
Script kiddies targeted by fake malware builder

A threat actor has targeted low-skilled hackers, known as “script kiddies,” with a fake malware builder that secretly infected them with a backdoor designed to steal data and take over computers. Security researchers at CloudSEK report that the malware infected 18,459 devices globally, with most located in Russia, the United States, India, Ukraine, and Turkey. “A trojanized version of the XWorm RAT builder has been weaponized and propagated,” reads the report by CloudSEK.

The attackers targeted script kiddies: newcomers to cybersecurity who download and run the tools mentioned in tutorials without inspecting them, proof that there is no honor among thieves. CloudSEK found that the malware included a kill switch, which the researchers activated to uninstall it from many of the infected machines; because of practical limitations, some remain compromised. The researchers recently discovered the trojanized XWorm RAT builder being distributed through various channels, including GitHub repositories, file hosting platforms, Telegram channels, YouTube videos, and websites.

These sources promoted the RAT builder by claiming it would let other threat actors use the malware without paying for it. Instead of being a working builder for the XWorm RAT, however, it infected the downloader’s own device with the malware. Once a machine is infected, XWorm checks the Windows Registry for signs that it is running in a virtualized environment and aborts if it finds them.

If the host qualifies for infection, the malware performs the required Registry modifications to ensure persistence between system boots.

Fake XWorm RAT builder deception

Every infected system is registered to a Telegram-based command and control (C2) server using a hardcoded Telegram bot ID and token.

The malware also automatically steals Discord tokens, system information, and location data (from IP addresses), exfiltrating it to the C2 server. Then, it waits for commands from the operators. Out of the 56 commands supported in total, some particularly dangerous ones include stealing saved passwords and browser data, recording keystrokes, capturing the screen, encrypting files, terminating security software, and exfiltrating specific files.

The CloudSEK researchers disrupted the botnet by utilizing hard-coded API tokens and a built-in kill switch to uninstall the malware from infected devices. They sent a mass uninstall command to all listening clients, looping through known machine IDs extracted from Telegram logs. Although this removed the malware from many machines, those not online when the command was issued remain compromised.
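Because every infected host talks to a Telegram bot over the public Bot API, outbound proxy logs are a practical place to spot this C2 channel. The following detection script is an added example, not code from the article or from CloudSEK: it scans constructed proxy log lines (the URL shape `api.telegram.org/bot<token>/<method>`, the token regex, the log format and the list of upload methods are all assumptions) and reports which internal hosts are polling a bot and which have already pushed files to it.

```python
import re
from collections import Counter, defaultdict

# Telegram Bot API calls look like https://api.telegram.org/bot<token>/<method>.
# The "<numeric bot id>:<secret>" token shape is an approximation (assumption).
BOT_API_RE = re.compile(
    r"https?://api\.telegram\.org/bot(?P<bot_id>\d{6,12}):"
    r"(?P<secret>[A-Za-z0-9_-]{30,})/(?P<method>[A-Za-z]+)"
)

# Bot API methods that move data off the host; used only for severity scoring (assumption).
UPLOAD_METHODS = {"sendDocument", "sendPhoto", "sendVideo", "sendAudio"}

# Constructed proxy log lines, not real traffic: "<timestamp> <client ip> <verb> <url> <status>".
SAMPLE_LOG = """\
2025-01-20T10:01:02Z 10.0.0.15 POST https://api.telegram.org/bot1234567890:AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA/sendMessage 200
2025-01-20T10:01:05Z 10.0.0.15 GET https://api.telegram.org/bot1234567890:AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA/getUpdates 200
2025-01-20T10:02:00Z 10.0.0.22 GET https://www.example.com/index.html 200
2025-01-20T10:03:11Z 10.0.0.15 POST https://api.telegram.org/bot1234567890:AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA/sendDocument 200
2025-01-20T10:04:00Z 10.0.0.31 POST https://api.telegram.org/bot9876543210:BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB/sendMessage 200
"""


def find_bot_api_clients(log_text):
    """Return {client_ip: {"bot_ids": set, "methods": Counter}} for hosts calling the Bot API.
    The secret half of the token is a live credential, so it is deliberately not retained."""
    clients = defaultdict(lambda: {"bot_ids": set(), "methods": Counter()})
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        match = BOT_API_RE.search(fields[3])
        if not match:
            continue
        entry = clients[fields[1]]
        entry["bot_ids"].add(match.group("bot_id"))
        entry["methods"][match.group("method")] += 1
    return dict(clients)


def triage(log_text):
    """Rank hosts: any Bot API use from a workstation is suspicious; upload methods raise severity."""
    findings = []
    for ip, entry in find_bot_api_clients(log_text).items():
        uploads = sum(n for m, n in entry["methods"].items() if m in UPLOAD_METHODS)
        severity = "high" if uploads else "medium"
        findings.append((ip, sorted(entry["bot_ids"]), severity))
    return sorted(findings)


if __name__ == "__main__":
    for ip, bot_ids, severity in triage(SAMPLE_LOG):
        print(f"{ip}: bot id(s) {bot_ids} -> {severity}")
```

Hosts sharing one bot id are members of the same botnet and can be grouped for containment; the bot id alone is enough to correlate them, so the token secret never needs to leave the log.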

Some uninstall commands may also have been lost to Telegram’s rate limiting. Hackers targeting other hackers is a common scenario in the wild. The takeaway is never to trust unsigned software, especially software distributed by other cybercriminals, and to run malware builders only in testing or analysis environments.
