Code and infrastructure from two known malware families have been observed in a new threat named Xwo, which helps operators of the MongoLock ransomware discover unprotected web services reachable over the internet.
MongoLock targets unprotected MongoDB databases, wiping them from the server and demanding a ransom to restore them.
Xwo is a Python-based bot scanner intended for reconnaissance activity. Based on IP ranges received from a command and control (C2) server, the utility probes services for default passwords and reports back the results. In essence, it is not a malicious tool, but it enables malicious activity.