What Is XWO Malware?

AT&T experts from Alien Labs found a new malware known as Xwo that scans the Internet for exposed Web services and default passwords. The name ‘ Xwo ‘ originates from Python’s main module, which serves xwo.exe as malicious code.

We call it “Xwo,” based on our findings – taken from the name of the primary module. It is probably related to the malware families X-bash and Mongo Lock previously reported.

XWO code is similar to Mongo Lock, a ransomware family that hits and wipes out MongoDB sites and then requires payments for ransom data.

Experts also noted that Xwe and MongoLock both use similar domain naming command and control (C&C) and show a C&C infrastructure overlap. Xwo does not implement Ransomware or Operating Functions, unlike MongoLock, but acts as a robbery and returning the robbed credentials and services to the C2 infrastructure.

Mongolock is ransomware that wips MongoDB servers and requires a ransom to recover the database from attackers. Both Xwo and MongoLock have similar domain naming and command, command and control (“C2”) Python-based code and a C2 infrastructure overlap.

How the Xwo has spread or how it gains access to Internet-based machines is still uncertain but the malware is designed to recognize and send information through an HTTP POST request back to the command and control server.

From Tomcat, which is an open source Java Servlet implementation, Xwo collects information on the default user credentials in services such as FTP, MySQL, PostgreSQL, MongoDB, Redis, and Memcached.

More Details On The Malware:

  • Xwo has been detected by researchers from a server with an xwo.exe file.
  • Using a random user agent from a hardcoded list of alternatives, the malware will perform an HTTP POST request on execution.
  • The program will then be instructed to scan the encoded public network range from the C&C server.
  • It will then return the data it has collected to its C&C server via an HTTP POST request after scanning for services and collections of information.

What Type Of Information Is Collected?

After scanning its C&C server’s network range, it begins collecting information from the services available such as.

  • Information on FTP, MySQL, PostgreSQL, MongoDB, Redis, and Memcached using default credentials.
  • Default credentials and configurations information for Tomcat.
  • Details on default SVN and Gits paths
  • Git repository format, version, content.
  • PhpMyAdmin details.
  • WWW backup paths.
  • RealVNC Enterprise Direct connect details.
  • RSYNC accessibility information.

While Xwo walks away from a number of malicious characteristics, such as ransomware or exploits, can damage networks around the world in general and it’s potential.

Xwo is probably a new step towards improving capacity and we expect to be able to do the full value of this information gathering tool in the future, “said researchers.

What You Want To Do Is:

  • To avoid using default service credentials, researchers recommend network owners.
  • They should also ensure that services that are publicly accessible are restricted where possible.

While we can not see exactly what Xwo operators use this information for, we expect it to be abused for further malicious activity in time based on links to MongoLock and XBash, “researchers concluded.

How To Remove XWO Malware?

Xwo Ransomware manual removal may not be for all. To delete all associated files and registry entry from your computer, you must follow each Xwo Ransomware manual deletion step carefully.

We advise you to use the Xwo Ransomware removal automatic process if you are unsure or have doubts about editing your system registry.

  • Click the Start menu and go to the Control Panel when all programs are closed. Select and double – click the Add / Remove Programs icon.
  • Locate in the program list Xwo Ransomware. Choose it and remove it if you find it. If Xwo Ransomware can’t be found, and start your computer again.
  • Close your desktop with all open programs and windows. Start the Menu, type in regedit, and click OK to open your Registry Editor (regedit).
  • Search for and delete all the following registry entries. You can read how to edit the Windows registry if you don’t know how to do so.
  • You might need to go back to this deletion process to remove Xwo Ransomware. If you are using the Firefox web browser you can simultaneously press the Ctrl and D key to mark the page. You can also bookmark or add a favorite to the page by clicking on
  • Delete from your computer all the following Xwo Ransomware – related files.
  • You must remove all Xwo Ransomware associated directories by going to the C:\ProgramFiles\Xwo Ransomware folder after selecting and removing the previous files. In some cases, this directory may not be found. The next step is still possible.
  • After you select and remove previous files, you have to remove all the directories associated with Xwo Ransomware and go to the C:\ProgramFiles\Xwo Ransomware folder. This directory is not possible in some cases. The next step can be taken.