CyberWire Daily - Xwo scans for default credentials and exposed web services. [Research Saturday]
Episode Date: June 8, 2019
Researchers at AT&T Alien Labs have been tracking a new malware family they've named "Xwo" that's scanning systems for default credentials and vulnerable web services. Tom Hegel is a security researcher with AT&T Alien Labs, and he shares their findings. The original research is here: https://www.alienvault.com/blogs/labs-research/xwo-a-python-based-bot-scanner
Transcript
You're listening to the CyberWire Network, powered by N2K.
Hello, everyone, and welcome to the CyberWire's Research Saturday.
I'm Dave Bittner, and this is our weekly conversation with researchers and analysts tracking down threats and vulnerabilities,
and solving some of the hard problems of protecting ourselves in a rapidly evolving cyberspace.
Thanks for joining us.
As always, we are working to research and understand various adversary groups that we encounter in the wild and others talk about through the industry.
That's Tom Hegel. He's a security researcher with AT&T Alien Labs.
The research we're discussing today is titled XWO, a Python-based bot scanner.
A piece of this is always to try and expand detections around reported adversary groups, one of which was the Rocke, or Iron, Cybercrime Group. And we write some detections around this actor, this adversary group, as always, and some of them softer than others to try and hunt for new activity with these links to these groups. So at one point, a new file was detected, which links back to one of our previous detections that was written to go after the Iron Cybercrime Group. And it was an interesting file because it had low global detection rates and was a behavior we haven't seen before associated with this group. So at that point, we really kind of dug into this file. And that's kind of what opened the case for us.
It has some relations to some other known things out there. Why don't we start there?
What did it remind you of?
The big thing was it looked really familiar to XBash and MongoLock. And those are two pieces of malware that have different functionality that
were written by the Rocke, or Iron, Cybercrime Group. And one of them has ransomware functionality. The
other one is used to mine cryptocurrency, but has ransom capabilities and so forth. But we really saw an interesting overlap in how this code was reused from XBash into XWO
and then similar trends in terms of C2 infrastructure and so forth.
So what does that point to in terms of who might be behind this?
Or does it point to reuse of publicly available code?
One thing to keep in mind is these are really just Python malware. So it's easy for the most part to go and find this code and reuse it with very little turbulence in the route of doing that. So this is why we didn't label this as a high-confidence association linking to those previous groups: it is pretty easy to reuse this code. However, when you combine the code reuse with some of the trends of the C2 infrastructure, such as naming schemes and so forth, that's when we start to build a bit more confidence, where we're able to say, you know, we think this is associated with those previous groups, but we can't say it with complete certainty.
Why don't you walk us through exactly what's going on here, what XWO does,
what it seems to be up to?
I'll give you a quick understanding of how it operates first. I think that'll give you a good background. So once you execute this malware on a victim host, it immediately beacons outbound to
some hard-coded C2 infrastructure. And that C2 infrastructure immediately replies back,
if it's still online, of course, with instructions
on an IP range to go and scan. And at that point, the host that has executed the malware begins to
use that IP range and scan it for multiple weaknesses in security. And there's quite a
variety of options it goes after, such as just testing service availability for things like RealVNC,
looking for open Redis servers. It will even go through the options of trying to test default
credentials for widely used services out there that may not be improved based off of deployment.
So once it does that, it'll scan that entire range. And if it finds anything that is a good
hit with, hey, this server has this default credential in use or anything,
it'll immediately send that back up to the C2 infrastructure. So the interesting thing about
this is I don't really see this as anything more than a kind of like an intelligence collection
tool for the malicious adversary at this point. You know, it's distributed mass scanning, and
it's looking to really identify hosts for interest in later use.
We know we don't see this XWO malware trying to exploit or trying to do any sort of further
compromising against these targets that it finds. It just simply reports it back to the C2. And at
that point, we think it's going to be used for later operations or attacks.
And how would you find yourself having this run on your system? How are they getting in?
Delivery of XWO isn't clear right now. However, based on previous campaigns from
these actor groups, we believe it has something to do with open services similar to what it's
looking for, where they are able to download and execute a file and then conduct any sort of
scanning from that host. It's been such a small scale where we haven't quite seen it, XWO in particular, distributed through email spam or anything on large scale
quite like that yet.
I see. Now, they're using some encryption here to try to hide what they're
up to, but my impression from what you've published here is that it's not particularly
strong. Is that correct?
Yeah, it's pretty straightforward. In terms of the command and
control activity, if you're looking at network traffic, and our blog post has screenshots of it,
but they are sending or receiving the command and control communication in an encoded form.
Typical base64 with a little bit of zlib compression on it, and we are able to decode
the instructions to show the IPs and then any sort of victim or scanning results sent
back to the C2. So it's fairly trivial to decode exactly what instructions are being received and
sent.
Now, another interesting little wrinkle here is that the hard-coded domains that they're
using for the C2 servers, they're trying to look like some other well-known domains to kind of
hide themselves there?
Yes, absolutely. And that's one of the interesting trends where we can start to see a little bit of overlap with previous Rocke, or Iron, Cybercrime Group history, where we can kind of build some
linkage. But yeah, a lot of the C2 infrastructure we'll start to see resembling similar security
vendors or news websites with just different TLDs.
You know, instead of a .com, we're seeing a .xyz or .tk.
So it looks like they're trying to masquerade in some cases as legitimate domains.
But if you do any sort of digging, it sticks out pretty quickly.
Now, in terms of once they've sent this information that they found to the C2 server,
have you been able to track any activity there?
Anything you've been able to tie to this
that one thing leads to the other?
Unfortunately not.
Once we identified the C2 infrastructure
and scoped it out to completely understand it,
we contacted Cloudflare and had them taken offline.
And at that point, we were just reacting to this malware,
which we can identify as completely malicious.
However, any sort of instructions that those C2 servers received, such as, hey, here's a list of
hosts which the scan results found are using default credentials, we haven't seen those
used quite yet. And it's going to be pretty tricky to see exactly how those are used in the future.
But based on the history of these groups and the links to the other type of malware, we estimate that this malware might be using it for future ransomware attacks or maybe mining cryptocurrency down the road and using that intelligence they gained to immediately go and log into these hosts without doing any additional reconnaissance.
Now, in terms of detection, are standard virus systems going to be able to detect this sort of thing?
The malware when we first identified it had very low detection rates.
So by now, since the blog has been out for a while on our platform and so forth, we believe the rates have increased quite significantly on the file itself.
However, in terms of network detections, there's a lot of room for growth there.
You know, there's multiple services that the malware is going to be looking for.
So you can try and catch those being scanned against.
However, there's not a unique profile in which services are being scanned.
that I can link directly to this malware. The basics really help tremendously, such as avoiding the use of default service credentials and ensuring publicly accessible services and hosts are restricted.
And if they are publicly accessible, they're up to date and not vulnerable.
Those are the types of standard practices that they have dialed back.
You know, it's not trying to lock up your files.
It's not doing that sort of ransomware execution.
Yeah, absolutely.
That's a good note there. The view I have towards this is XWO is a tool that they would use to scan the Internet and have it OK to be caught by researchers like myself or security vendors out there.
It's OK for it to get caught because all it's doing is for collecting intelligence.
And then they use that intelligence they collected to go and pinpoint the targets that they know with the additional attacks.
It'll limit the scope of any sort of defense against people that are saying,
hey, this is the thing that scanned me
and this is the malware itself
that's doing ransomware locking.
It'll reduce the visibility on the public side,
I think, for that.
And is there the potential here for extensibility?
Could those features be added back in?
Could the fact that it has hard-coded connections
to the command and control servers,
would it be easy to extend functionality in those sorts of areas?
Yeah, absolutely.
In this malware itself, I could see additional versions of it coming out down the road with improvements such as not hard-coded C2 infrastructure and additional modules where we start to see ransomware capabilities be added in.
And that's not too different from how previous malware they've written has operated, such as XBash.
It had different modules where they could add in functionality for certain things.
And this could just be an early version of that coming out down the road.
So what are the take-homes for you?
What are the conclusions based on the research that you've done here?
Where do you think things are headed?
With XWO, I could see the malware growing into the future and adding those additional pieces
of functionality. I think a big takeaway would be this is just an early iteration on this malware
evolving. So I would expect to see new functionality being expanded on this guy. And then this attack
method being used more down the road. For example,
have malware that's out there just doing the reconnaissance for you to use later more
strategically with higher value malware files and so forth, going after very precise targets
rather than scanning the web and trying to deploy at the same time. So I think a big takeaway for
anyone listening would be getting your public infrastructure scanned may have more later impact rather than just the immediate scan results.
So take it to heart, find ways to do sort of correlation on this.
And this is the type of activity you could run into for any later state attacks.
And the defense against this, again, is a big push to stay away from the defaults of public services, credentials, and any sorts of accessibility online.
Yeah, that's a really important point because it seems like so much of what this is about
is just checking for defaults.
Yeah, absolutely.
There's not a whole lot about this that is extremely zero-day groundbreaking or anything
like that.
If you stay with the standard practices, you can avoid a lot of stuff like this. And this is a brand new piece of malware, you know,
it's not something that's been around for 10 years or anything like that. It's still
looking for those weaknesses out there that a lot of servers out there are still operating with.
Our thanks to Tom Hegel from AT&T Alien Labs for joining us.
The research is titled XWO, a Python-based bot scanner.
We'll have a link in the show notes.
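The interview describes the C2 encoding as plain base64 wrapped around zlib compression, which is why the tasking (an IP range to scan) and the bot's results are trivial to recover from a packet capture. The following is an added example written for this page, not code from the AT&T Alien Labs write-up or from the Xwo sample itself. It assumes the order is JSON, then zlib, then base64, and the message fields (`cmd`, `range`, `host`, `service`, `port`, `auth`) are hypothetical; the sample messages are constructed, not captured traffic. The decoder also handles the case where the compression layer is missing, and rejects anything that is not a well-formed message rather than guessing.

```python
"""Decode and encode the base64 + zlib layer described for Xwo's C2 traffic.

Added example, not code from the original research. Wire format assumed
for illustration: JSON object -> zlib.compress -> base64. Field names and
sample messages are constructed.
"""
import base64
import binascii
import ipaddress
import json
import zlib


def encode_c2(message: dict) -> str:
    """Serialise a message the way the assumed wire format does: JSON -> zlib -> base64."""
    raw = json.dumps(message, separators=(",", ":")).encode("utf-8")
    return base64.b64encode(zlib.compress(raw)).decode("ascii")


def decode_c2(blob: str) -> dict:
    """Reverse encode_c2. Raises ValueError on anything that is not a well-formed message."""
    try:
        decoded = base64.b64decode(blob, validate=True)
    except binascii.Error as exc:
        raise ValueError(f"not base64: {exc}") from exc
    try:
        raw = zlib.decompress(decoded)
    except zlib.error:
        # A peer that skipped the compression layer still sends base64 of
        # plain JSON; treat the decoded bytes as the plaintext before giving up.
        raw = decoded
    try:
        return json.loads(raw.decode("utf-8"))
    except (UnicodeDecodeError, json.JSONDecodeError) as exc:
        raise ValueError(f"payload is not JSON: {exc}") from exc


def is_c2_message(blob: str) -> bool:
    """True when blob decodes cleanly under the assumed format, False otherwise."""
    try:
        decode_c2(blob)
        return True
    except ValueError:
        return False


def targets_from_instruction(instruction: dict) -> list:
    """Expand the hypothetical 'range' field of a tasking message into host addresses,
    i.e. the list a bot would work through when told to scan that range."""
    net = ipaddress.ip_network(instruction["range"], strict=False)
    return [str(h) for h in net.hosts()]


# Constructed sample exchange: C2 tasking and the bot's report back.
TASKING = encode_c2({"cmd": "scan", "range": "192.0.2.0/29"})
REPORT = encode_c2({"cmd": "result", "host": "192.0.2.3",
                    "service": "redis", "port": 6379, "auth": "none"})

if __name__ == "__main__":
    task = decode_c2(TASKING)
    print("tasking:", task)
    print("targets:", targets_from_instruction(task))
    print("report:", decode_c2(REPORT))
```

Run against real traffic, the same two-step decode applied to the body of each beacon and reply gives the IP ranges tasked and the hosts reported back, which is the data a defender would want to correlate with later activity against those hosts.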
The CyberWire Research Saturday is proudly produced in Maryland
out of the startup studios of DataTribe,
where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliot Peltzman,
Puru Prakash, Stefan Vaziri, Kelsey Bond, Tim Nodar, Joe Kerrigan, Carol Terrio, Ben Yellen,
Nick Valecki, Gina Johnson, Bennett Moe, Chris Russell, John Petrick, Jennifer Iben, Rick Howard,
Peter Kilpie, and I'm Dave Bittner. Thanks for listening.