
Screenshot taken from one of the infected devices | Source: CloudSEK
A trojanized version of the XWorm Remote Access Trojan (RAT) builder has been weaponized and is being actively propagated by threat actors. According to CloudSEK’s detailed analysis, the malicious builder targets inexperienced cybersecurity enthusiasts, often referred to as “script kiddies,” who download and run tools from online tutorials without vetting them.
This malware campaign has had a significant impact, with over 18,459 devices compromised globally. The top victim countries include Russia, the United States, India, Ukraine, and Turkey. The malware is disseminated through multiple channels, including GitHub repositories, file-sharing platforms such as Mega.nz, and Telegram channels, giving it a broad distribution footprint. The infected devices are enrolled into a botnet, allowing the attackers to issue commands and exfiltrate sensitive data.
The malware is capable of stealing a wide range of information, including browser credentials, Discord tokens, Telegram data, and system information. The report notes that over 1 GB of browser credentials have already been exfiltrated.
The trojanized XWorm RAT builder boasts advanced functionalities, including:
- Virtualization checks: detecting virtual machines and analysis sandboxes so the payload avoids running where it would be observed.
- Registry modifications: gaining persistence by adding entries to the Windows Registry so the payload runs again after a reboot.
- Command execution: letting attackers perform a variety of malicious actions on the host, such as grabbing screenshots, stealing files, and even triggering a Blue Screen of Death (BSOD).
The malware also uses Telegram as its command-and-control (C&C) infrastructure: operators communicate with the implants through a Telegram bot, using the bot’s token and Telegram’s Bot API, so the traffic rides on ordinary HTTPS to a widely used service rather than on bespoke attacker infrastructure.
CloudSEK researchers took proactive steps to disrupt the malware’s operations by exploiting its built-in “kill switch.” The /uninstall command makes the malware remove itself from an infected machine, provided the device is online to receive it. Using the machine IDs of infected hosts and sending a burst of uninstall commands, the researchers were able to disrupt the botnet’s operations. However, offline devices and Telegram’s rate limiting prevented complete eradication.
The operation was attributed to a threat actor using the aliases “@shinyenigma” and “@milleniumrat” across GitHub and Telegram. An email address linked to the activity, frutosall@proton.me, was identified in commit messages on repositories associated with the malware. One of those repositories was used to distribute the trojanized RAT builder, tying the distribution channel to the same actor.