Research Saturday 6.8.19
Ep 89 | 6.8.19

Xwo scans for default credentials and exposed web services.


Dave Bittner: [00:00:00] Hi everybody, it's Dave here with a special request. We put together a short audience survey to help us make sure we're delivering the type of publications and programs you depend on. Please take a minute and visit and answer a handful of questions. It'll only take a few minutes and it will help us out a lot. Plus, you can enter to win some fabulous CyberWire swag. So there's that. It's Thanks.

Dave Bittner: [00:00:30] Hello everyone, and welcome to the CyberWire's Research Saturday, presented by Juniper Networks. I'm Dave Bittner and this is our weekly conversation with researchers and analysts tracking down threats and vulnerabilities, and solving some of the hard problems of protecting ourselves in a rapidly evolving cyberspace. Thanks for joining us.

Dave Bittner: [00:00:53] And now a word about our sponsor, Juniper Networks. Organizations are constantly evolving and increasingly turning to multicloud to transform IT. Juniper's connected security gives organizations the ability to safeguard users applications and infrastructure by extending security to all points of connection across the network helping defend you against advanced threats. Juniper's connected security is also open so you can build on the security solutions and infrastructure you already have. Secure your entire business, from your endpoints to your edge, and every cloud in between, with Juniper's connected security. Connect with Juniper on Twitter or Facebook. And we thank Juniper for making it possible to bring you Research Saturday.

Dave Bittner: [00:01:40] And thanks also to our sponsor, Enveil, whose revolutionary ZeroReveal solution closes the last gap in data security: protecting data in use. It's the industry's first and only scalable commercial solution enabling data to remain encrypted throughout the entire processing lifecycle. Imagine being able to analyze, search, and perform calculations on sensitive data, all without ever decrypting anything - all without the risks of theft or inadvertent exposure. What was once only theoretical is now possible with Enveil. Learn more at

Tom Hegel: [00:02:20] As always, we are working to research and understand various adversary groups that we encounter in the wild and others talk about through the industry.

Dave Bittner: [00:02:28] That's Tom Hegel. He's a security researcher with AT&T Alien Labs. The research we're discussing today is titled, "Xwo - A Python-based bot scanner."

Tom Hegel: [00:02:39] A piece of this is always to try and expand detections around reported adversary groups, one of which was the Rocke or Iron Cybercrime Group, and rewrite some detections around this actor or this adversary group, as always. And some of them softer than others, to try and hunt for new activity with these links to these groups. So, at one point, a new file was detected which links back to one of our previous detections that was written to go after the Iron Cybercrime Group. And it was an interesting file, because it had low global detection rates, and was a behavior we haven't seen before associated with this group. So, at that point, we really kind of dug into this file, and that's kind of what opened the case for us.

Dave Bittner: [00:03:19] It has some relations to some other known things out there. Why don't we start there? What did it remind you of?

Tom Hegel: [00:03:26] The big thing was it looked really familiar to Xbash and MongoLock. And those are two pieces of malware that have different functionality, that were written by the Rocke or Iron Cybercrime Group and, you know, one of them has ransomware functionality. The other one is used to mine cryptocurrency, but has ransom capabilities, and so forth. But we really saw an interesting overlap in how this code was reused from Xbash into Xwo, and then similar trends in terms of C2 infrastructure and so forth.

Dave Bittner: [00:03:58] So what does that point to, in terms of who might be behind this, or does it point to reuse of publicly available code?

Tom Hegel: [00:04:06] One thing to keep in mind is these are really just Python malware, so it's easy, for the most part, to go and find this code and reuse it with very little turbulence around doing that. So, this is why we didn't label this as high-confidence association and linked to those previous groups, just because it is pretty easy to reuse this code. However, when you combine the code reuse with some of the trends of the C2 infrastructure, such as naming schemes and so forth, that's when we start to build a bit more confidence, where we're able to say, you know, we think this is associated with those previous groups, but we can't say with complete certainty.

Dave Bittner: [00:04:42] Why don't you walk us through exactly what's going on here - what Xwo does, what it seems to be up to?

Tom Hegel: [00:04:49] I'll give you a quick understanding of how it operates first, I think will give you a good background. So, once you execute this malware on a victim host, it immediately beacons outbound to some hardcoded C2 infrastructure, and that C2 infrastructure immediately replies back - if it's still online, of course - with instructions on an IP range to go and scan. And at that point, the host that has executed the malware begins to use that IP range and scan it for multiple weaknesses in security. And there's quite a variety of options it goes after, such as just testing service availability for things like RealVNC, looking for open Redis servers. It will even go through the options of trying to test default credentials for widely used services out there that may not be improved based off of deployment.

Tom Hegel: [00:05:40] So once it does that, it'll scan that entire range, and if it finds anything that is a good hit with, hey, this server has this default credential in use, or anything, it'll immediately send that back up to the C2 infrastructure. So, the interesting thing about this is, I don't really see this as anything more than a - kind of like an intelligence collection tool for the malicious adversary at this point. You know, it's distributed mass scanning and it's looking to really identify hosts for interests in later use. You know, we don't see this Xwo malware trying to exploit or trying to do any sort of further compromising against these targets that it finds - it just simply reports it back to the C2. And at that point, we think it's going to be used for later operations or attacks.

Dave Bittner: [00:06:25] And how would you find yourself having this run on your system? How are they getting in?

Tom Hegel: [00:06:29] Delivery of Xwo isn't clear right now. However, based on previous campaigns from these active groups, we believe it has something to do with open services similar to what it's looking for, where they are able to download and execute a file and then conduct any sort of scanning from that host. It's been such a small scale where we haven't quite seen Xwo in particularly distributed through email spam or anything on large scale quite like that yet.

Dave Bittner: [00:06:55] I see. Now, they're using some encryption here to try to hide what they're up to, but my impression from what you've published here is that it's not particularly strong - is that correct?

Tom Hegel: [00:07:06] Yeah, it's pretty straightforward. In terms of the command-and-control activity, if you're looking at network traffic - in our blog post we have screenshots of it - but they are sending or receiving the command-and-control communication method. Typical base64 with a little bit of zlib compression on it, and we are able to decode the instructions to show the keys and then any sort of victim scanning results sent back to the C2. So it's fairly trivial to decode exactly what instructions are being received and sent.

Dave Bittner: [00:07:36] Now, another interesting little wrinkle here is that the hardcoded domains that they're using for the C2 servers - they're trying to look like some other well-known domains to kind of hide themselves there?

Tom Hegel: [00:07:49] Yes, absolutely, and that's one of the interesting trends where we can start to see a little bit of overlap with previous Rocke and Iron Cybercrime Group history where we can kind of build some linkage. But yeah, a lot of the C2 infrastructure, we'll start to see resembling similar security vendors or news websites with just different TLDs, you know, instead of a .com, we're seeing a .xyz or .tk. So it looks like they're trying to masquerade in some cases as legitimate domains, but if you do any sort of digging it sticks out pretty quickly.

Dave Bittner: [00:08:21] Now, in terms of once they've sent this information that they've found to the C2 server, have you been able to track any activity there? Anything you've been able to tie to this, that one thing leads to the other?

Tom Hegel: [00:08:33] Unfortunately not. Once we identified the C2 infrastructure and scoped it out to completely understand it, we contacted Cloudflare and had them take it offline. And at that point, we were just reacting to this malware which we can identify as completely malicious. However, any sort of instructions that those C2 servers received, such as, hey, here's a list of hosts which may be, uh, the scanners found are using default credentials. We haven't seen those used quite yet, and it's going to be pretty tricky to see exactly how those are used in the future. But based on the history of these groups and the links to the other type of malware, we estimate that this malware might be using it for future ransomware attacks, or maybe mining cryptocurrency down the road, and using that intelligence they gained to immediately go and log into these hosts without doing any additional reconnaissance.

Dave Bittner: [00:09:25] Now, in terms of detection, are standard virus systems going to be able to detect this sort of thing?

Tom Hegel: [00:09:31] The malware, when we first identified it, had very low detection rates. So, by now, since the blog has been out for a while on our platform and so forth, we believe the rates have increased quite significantly on the file itself. However, in terms of network detections, there's a lot of room for growth there. You know, there's multiple services that the malware's going to be looking for, so you can try and catch those being scanned against. However, there's not a unique profile of which services are being scanned that can link it directly to this malware.

Tom Hegel: [00:10:00] However, you know, in terms of defense against this, relying on the basics really helps tremendously, such as avoiding the use of default service credentials and ensuring publicly accessible services and hosts are restricted. And if they are publicly accessible, they're, you know, up to date and not vulnerable. And those are the type of standard practices that will make this malware severely slow down.

Dave Bittner: [00:10:25] Yeah, it's interesting to me that Xwo, while seemingly related to MongoLock and Xbash, sort of has some of the features that they have, dialed back - you know, it's not trying to to lock up your files. It's not doing that sort of ransomware execution.

Tom Hegel: [00:10:42] Yeah, absolutely. That's a good note there. The view I have for this is Xwo is a tool that they would use to scan the internet and have it OK to be caught by researchers like myself or security vendors out there. It's OK for it to get caught, because all it's doing is collecting intelligence. And then they use that intelligence they collected to go and pinpoint the targets that they know with the additional attacks. It'll limit the scope of any sort of defense against people that are saying, hey, this is the thing that scanned me and this is the malware itself that's doing, you know, ransomware locking. It'll reduce the visibility on the public side, I think, for that.

Dave Bittner: [00:11:18] And is there the potential here for extensibility? Could those features be added back in? Could the fact that it has hardcoded connections to the command-and-control servers - would it would be easy to extend functionality in those sorts of areas?

Tom Hegel: [00:11:32] Yeah, absolutely. And this malware itself, I could see additional versions of it coming down the road with improvements such as, you know, not hardcoded C2 infrastructure, and additional modules where we start to see, you know, ransomware capabilities be added in. And that's not too different from how previous malware they've written has operated, such as Xbash. It had different modules where they could add in functionality for certain things. And this could just be an early version of that coming out down the road.

Dave Bittner: [00:12:02] So, what are the take-homes for you? What are the conclusions, based on the research that you've done here, where do you think things are headed?

Tom Hegel: [00:12:08] With Xwo, I could see the malware growing into the future and adding those additional pieces of functionality. I think a big takeaway would be this is just an early iteration on this malware evolving. So, I would expect to see new functionality being expanded on this guy. And then this attack method being used more down the road. You know, for example, have malware that's out there just doing the reconnaissance for you to use later, more strategically, with higher-value malware files and so forth, going after very precise targets, rather than scanning the Web and trying to deploy at the same time.

Tom Hegel: [00:12:43] So, you know, I think the big takeaway for anyone listening would be, getting your public infrastructure scanned may have more later impacts rather than just the immediate scan results. So, take it to heart, find ways to do sort of correlation on this, and this is the type of activity you could run into for any later-stage attacks. And the defense against this, again, is a big push to stay away from the defaults of public services - credentials and any sorts of accessibility online.

Dave Bittner: [00:13:11] Yeah. (Laughs) That's a really important point, because it seems like so much of what this is about is just checking for defaults.

Tom Hegel: [00:13:18] Yeah, absolutely. There's not a whole lot about this that is, you know, extremely zero-day groundbreaking or anything like that. You know, if you'd stay with the standard practices, you can avoid a lot of stuff like this. And this is a brand new piece of malware, you know, it's not something that's been around for ten years or anything like that. It's still looking for those weaknesses out there that a lot of servers out there are still operating with.

Dave Bittner: [00:13:43] Our thanks to Tom Hegel from AT&T Alien Labs for joining us. The research is titled, "Xwo - A Python-based bot scanner." We'll have a link in the show notes.

Dave Bittner: [00:13:52] Thanks to Juniper Networks for sponsoring our show. You can learn more at, or connect with them on Twitter or Facebook.

Dave Bittner: [00:14:01] And thanks to Enveil for their sponsorship. You can find out how they're closing the last gap in data security at The CyberWire Research Saturday is proudly produced in Maryland out of the startup studios of DataTribe where they're co-building the next generation of cybersecurity teams and technology. The coordinating producer is Jennifer Eiben. Our CyberWire editor is John Petrik. Technical Editor, Chris Russell. Our staff writer is Tim Nodar. Executive Editor, Peter Kilpe. And I'm Dave Bittner. Thanks for listening.