
An unknown attacker targeted inexperienced hackers, known as script kiddies. Along with the XWorm RAT they downloaded, they received a backdoor capable of stealing data and controlling the infected computer.
Researchers from CloudSEK report that the program has infected 18,459 devices worldwide, mostly located in Russia, the United States, India, Ukraine, and Turkey. The software has a switch that was activated to neutralize it on many infected machines, but due to practical limitations, some remain compromised.
“It is specifically designed for script kiddies who are unfamiliar with cybersecurity and directly download and use tools mentioned in various guides,” — states the report.
Researchers recently discovered a Trojanized XWorm RAT builder that spreads through various channels, including GitHub repositories, file hosting platforms, Telegram channels, YouTube, and websites. These sources advertised the RAT builder as a free way to use the malware.

After infecting a computer, XWorm checks the Windows registry for signs that the OS is running in a virtualized environment and aborts if it finds them. If the host meets the requirements for infection, the malware makes the necessary registry changes to persist across system restarts.
Each infected system is registered on a Telegram-based control server using a hard-coded identifier and Telegram bot token. The malware also automatically steals Discord tokens, system information, and location data (derived from the IP address), transmits them to the server, and then waits for commands from the operators. The program “understands” 56 commands; the following are particularly dangerous:
- /machine_id*browsers – steals saved passwords, cookies, and autofill data from web browsers
- /machine_id*keylogger – records everything the victim types on their computer
- /machine_id*desktop – captures the victim’s active screen
- /machine_id*encrypt*<password> – encrypts all files on the system using the provided password
- /machine_id*processkill*<process> – terminates specified running processes, including security software
- /machine_id*upload*<file> – exfiltrates specified files from the infected system
- /machine_id*uninstall – removes the malware from the device
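The command format above is what an analyst would see when reviewing an exported Telegram bot chat from such a botnet. As an added illustration (not code from the report or from XWorm itself), the parser below reads messages in that `/machine_id*command*argument` shape, collects the machine identifiers, and flags the high-risk commands the report lists; `machine_id` is assumed to be a per-host identifier, and the sample messages are constructed.

```python
import re
from typing import NamedTuple, Optional

# Commands the report singles out as particularly dangerous, with the impact to triage first.
HIGH_RISK = {
    "browsers": "credential theft (saved passwords, cookies, autofill)",
    "keylogger": "keystroke capture",
    "desktop": "screen capture",
    "encrypt": "file encryption with an operator-supplied password",
    "processkill": "process termination (may target security software)",
    "upload": "file exfiltration",
}

# Operator command format described in the report: /<machine_id>*<command>[*<argument>]
CMD_RE = re.compile(r"^/(?P<mid>[^*\s]+)\*(?P<cmd>[A-Za-z_]+)(?:\*(?P<arg>.*))?$")

class BotCommand(NamedTuple):
    machine_id: str
    command: str
    argument: Optional[str]
    impact: Optional[str]  # None when the command is not in the high-risk set

def parse_command(line: str) -> Optional[BotCommand]:
    """Parse one exported message; return None if it is not an XWorm-style command."""
    m = CMD_RE.match(line.strip())
    if not m:
        return None
    cmd = m.group("cmd").lower()
    return BotCommand(m.group("mid"), cmd, m.group("arg"), HIGH_RISK.get(cmd))

def triage(lines):
    """Return (sorted machine ids seen, high-risk commands) from exported messages."""
    machine_ids, flagged = set(), []
    for line in lines:
        bc = parse_command(line)
        if bc is None:
            continue
        machine_ids.add(bc.machine_id)
        if bc.impact:
            flagged.append(bc)
    return sorted(machine_ids), flagged

# Constructed sample export; machine identifiers and paths are made up.
SAMPLE = [
    "/A1B2C3*keylogger",
    "/A1B2C3*upload*C:\\Users\\victim\\Documents\\notes.txt",
    "/D4E5F6*encrypt*s3cret",
    "/D4E5F6*uninstall",
    "hello operator",
]
```

Running `triage(SAMPLE)` yields both machine identifiers and three flagged commands; the uninstall message is recorded as a sighting of its machine id but not flagged.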
CloudSEK found that the malware operators had stolen data from approximately 11% of infected devices, mainly via screenshots and browser data. Researchers disrupted the botnet using the hard-coded API tokens and the embedded kill switch: they sent a mass deletion command to every “client”, addressing all known machine identifiers previously extracted from the Telegram logs.

Although these actions removed XWorm RAT from many infected machines, those that were offline when the commands arrived remain infected. Additionally, Telegram rate-limits messages, so some deletion commands may have been lost in transmission.
Source: BleepingComputer