A threat actor targeted low-skilled hackers, known as “script kiddies,” with a fake malware builder that secretly infected them with a backdoor to steal data and take over computers.
Security researchers at CloudSEK report that the malware infected 18,459 devices globally, most located in Russia, the United States, India, Ukraine, and Turkey.
“A trojanized version of the XWorm RAT builder has been weaponized and propagated,” reads the CloudSEK report.
“It is targeted specially towards script kiddies who are new to cybersecurity and directly download and use tools mentioned in various tutorials thus showing that there is no honour among thieves.”
CloudSEK has found the malware included a kill switch that was activated to uninstall the malware from many of the infected machines, but due to practical limitations, some remain compromised.
Fake RAT builder installs malware
The researchers say they recently discovered a Trojanized XWorm RAT builder being distributed through various channels, including GitHub repositories, file hosting platforms, Telegram channels, YouTube videos, and websites.
These sources promoted the RAT builder, stating it would allow other threat actors to utilize the malware without having to pay for it.
However, instead of being an actual builder for the XWorm RAT, it infected the threat actor’s devices with the malware.
Once a machine is infected, the XWorm malware checks the Windows Registry for signs it is running on a virtualized environment and stops if the results are positive.
If the host qualifies for infection, the malware performs the required Registry modifications to ensure persistence between system boots.
Every infected system is registered to a Telegram-based command and control (C2) server using a hardcoded Telegram bot ID and token.
The malware also automatically steals Discord tokens, system information, and location data (from IP address), and exfiltrates it to the C2 server. Then, it waits for commands from the operators.
Out of the 56 commands supported in total, the following are particularly dangerous:
- /machine_id*browsers – Steal saved passwords, cookies, and autofill data from web browsers
- /machine_id*keylogger – Record everything the victim types on their computer
- /machine_id*desktop – Capture the victim’s active screen
- /machine_id*encrypt* – Encrypt all files on the system using a provided password
- /machine_id*processkill* – Terminate specific running processes, including security software
- /machine_id*upload* – Exfiltrate specific files from the infected system
- /machine_id*uninstall – Remove the malware from the device
CloudSEK found that the malware operators had exfiltrated data from roughly 11% of the infected devices, mostly taking screenshots of infected devices, as shown below, and stealing browser data.
Disrupting with the kill switch
The CloudSEK researchers disrupted the botnet by utilizing hard-coded API tokens and a built-in kill switch to uninstall the malware from infected devices.
To do this, they sent a mass uninstall command to all listening clients, looping through all known machine IDs they had previously extracted from Telegram logs. They also brute-forced machine IDs from 1 to 9999, assuming a simple numeric pattern.
Although this caused the malware to be removed from many of the infected machines, those not online when the command was issued remain compromised.
Also, Telegram subjects messages to rate limiting, so some of the uninstall commands may have been lost in transit.
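As an added example (not CloudSEK's tooling or anything from the report), this Python parser applies the command grammar listed above, /<machine_id>*<command>[*<argument>], to a constructed set of operator messages, recovering the victim machine IDs the way the researchers extracted them from Telegram logs and flagging the most damaging capabilities. The severity labels and the sample lines are this example's own assumptions.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Command grammar from the report: "/<machine_id>*<command>[*<argument>]".
CMD_RE = re.compile(r"^/(?P<machine_id>\d+)\*(?P<command>[a-z_]+)(?:\*(?P<arg>.*))?$")

# Triage severity per capability named in the report (labels are this example's own choice).
SEVERITY = {
    "browsers": "high", "keylogger": "high", "desktop": "medium",
    "encrypt": "critical", "processkill": "high", "upload": "high",
    "uninstall": "info",
}

@dataclass
class C2Command:
    machine_id: int
    command: str
    arg: Optional[str]
    severity: str

def parse_command(text: str) -> Optional[C2Command]:
    """Parse one operator message; return None for lines that are not bot commands."""
    m = CMD_RE.match(text.strip())
    if not m:
        return None
    cmd = m.group("command")
    return C2Command(int(m.group("machine_id")), cmd, m.group("arg"), SEVERITY.get(cmd, "unknown"))

def triage_log(lines):
    """Return (sorted victim machine IDs, commands of high or critical severity)."""
    machine_ids, flagged = set(), []
    for line in lines:
        c = parse_command(line)
        if c is None:
            continue
        machine_ids.add(c.machine_id)
        if c.severity in ("high", "critical"):
            flagged.append(c)
    return sorted(machine_ids), flagged

# Constructed sample of operator messages; not real captured traffic.
SAMPLE_LOG = [
    "/12*desktop",
    "/1337*browsers",
    "/1337*encrypt*Passw0rd",
    "/2048*processkill*antivirus.exe",
    "/12*uninstall",
    "operator chatter, not a command",
]
```

Running triage_log(SAMPLE_LOG) yields the machine IDs 12, 1337 and 2048 and flags the browser theft, encryption and process-kill commands, while the uninstall command is kept only as an informational event.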
Hackers hacking other hackers is a scenario we often see in the wild.
The takeaway from CloudSEK’s findings is never to trust unsigned software, especially software distributed by other cybercriminals, and to only install malware builders in isolated testing or analysis environments.