Weaponised XWorm RAT Builder Attacking Script Kiddies To Hack 18,000 Devices

A recent cybersecurity attack involving a Trojanized version of the XWorm Remote Access Trojan (RAT) builder has compromised over 18,000 devices worldwide.

This sophisticated malware, primarily distributed via GitHub repositories, Telegram channels, and other platforms, has targeted cybersecurity novices, also known as “script kiddies,” who unknowingly downloaded malicious tools.

Trojanized XWorm RAT Builder Exploits Over 18,000 Devices Globally

The malware has infiltrated devices in Russia, the United States, India, Ukraine, and Turkey, with the primary goal of exfiltrating sensitive data and maintaining long-term control over infected machines.

Using Telegram as its command-and-control (C&C) infrastructure, the malware provides attackers with the ability to exfiltrate browser credentials, Discord tokens, system information, and more.

In addition, it employs advanced virtualization checks to evade detection in virtualized environments and manipulates Windows Registry entries for persistence.

Its capabilities extend to issuing malicious commands, including encrypting files, stealing data, and even invoking a “Blue Screen of Death” (BSOD) on victim systems.

Disruption Efforts Leverage Malware’s Own Kill Switch

Researchers investigating the malware successfully leveraged its built-in uninstall command to neutralize the botnet controlling thousands of infected machines.

By exploiting Telegram communications, they sent uninstall commands en masse to active devices.

However, this approach was constrained by certain limitations, including offline machines and Telegram’s rate-limiting functionalities.

Machines not online at the time of the command burst remain infected, highlighting the challenges in fully eradicating such a widespread malware campaign.

The malware’s architecture revealed hardcoded Telegram bot IDs and tokens, which were instrumental in its operation.

Data analysis showed that over 1 GB of browser credentials and thousands of screenshots and Discord tokens had been exfiltrated.

Attribution efforts traced the threat actors to aliases such as “@shinyenigma” and “@milleniumrat,” linked to GitHub accounts and a ProtonMail address.

Experts at CloudSek emphasize the importance of proactive defense measures to mitigate future attacks of this scale.

Deploying Endpoint Detection and Response (EDR) solutions and monitoring network traffic for communication with malicious C&C servers are critical first steps.

Organizations are also advised to block known Indicators of Compromise (IoCs), such as infected GitHub repositories and Telegram channels, while enforcing stricter application whitelisting policies.

Educating employees about the risks of unauthorized downloads and malicious tools is another vital mitigation strategy.

Additionally, removing persistent malware requires deep system scans alongside manual cleanup of registry entries and startup scripts.

Collaborative efforts with law enforcement and platform providers like GitHub and Telegram are essential to dismantling malicious infrastructure and holding threat actors accountable.

The Trojanized XWorm RAT builder demonstrates the escalating sophistication of modern malware campaigns, emphasizing the need for continuous vigilance, advanced cybersecurity tools, and proactive education.

By targeting inexperienced users with malicious tools disguised as helpful utilities, attackers capitalized on trust to initiate widespread breaches.

Moving forward, concerted efforts in threat intelligence sharing, rapid response, and robust system security will be paramount in combating such advanced threats.

Are you from SOC/DFIR Teams? - Analyse Malware Files & Links with ANY.RUN Sandox -> Try for Free