January 31, 2025
By Cybervergent Team

When Hackers Turn on Each Other

In a plot twist that sounds like it’s straight out of a cyber thriller, a threat actor has been spreading a fake malware builder—a Trojanized version of the XWorm RAT—aimed specifically at those eager but inexperienced hackers looking to make their mark. According to CloudSEK, this sneaky scheme managed to infect a whopping 18,459 devices around the globe, with hotspots in Russia, the U.S., India, Ukraine, and Turkey.

“It’s targeted specially towards script kiddies who are new to cybersecurity,” the report notes, highlighting the irony of these wannabe hackers falling victim to the very tools they sought to wield.

How the Infection Spread

The malware was distributed through various channels — GitHub repositories, file hosting sites, Telegram channels, YouTube videos, and even sketchy websites. These sources promised a free ride to hacking glory, allowing users to utilize malware without spending a dime. Little did they know they were signing up for a one-way ticket to compromise!

Once installed, the XWorm malware performed a quick check of the Windows Registry to ensure it wasn’t running in a virtualized environment (smart move!). If the coast was clear, it made the necessary modifications to ensure it could stick around for the long haul—talk about commitment!

The Dark Side of the Command and Control

Every infected device connected to a Telegram-based command and control (C2) server using a hardcoded bot ID and token. What followed was a treasure trove of data theft, with the malware stealing Discord tokens, system info, and location data (thanks, IP address!). The operators could issue a staggering 56 commands, some of which were downright sinister:

· /machine_id*browsers – Snatch saved passwords, cookies, and autofill data.

· /machine_id*keylogger – Record every keystroke (yikes!).

· /machine_id*desktop – Capture the victim’s screen in real-time.

· /machine_id*encrypt*<password> – Lock down all files with a password.

· /machine_id*processkill*<process> – Terminate specific processes, including security software.

· /machine_id*upload*<file> – Exfiltrate files from the infected system.

· /machine_id*uninstall – Remove the malware (if you’re lucky!).

It was reported that the malware operators managed to exfiltrate data from about 11% of the infected devices, mostly capturing screenshots and browser data.
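As an added example (not code from the original post or from the CloudSEK research), here is a small Python triage helper for responders who have captured operator messages in the command format described above: it parses each message, rejects anything that does not match the known command catalogue, and groups the commands per victim machine. The machine_id format and the sample messages are constructed assumptions.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Command catalogue from the report: name -> (takes an argument?, impact on the victim)
COMMANDS = {
    "browsers": (False, "credential theft: saved passwords, cookies, autofill"),
    "keylogger": (False, "keystroke capture"),
    "desktop": (False, "screen capture"),
    "encrypt": (True, "file encryption with an operator-supplied password"),
    "processkill": (True, "process termination, may target security software"),
    "upload": (True, "file exfiltration"),
    "uninstall": (False, "self-removal (the kill switch)"),
}

# Message shape: "/<machine_id>*<command>" with an optional "*<argument>" suffix.
# Assumption: machine_id is any token without '*' or whitespace (the report does not specify it).
CMD_RE = re.compile(r"^/([^*\s]+)\*([a-z]+)(?:\*(.+))?$")


@dataclass
class C2Command:
    machine_id: str
    command: str
    argument: Optional[str]
    impact: str


def parse_command(message: str) -> Optional[C2Command]:
    """Return the parsed operator command, or None for chatter or malformed input."""
    m = CMD_RE.match(message.strip())
    if not m:
        return None
    machine_id, name, arg = m.groups()
    if name not in COMMANDS:
        return None
    takes_arg, impact = COMMANDS[name]
    if takes_arg != (arg is not None):
        return None  # argument present or missing contrary to the catalogue
    return C2Command(machine_id, name, arg, impact)


def triage(messages: List[str]) -> Dict[str, List[str]]:
    """Group recognised commands by victim machine_id, dropping everything else."""
    per_victim: Dict[str, List[str]] = {}
    for msg in messages:
        cmd = parse_command(msg)
        if cmd:
            per_victim.setdefault(cmd.machine_id, []).append(cmd.command)
    return per_victim
```

Feeding the helper a dump of the operator's bot chat yields, per victim, the sequence of actions taken against that machine, which is what an incident responder needs to decide whether credentials, files or screenshots were exposed.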

Disrupting the Botnet

But fear not! Researchers from CloudSEK utilized the hard-coded API tokens and a built-in kill switch to send a mass uninstall command to all listening clients. By looping through known IDs extracted from Telegram logs and brute-forcing IDs from 1 to 9999, they executed a mass digital takedown.

While many machines were freed from the malware’s clutches, some unfortunate souls remained compromised, especially those that were offline during the command’s delivery. Lesson learned: Telegram’s rate limiting can be a real party pooper!

Trust No One!

This saga serves as a stark reminder that in the world of hacking, trust is a rare commodity. Never trust unsigned software, especially software distributed by other cybercriminals. If you’re dabbling in malware builders, make sure to do so in a safe testing environment—your computer will thank you!

Remember, the best defense against cybercrime is knowledge!