s.pcrisk[.]xyz
s.rapid7[.]xyz

This is why security researchers suspect that the Xwo Bot Scanner is merely a tool the entity behind MongoLock uses to find easy prey. What is evident is that the threat actors who set up the infrastructure chose domain names resembling those of news and security organizations, but with a .tk domain suffix, which stands for Tokelau, New Zealand.
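A defender-side illustration, added here and not part of the original article or of the malware's own code: a small Python script that reads constructed web-server access-log lines and flags clients that probe several of the exposed paths the article lists (Git configuration, phpMyAdmin, default SVN paths, www backup archives). The log format, the path patterns and the two-category threshold are assumptions chosen for illustration.

```python
import re
from collections import defaultdict

# Combined-log-format line: client, timestamp, request line, status (assumed format)
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(?:GET|HEAD|POST) (\S+) [^"]*" (\d{3})')

# Probe categories modelled on the reconnaissance the article describes.
# Patterns are assumptions chosen for illustration, not signatures from the report.
PROBE_PATTERNS = {
    "git-config":  re.compile(r'/\.git/config$'),
    "svn-entries": re.compile(r'/\.svn/(entries|wc\.db)$'),
    "phpmyadmin":  re.compile(r'/(phpmyadmin|pma)/', re.I),
    "www-backup":  re.compile(r'/(www|backup|html)[^/]*\.(zip|tar\.gz|tgz|rar|sql)$', re.I),
}

def classify(path):
    """Return the probe category a request path matches, or None."""
    for name, pat in PROBE_PATTERNS.items():
        if pat.search(path):
            return name
    return None

def find_scanners(log_lines, min_categories=2):
    """Group probe hits by client; flag clients touching >= min_categories kinds."""
    hits = defaultdict(set)
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the assumed log format
        client, _ts, path, _status = m.groups()
        cat = classify(path.split('?', 1)[0])  # ignore the query string
        if cat:
            hits[client].add(cat)
    return {c: sorted(cats) for c, cats in hits.items() if len(cats) >= min_categories}

# Constructed sample log lines (not real traffic); 198.51.100.7 behaves like a scanner.
SAMPLE_LOG = [
    '198.51.100.7 - - [05/Apr/2019:10:00:01 +0000] "GET /.git/config HTTP/1.1" 404 162',
    '198.51.100.7 - - [05/Apr/2019:10:00:02 +0000] "GET /phpMyAdmin/ HTTP/1.1" 404 162',
    '198.51.100.7 - - [05/Apr/2019:10:00:03 +0000] "GET /www.zip HTTP/1.1" 404 162',
    '203.0.113.9 - - [05/Apr/2019:10:01:00 +0000] "GET /index.html HTTP/1.1" 200 5120',
    '203.0.113.9 - - [05/Apr/2019:10:01:05 +0000] "GET /.git/config HTTP/1.1" 404 162',
]

if __name__ == "__main__":
    for client, cats in find_scanners(SAMPLE_LOG).items():
        print(f"{client}: probed {', '.join(cats)}")
```

A single hit on one path (the second client here) is not flagged by default, since legitimate crawlers occasionally request such paths; raising the threshold or correlating with many 404 responses in a short window reduces false positives further.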

As mentioned previously, the Xwo scanner also shares similarities with Xbash. The Xwo Bot Scanner and this piece of ransomware with cryptojacking capabilities share bits of identical code. Security researchers are not certain whether the same cybercrime group that created Xbash is also behind Xwo and MongoLock, as both ransomware families target unprotected databases (MongoDB, PostgreSQL and MySQL). A more concrete connection, however, has yet to be found, as this could simply be a coincidence arising from reused public code.
