One Article Review

Home - The article:
Source AlienVault Blog
Identifier 1087355
Publication date 2019-04-02 18:00:00 (viewed: 2019-04-03 21:00:45)
Title Xwo - A Python-based bot scanner
Text Jaime Blasco and Chris Doman collaborated on this blog.

Overview: Recently, AT&T Alien Labs identified a new malware family that is actively scanning for exposed web services and default passwords. Based on our findings we are calling it “Xwo”, taken from its primary module name. It is likely related to the previously reported malware families Xbash and MongoLock. Alien Labs initially identified Xwo being served from a server serving a file named xwo.exe. Below are the initial technical findings on Xwo; all associated indicators are in our Xwo OTX Pulse.

Xwo’s relation to MongoLock & XBash: MongoLock is ransomware that wipes MongoDB servers and demands a ransom, paid to the attackers, to recover the database. Both Xwo and MongoLock use similar Python-based code and command and control (“C2”) domain naming, and they overlap in C2 infrastructure. Unlike MongoLock, Xwo has no ransomware or exploitation capabilities; instead it sends stolen credentials and service access back to the C2 infrastructure. The sample was created with PyInstaller, and the original Python code can easily be recovered using python_exe_unpack and uncompyle6. The Python script of Xwo contains code copied from XBash:

Figure 1: Xwo code (left) copied from Xbash (right)

As of this report, it is unclear whether Xwo is tied to the same adversary known as “Iron Group” or whether its authors have repurposed public code. Based on our research to date, a relationship may exist between the Iron Cybercrime Group and Rocke, but we are unable to assess it with acceptable confidence as of this report.

Command and Control: Following execution, Xwo first performs an HTTP POST request with a random User-Agent chosen from a hardcoded list, and then receives instructions from the C2 domain containing an encoded public network range to scan:
Sent Yes


The article does not seem to have been picked up again after its publication.


The article does not seem to be a repeat of a previous one.