Hacker Dupes Script Kiddies with Fake Malware Builder: a quick look at what to know
A hacker recently targeted low-skilled hackers, known as “script kiddies,” with a fake malware builder. This malware secretly infected their devices with a backdoor to steal data and take over their computers.

Scope of Infection
Security researchers at CloudSEK reported that the malware infected 18,459 devices globally, with most of them located in Russia, the United States, India, Ukraine, and Turkey.
Propagation Channels
The malware, a trojanized version of the XWorm RAT builder, was propagated through various channels, including GitHub repositories, file hosting platforms, Telegram channels, YouTube videos, and websites. These sources promoted the RAT builder, claiming it would allow other threat actors to use the malware without having to pay for it. However, instead of being an actual builder for the XWorm RAT, it infected the threat actor’s devices with the malware.
Infection Process
Once a machine is infected, the XWorm malware checks the Windows Registry for signs it is running on a virtualized environment and stops if the results are positive. If the host qualifies for infection, the malware performs the required Registry modifications to ensure persistence between system boots. Every infected system is registered to a Telegram-based command and control (C2) server using a hardcoded Telegram bot ID and token.
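As an added example (not code from the article or from CloudSEK), a small triage scanner that looks for the Telegram-based C2 indicators described above, a Telegram Bot API endpoint and a hardcoded bot ID and token, in a file's raw bytes. It searches the ASCII bytes and both UTF-16LE alignments, since .NET binaries store string literals as UTF-16LE; the token pattern is a common secret-scanning heuristic rather than anything the article states, and the sample blob is constructed.

```python
import re

# Heuristic patterns (assumptions, not taken from the CloudSEK report):
#  - Telegram bot tokens are commonly matched as "<8-10 digit bot id>:<35-char secret>".
#  - Bot API traffic goes to api.telegram.org/bot<token>/<method>.
TELEGRAM_TOKEN_RE = re.compile(rb"\b(\d{8,10}):([A-Za-z0-9_-]{35})\b")
TELEGRAM_API_RE = re.compile(rb"api\.telegram\.org/bot")


def _views(data: bytes):
    """Yield named byte views to scan: the raw bytes (ASCII strings) and both
    UTF-16LE alignments with the NUL high bytes dropped (.NET string literals)."""
    yield "ascii", data
    yield "utf16le-even", data[0::2]
    yield "utf16le-odd", data[1::2]


def find_telegram_c2_indicators(data: bytes) -> dict:
    """Return whether a Bot API endpoint string is present and a list of
    candidate bot tokens (redacted, so findings can be shared safely)."""
    result = {"api_endpoint_seen": False, "tokens": []}
    for name, view in _views(data):
        if TELEGRAM_API_RE.search(view):
            result["api_endpoint_seen"] = True
        for m in TELEGRAM_TOKEN_RE.finditer(view):
            bot_id = m.group(1).decode()
            secret = m.group(2).decode()
            result["tokens"].append({
                "view": name,
                "bot_id": bot_id,
                "token_redacted": f"{bot_id}:{secret[:4]}{'*' * (len(secret) - 4)}",
            })
    return result


# Constructed sample blob (not a real sample): a fake MZ header, an ASCII
# Bot API URL, then a placeholder token stored as a UTF-16LE .NET string
# that happens to start at an odd offset (exercising the odd alignment view).
FAKE_TOKEN = "123456789:" + "A" * 35  # placeholder, not a real token
SAMPLE_BLOB = (
    b"\x4d\x5a\x90\x00" + b"\x00" * 16
    + b"https://api.telegram.org/bot" + b"\x00" * 5
    + FAKE_TOKEN.encode("utf-16le")
    + b"\x00" * 8
)

if __name__ == "__main__":
    print(find_telegram_c2_indicators(SAMPLE_BLOB))
```

On a real file, read it with `open(path, "rb").read()` and pass the bytes in; a hit on both the endpoint and a token is a strong reason to isolate the host and rotate any credentials on it.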
Data Theft and Command Execution
The malware also automatically steals Discord tokens, system information, and location data (from IP address), and exfiltrates it to the C2 server. Then, it waits for commands from the operators. Out of the 56 commands supported in total, the following are particularly dangerous: grabbing browser data, keylogging, taking screenshots, encrypting user files, killing processes, uploading files, and uninstalling the RAT from the victim’s PC.
Disruption Efforts by CloudSEK
CloudSEK researchers disrupted the botnet by utilizing hard-coded API tokens and a built-in kill switch to uninstall the malware from infected devices. They sent a mass uninstall command to all listening clients, looping through all known machine IDs they had previously extracted from Telegram logs. They also brute-forced machine IDs from 1 to 9999, assuming a simple numeric pattern. Although this caused the malware to be removed from many of the infected machines, those not online when the command was issued remain compromised.
Key Takeaway
The takeaway from CloudSEK’s findings is never to trust unsigned software, especially software distributed by other cybercriminals, and to run malware builders only in isolated testing/analysis environments. This incident highlights the importance of cybersecurity vigilance and the dangers of downloading tools from untrusted sources.