SecurityBrief New Zealand - Technology news for CISOs & cybersecurity decision-makers

Malware targets newcomers with Trojan disguised as tool

Yesterday

CloudSEK has identified a cyber threat targeting newcomers to cyber security, in which a tampered version of the XWorm Remote Access Trojan (RAT) builder has infected over 18,000 devices worldwide.

The malware campaign takes advantage of new entrants in cybersecurity, often referred to as "script kiddies", by disguising a weaponised XWorm RAT builder as a legitimate tool. Aspiring hackers are lured into downloading these resources, which are made available through platforms like GitHub, Telegram, and various file-sharing channels.

This potent RAT builder provides cybercriminals with the capability to deploy a Trojan with sophisticated functionalities such as data theft, system manipulation, and complete remote control of infected devices.

CloudSEK's investigation uncovered that 18,459 devices have been compromised globally, with significant impacts observed in countries including Russia, the United States, India, Ukraine, and Turkey. The attackers have extracted sensitive information such as browser credentials, Discord tokens, and Telegram-related data. Additionally, they have gained control over these systems using a range of integrated commands.

The malware uses Telegram bots as its command-and-control channel, through which stolen data is exfiltrated and commands are issued to infected systems.

CloudSEK's team discovered a "kill switch" hidden within the malware, which has allowed partial disruption of its botnet activity by sending uninstall instructions to infected systems.

Vikas Kundu, Threat Intelligence Researcher at CloudSEK, stated, "This shows how cybercriminals are targeting newcomers in cybersecurity. With over 18,000 infections and sensitive data being stolen globally, this is a wake-up call for everyone to be cautious about where they download tools. The way attackers use platforms like Telegram for their operations shows how easily available tools can be misused."

Kundu further noted that the discovery of the hidden kill switch was instrumental in disrupting the botnet's operations on numerous devices. "It also highlighted the sophistication of the threat actors behind it. Their ability to manipulate widely used platforms like Telegram for command-and-control operations highlights how quickly cyber threats evolve," he added.

CloudSEK's analysis pointed out that over 1 GB of browser credentials had been exfiltrated, along with 4,991 screenshots and 2,222 zip files laden with sensitive data. The malware's "kill switch" was effective in disrupting certain operations on active devices.

The attack is attributed to threat actors using the handles "@shinyenigma" and "@milleniumrat" on Telegram, with related GitHub accounts and the ProtonMail address "frutosall@proton.me" pointing to their role in distributing the compromised software.

CloudSEK has recommended deploying advanced Endpoint Detection and Response (EDR) systems to detect unauthorised activity. It also advises monitoring network communications to block connections to malicious Telegram bots and isolating infected machines to halt further spread. Additionally, it is essential to educate users on the hazards of downloading software from unverified sources and to enforce stringent application whitelisting policies.
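As an added illustration of the network-monitoring recommendation above (example code, not CloudSEK's tooling), this Python snippet parses constructed proxy log lines and flags workstations that call the Telegram Bot API, rating hosts that upload files as a likely exfiltration pattern. The log format, hostnames and bot token are constructed, and an allowlist of hosts that legitimately run Telegram bots is assumed.

```python
import re
from collections import Counter

# Constructed proxy log (not from the CloudSEK report): <timestamp> <host> <http-method> <url> <bytes-sent>
SAMPLE_PROXY_LOG = """\
2025-01-22T09:14:03Z ws-017 POST https://api.telegram.org/bot7203941185:AAHx9Q2c-kL8wP0sT3uV4yZ6aB1cD2eF3gH/sendDocument 1843212
2025-01-22T09:14:09Z ws-017 POST https://api.telegram.org/bot7203941185:AAHx9Q2c-kL8wP0sT3uV4yZ6aB1cD2eF3gH/sendMessage 412
2025-01-22T09:15:00Z ws-017 GET https://api.telegram.org/bot7203941185:AAHx9Q2c-kL8wP0sT3uV4yZ6aB1cD2eF3gH/getUpdates 0
2025-01-22T09:16:21Z ws-042 GET https://web.telegram.org/a/ 0
"""

# Bot API calls have the fixed shape https://api.telegram.org/bot<id>:<secret>/<method>.
# Matching only that shape leaves ordinary Telegram web/desktop traffic unflagged.
BOT_API_RE = re.compile(
    r"^(\S+) (\S+) (?:GET|POST) https://api\.telegram\.org/bot(\d+:[\w-]{20,})/(\w+) (\d+)$"
)
# Methods that push collected files (credentials, screenshots, archives) out of the network.
UPLOAD_METHODS = {"sendDocument", "sendPhoto", "sendVideo", "sendAudio", "sendMediaGroup"}


def parse_bot_api_requests(log_text):
    """Return one record per proxy line that is a Telegram Bot API call."""
    events = []
    for line in log_text.splitlines():
        m = BOT_API_RE.match(line)
        if m:
            ts, host, token, method, sent = m.groups()
            events.append({"ts": ts, "host": host, "token": token,
                           "method": method, "bytes_out": int(sent)})
    return events


def flag_hosts(events, allowed_hosts=frozenset(), upload_threshold=1_000_000):
    """Aggregate Bot API use per source host; allowed_hosts are hosts that legitimately
    run bots (assumed empty). Uploads or >upload_threshold bytes -> 'high' (exfiltration
    pattern); command polling alone (getUpdates/sendMessage) -> 'medium'."""
    per_host = {}
    for e in events:
        if e["host"] in allowed_hosts:
            continue
        h = per_host.setdefault(e["host"], {"host": e["host"], "tokens": set(),
                                             "methods": Counter(), "bytes_out": 0})
        h["tokens"].add(e["token"])
        h["methods"][e["method"]] += 1
        h["bytes_out"] += e["bytes_out"]
    for h in per_host.values():
        uploads = any(m in UPLOAD_METHODS for m in h["methods"])
        h["severity"] = "high" if uploads or h["bytes_out"] > upload_threshold else "medium"
    return sorted(per_host.values(), key=lambda h: h["host"])
```

Each finding carries the bot token seen, which a responder can hand to Telegram's abuse team and use to pivot across other hosts in the same logs.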

The firm emphasises that collaboration with law enforcement and platforms like GitHub and Telegram is crucial in dismantling such operations effectively.
