Xwo is a Python-based botnet family that scans the internet for exposed web services and default passwords. It appears to share code with the MongoLock ransomware and Xbash worm, as well as using the same command and control (C2) infrastructure as MongoLock, although it does not have the same capabilities as either.
Xwo has recently been observed being hosted on a server, although at the time of publication it is not known how users are directed to download the malware.
When Xwo is executed, the affected device transmits an HTTP POST request to a C2 server, using a user agent randomly selected from a hard-coded list. The C2 server responds with instructions that include an IP address range to scan. The affected device then scans that range and collects information on the services it finds, including default credentials, misconfigurations, default paths, repositories and remote file transfer tools. The collected information is sent back to the C2 server in a second HTTP POST request.
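The two network behaviours described above (repeated POSTs to one C2 host under rotating user agents, followed by fan-out scanning of an address range) are what a defender can look for in egress logs. The following script is an added example written for this page, not code from the advisory or from the malware: it runs two heuristics over constructed proxy and flow log lines. The log formats, IP addresses, port, field layout and the thresholds (3 distinct user agents, 20 distinct destinations, 5-minute window) are all assumptions made for the example and should be tuned to the environment.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# --- Constructed sample data (hypothetical; not taken from the advisory) ---

# Web proxy log: time, client, method, destination host:port, user agent.
# 10.0.0.5 POSTs to one destination under four different user agents;
# 10.0.0.7 POSTs to one destination under a single, stable user agent.
PROXY_LOG = """\
2019-04-01T10:00:01Z 10.0.0.5 POST 203.0.113.10:80 "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
2019-04-01T10:00:15Z 10.0.0.5 POST 203.0.113.10:80 "Mozilla/5.0 (X11; Linux x86_64)"
2019-04-01T10:00:40Z 10.0.0.5 POST 203.0.113.10:80 "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14)"
2019-04-01T10:01:02Z 10.0.0.5 POST 203.0.113.10:80 "curl/7.64.0"
2019-04-01T10:00:05Z 10.0.0.7 POST 198.51.100.20:443 "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
2019-04-01T10:00:30Z 10.0.0.7 POST 198.51.100.20:443 "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
"""

PROXY_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) "([^"]*)"$')


def parse_time(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def parse_proxy_log(text):
    """Parse proxy lines into (time, client, method, dest, user_agent) tuples."""
    events = []
    for line in text.splitlines():
        m = PROXY_RE.match(line)
        if m:
            ts, client, method, dest, ua = m.groups()
            events.append((parse_time(ts), client, method, dest, ua))
    return events


def rotating_user_agents(events, min_agents=3, window=timedelta(minutes=5)):
    """Heuristic 1: one client POSTing to one destination under many user agents.

    Returns {(client, dest): set_of_user_agents} for every client->destination
    pair that used at least `min_agents` distinct user agents in POSTs inside a
    sliding window of length `window`. Thresholds are assumed values.
    """
    by_pair = defaultdict(list)
    for ts, client, method, dest, ua in events:
        if method == "POST":
            by_pair[(client, dest)].append((ts, ua))
    hits = {}
    for pair, rows in by_pair.items():
        rows.sort()
        for i, (start, _) in enumerate(rows):
            agents = {ua for ts, ua in rows[i:] if ts - start <= window}
            if len(agents) >= min_agents:
                hits[pair] = agents
                break
    return hits


def build_flow_log():
    """Constructed flow records (time, src, dst, dst_port).

    10.0.0.5 reaches 40 distinct hosts on one service port in two minutes
    (scan-like fan-out); 10.0.0.7 reaches three hosts (ordinary traffic).
    Port 21 is an arbitrary constructed choice.
    """
    base = datetime(2019, 4, 1, 10, 2, 0)
    lines = []
    for i in range(40):
        t = base + timedelta(seconds=3 * i)
        lines.append(f"{t:%Y-%m-%dT%H:%M:%SZ} 10.0.0.5 192.0.2.{i + 1} 21")
    for i in range(3):
        t = base + timedelta(seconds=30 * i)
        lines.append(f"{t:%Y-%m-%dT%H:%M:%SZ} 10.0.0.7 198.51.100.{i + 1} 443")
    return "\n".join(lines) + "\n"


def parse_flow_log(text):
    """Parse flow lines into (time, src, dst, port) tuples."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4:
            ts, src, dst, port = parts
            events.append((parse_time(ts), src, dst, int(port)))
    return events


def fan_out_scanners(events, min_targets=20, window=timedelta(minutes=5)):
    """Heuristic 2: one source contacting many distinct destinations quickly.

    Returns {src: distinct_destination_count} for sources that reached at
    least `min_targets` distinct destination IPs inside a sliding window.
    """
    by_src = defaultdict(list)
    for ts, src, dst, _port in events:
        by_src[src].append((ts, dst))
    hits = {}
    for src, rows in by_src.items():
        rows.sort()
        for i, (start, _) in enumerate(rows):
            targets = {dst for ts, dst in rows[i:] if ts - start <= window}
            if len(targets) >= min_targets:
                hits[src] = len(targets)
                break
    return hits


if __name__ == "__main__":
    for (client, dest), agents in rotating_user_agents(parse_proxy_log(PROXY_LOG)).items():
        print(f"rotating user agents: {client} -> {dest} ({len(agents)} agents)")
    for src, n in fan_out_scanners(parse_flow_log(build_flow_log())).items():
        print(f"fan-out scanning: {src} reached {n} distinct hosts")
```

A host that trips both heuristics in sequence (rotating-agent POSTs to a single external host, then a burst of connections across a range) matches the C2 check-in followed by scanning that the advisory describes; either heuristic alone will also fire on benign activity such as vulnerability scanners or multi-browser test rigs, so the output is a triage lead rather than a verdict.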
Network owners should avoid the use of default service credentials and ensure publicly accessible services are restricted when possible.
Indicators of Compromise
MD5 File Hash:
SHA1 File Hash:
SHA256 File Hash: