January 27, 2025

No honor amongst data thieves


A seasoned threat actor has taken advantage of nearly 20,000 aspiring hackers, known as script kiddies, to covertly infect them with the XWorm Remote Access Tool (RAT).

The attack began by promoting what was described as a free version of the XWorm RAT builder, which could be downloaded from multiple platforms including GitHub repositories, file hosting services, Telegram channels, YouTube videos, and websites. Instead of being an actual XWorm builder, however, the download was the RAT itself.

The XWorm RAT was configured to automatically collect Discord tokens, system information, and location data (derived from the IP address), and then exfiltrate this data to its Telegram-based C2 server. It then waited for further commands from the threat actor.
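Because this campaign's implant used the Telegram Bot API both to exfiltrate data and to poll for commands, one defender-side check is to flag Bot API calls made by anything other than the Telegram client. The following is an added example, not code from the original post or from Field Effect: it scans constructed proxy log lines (the five-column format, the host names and the process name `update.exe` are assumptions) for `api.telegram.org/bot<token>/<method>` requests.

```python
import re
from dataclasses import dataclass

# Telegram Bot API calls have the shape https://api.telegram.org/bot<token>/<method>;
# the token is a numeric bot id, a colon, and a 35-character secret.
TELEGRAM_BOT_URL = re.compile(
    r"https?://api\.telegram\.org/bot(?P<token>\d+:[A-Za-z0-9_-]{35})/(?P<method>\w+)"
)
# Methods an implant needs: push stolen data out, or poll the bot for operator commands.
SUSPICIOUS_METHODS = {"sendMessage", "sendDocument", "sendPhoto", "getUpdates"}
# Processes for which Bot API traffic may be expected (assumption: tune to your estate).
ALLOWED_PROCESSES = {"telegram.exe"}


@dataclass
class Finding:
    host: str
    process: str
    method: str
    bot_id: str  # numeric part of the token only; the secret is never copied out


def detect_telegram_c2(log_lines):
    """Return one Finding per log line that looks like Bot API C2 traffic.

    Constructed log format (assumption): "<timestamp> <host> <process> <verb> <url>".
    """
    findings = []
    for line in log_lines:
        parts = line.strip().split(" ", 4)
        if len(parts) < 5:
            continue  # blank or malformed line
        _ts, host, process, _verb, url = parts
        match = TELEGRAM_BOT_URL.search(url)
        if match is None or match.group("method") not in SUSPICIOUS_METHODS:
            continue
        if process.lower() in ALLOWED_PROCESSES:
            continue
        bot_id = match.group("token").split(":", 1)[0]
        findings.append(Finding(host, process, match.group("method"), bot_id))
    return findings


# Constructed sample: a browser talking to Discord (benign), an unknown binary uploading a
# file to a Telegram bot and then polling it for commands, and the real Telegram client.
SAMPLE_LOG = """\
2025-01-27T10:01:02Z WS-042 chrome.exe GET https://discord.com/api/v9/users/@me
2025-01-27T10:01:05Z WS-042 update.exe POST https://api.telegram.org/bot1234567890:AAEXAMPLEEXAMPLEEXAMPLEEXAMPLEEXAMP/sendDocument
2025-01-27T10:02:10Z WS-017 Telegram.exe POST https://api.telegram.org/bot1234567890:AAEXAMPLEEXAMPLEEXAMPLEEXAMPLEEXAMP/sendMessage
2025-01-27T10:03:00Z WS-042 update.exe GET https://api.telegram.org/bot1234567890:AAEXAMPLEEXAMPLEEXAMPLEEXAMPLEEXAMP/getUpdates
"""

if __name__ == "__main__":
    for f in detect_telegram_c2(SAMPLE_LOG.splitlines()):
        print(f"{f.host}: {f.process} called {f.method} on bot {f.bot_id}")
```

The same check can be applied to DNS or firewall logs by matching on the `api.telegram.org` host alone, at the cost of losing the method and bot id fields.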

The XWorm RAT is capable of 56 functions, the most dangerous of which include its ability to capture credentials, cookies, and autofill data from browsers, as well as keylogging and screen capture. XWorm can also encrypt all the files on the infected system using a supplied password, effectively making it ransomware.

During the cybersecurity researcher’s investigation into this campaign, they discovered a built-in kill switch that they used to uninstall the RAT from as many infected hosts as possible.


Source: Bleeping Computer

Analysis

This attack demonstrates that all users, even script kiddies, must be careful when downloading purported software, especially hacking tools, from untrusted platforms, as this is a well-known attack vector used by threat actors for various malicious purposes. Cybercriminals often target other criminals, exploiting the same weaknesses they rely on to attack regular users.

This type of targeting has also been observed at the nation-state level. For example, in 2023, APT41, a Chinese state-sponsored cyber actor, reportedly targeted cybercriminal forums, hacking rival threat actors to collect information about their activities and tools. This type of behaviour was also observed in 2022 when the Iranian APT group, known as MuddyWater, breached Russian cybercriminal organizations to gather intelligence.

Mitigation

Field Effect’s Security Intelligence team constantly monitors the cyber threat landscape for threats related to RATs and other potentially malicious tools. This research contributes to the timely deployment of signatures into Field Effect MDR to detect and mitigate these threats. Field Effect MDR users are automatically notified when threat-related activity is detected in their environment and are encouraged to review these AROs as quickly as possible via the Field Effect portal.
