
Xwo Botnet

Xwo is a Python-based botnet family that scans the internet for exposed web services and default passwords. It appears to share code with the MongoLock ransomware and the Xbash worm, and it uses the same command and control (C2) infrastructure as MongoLock, although it has the capabilities of neither.

Xwo has recently been observed being hosted on a server, although at the time of publication it is not known how users are directed to download the malware.

When Xwo is executed, the affected device transmits an HTTP POST request to a C2 server, using a user agent randomly selected from a hard-coded list. The C2 server responds with instructions that include an IP address range to scan. The affected device then scans this address range and collects information on available services, including default credentials, misconfigurations, default paths, repositories and remote file transfer tools. This information is sent back to the C2 server in a further HTTP POST request.

Network owners should avoid using default service credentials and should restrict access to publicly reachable services wherever possible.

Indicators of Compromise

MD5 File Hash:

  • fd67a98599b08832cf8570a641712301

SHA1 File Hash:

  • 1faf363809f266bb2d90fb8d3fc43c18253d0048

SHA256 File Hash:

  • 6408c69e802de04e949ed3047dc1174ef20125603ce7ba5c093e820cb77b1ae1

Domain:

  • blockchainbdgpzk[.]tk
  • pcrisk[.]xyz
  • propub3r6espa33w[.]tk

Hostname:

  • d.pcrisk[.]xyz
  • s.blockchainbdgpzk[.]tk
  • s.pcrisk[.]xyz
  • s.propub3r6espa33w[.]tk
  • s.rapid7[.]xyz

URL:

  • hxxp://bucket-chain.oss-cn-hongkong.aliyuncs[.]com/xwo.exe
  • hxxp://s.blockchainbdgpzk[.]tk/ci2
  • hxxp://s.pcrisk[.]xyz/ci2
  • hxxp://s.propub3r6espa33w[.]tk/ci2
  • hxxp://s.rapid7[.]xyz/ci2
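The hostnames and URLs above can be turned into a simple proxy-log detection that flags the xwo.exe download and any POST to the /ci2 endpoints. This is an added example, not code from the advisory: the log line format and the sample log lines are constructed, and only the indicators themselves come from the list above.

```python
import re
from urllib.parse import urlparse

# Defanged indicators copied from the advisory's Hostname and URL lists.
XWO_HOSTNAMES = [
    "d.pcrisk[.]xyz", "s.blockchainbdgpzk[.]tk", "s.pcrisk[.]xyz",
    "s.propub3r6espa33w[.]tk", "s.rapid7[.]xyz",
]
XWO_URLS = [
    "hxxp://bucket-chain.oss-cn-hongkong.aliyuncs[.]com/xwo.exe",
    "hxxp://s.blockchainbdgpzk[.]tk/ci2", "hxxp://s.pcrisk[.]xyz/ci2",
    "hxxp://s.propub3r6espa33w[.]tk/ci2", "hxxp://s.rapid7[.]xyz/ci2",
]

def refang(ioc: str) -> str:
    """Turn a defanged indicator (hxxp, [.]) back into a matchable string."""
    return ioc.replace("hxxp", "http").replace("[.]", ".")

C2_HOSTS = {refang(h) for h in XWO_HOSTNAMES}
C2_URLS = {refang(u) for u in XWO_URLS}

# Constructed sample proxy log in an assumed "timestamp client method url status" format.
SAMPLE_LOG = """\
2019-04-02T10:01:05Z 10.0.0.12 GET http://example.com/index.html 200
2019-04-02T10:01:09Z 10.0.0.12 GET http://bucket-chain.oss-cn-hongkong.aliyuncs.com/xwo.exe 200
2019-04-02T10:01:12Z 10.0.0.12 POST http://s.pcrisk.xyz/ci2 200
2019-04-02T10:01:20Z 10.0.0.33 POST http://www.example.org/api/upload 200
2019-04-02T10:03:41Z 10.0.0.12 POST http://s.rapid7.xyz/ci2 200
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (GET|POST|PUT|HEAD) (\S+) (\d{3})$")

def find_xwo_hits(log_text: str) -> list:
    """Return (timestamp, client, reason) for each line that touches an Xwo indicator."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the assumed log format
        ts, client, method, url, _status = m.groups()
        host = urlparse(url).hostname or ""
        if url in C2_URLS:  # exact match on a listed URL (payload or /ci2 check-in)
            reason = "xwo payload download" if url.endswith("/xwo.exe") else f"xwo C2 {method} to /ci2"
            hits.append((ts, client, reason))
        elif host in C2_HOSTS:  # any other request to a listed C2 hostname
            hits.append((ts, client, f"contact with xwo C2 host {host}"))
    return hits

if __name__ == "__main__":
    for hit in find_xwo_hits(SAMPLE_LOG):
        print(*hit)
```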

Duncan

Duncan is a technology professional with over 20 years' experience in various IT roles. He has an interest in cyber security, and has a wide range of other skills in radio, electronics and telecommunications.
