A hacker infected nearly 18,500 devices belonging to script kiddies, with a fake malware builder designed to secretly install a backdoor, steal sensitive data, and hijack computers.
Security researchers at CloudSEK recently uncovered the attack and revealed that the malware spread globally, with most infections occurring in Russia, the United States, India, Ukraine, and Turkey. The report shows that the attacker weaponized and disseminated a trojanized version of the XWorm RAT builder, primarily targeting beginners in cybersecurity.
CloudSEK’s findings explain that these low-level hackers fell for the promise of a free malware builder, which they could use without paying for it. However, instead of the claimed XWorm RAT builder, they unknowingly downloaded malware that compromised their systems.
Fake RAT Builder: The Bait for Infections
The attackers spread the trojanized XWorm RAT builder across various platforms, such as GitHub repositories, file-sharing sites, Telegram channels, YouTube tutorials, and websites. Once downloaded and run, the malware checked the Windows Registry to determine whether the infected system was a virtualized environment. If the system passed this test, the malware modified the Registry to ensure it remained active and persistent, even after a reboot.
Once the malware gained a foothold, it connected the infected device to a Telegram-based command and control (C2) server using a hardcoded Telegram bot ID and token. It then gathered sensitive information from the victim’s system, including Discord tokens, system specs, and location data (derived from the IP address), all of which it sent back to the C2 server.
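Because the sample's Telegram bot token and C2 endpoint were hardcoded, they are also a cheap triage signal. The following Python script is an added example, not code from the CloudSEK report or from this article: it scans the raw bytes of a suspicious download for a Telegram Bot API token, the API methods called with it, and a destination chat id. The token and chat-id shapes are assumptions about Telegram's usual formats, and the sample bytes are constructed rather than taken from the real malware.

```python
"""Triage helper (added example): flag hardcoded Telegram C2 wiring in a file."""
import re

# Telegram bot tokens look like "<numeric bot id>:<roughly 35-char secret>" (assumed shape).
BOT_TOKEN_RE = re.compile(rb"(?<!\d)(\d{8,10}):([A-Za-z0-9_-]{30,40})(?![A-Za-z0-9_-])")
# Bot API calls embed the token in the URL path followed by the method name.
BOT_API_RE = re.compile(
    rb"https?://api\.telegram\.org/bot\d{8,10}:[A-Za-z0-9_-]{30,40}/([A-Za-z]+)"
)
# Destination chat/user id, as commonly passed in a query string or JSON body (assumed shape).
CHAT_ID_RE = re.compile(rb'chat_id["\s=:]+(-?\d{6,15})')


def find_telegram_c2_indicators(data: bytes) -> dict:
    """Return hardcoded Telegram C2 indicators found in raw file bytes."""
    tokens = {f"{bid.decode()}:{sec.decode()}" for bid, sec in BOT_TOKEN_RE.findall(data)}
    methods = sorted({m.decode() for m in BOT_API_RE.findall(data)})
    chat_ids = sorted({c.decode() for c in CHAT_ID_RE.findall(data)})
    return {
        "bot_tokens": sorted(tokens),
        "api_methods": methods,
        "chat_ids": chat_ids,
        # Token plus an API call is a strong sign the binary talks to a Telegram bot.
        "suspicious": bool(tokens) and bool(methods),
    }


# Constructed stand-in for the strings of a suspicious "builder" download (not a real token).
FAKE_TOKEN = b"1234567890:" + b"AAExampleTokenNotReal" + b"A" * 14
SAMPLE = (
    b"MZ\x90\x00....FakeBuilder.exe\x00"
    b"https://api.telegram.org/bot" + FAKE_TOKEN + b"/sendMessage\x00"
    b"https://api.telegram.org/bot" + FAKE_TOKEN + b"/sendDocument\x00"
    b"chat_id=987654321\x00"
    b"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\x00"
)

if __name__ == "__main__":
    print(find_telegram_c2_indicators(SAMPLE))
```

Run it against the output of `strings` or the raw file of a download you are vetting before executing it; a hit warrants sandboxing the file rather than running it on a host you care about.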
The XWorm malware is equipped with 56 commands, many of which present severe risks to the compromised systems. Among the most concerning commands are:
/machine_id*browsers – Steals saved passwords, cookies, and autofill data from web browsers
/machine_id*keylogger – Records every keystroke made on the infected computer
/machine_id*desktop – Captures screenshots of the victim’s active screen
/machine_id*encrypt – Encrypts all files on the system using a specified password
/machine_id*processkill – Kills specific running processes, including security software
/machine_id*upload – Exfiltrates specific files from the system
/machine_id*uninstall – Uninstalls the malware from the infected device
Researchers found that the attackers successfully exfiltrated data from around 11% of the compromised machines, primarily through screenshots and browser data theft.
Disrupting the Attack with a Kill Switch
CloudSEK researchers took action to disrupt the botnet by leveraging the malware’s hardcoded API tokens and a built-in kill switch. This allowed them to send a mass uninstall command to the affected devices, attempting to remove the malware. By extracting machine IDs from Telegram logs and brute-forcing other IDs, they targeted nearly all of the infected devices.
Although this process removed the malware from many systems, it didn’t reach all devices. Devices that were offline during the command’s execution stayed compromised. Additionally, Telegram’s rate-limiting caused some uninstall commands to be lost in transit.
Conclusion
This event highlights the importance of thoroughly understanding cybersecurity tools before using them. Relying on unverified or malicious tools can be extremely risky, especially when copying tools without testing them in a controlled environment.
It’s a reminder that even the attackers themselves can fall victim to their own weapons. If you’d like to learn more, we’ve written an article on this topic that you can check out here.