Hacker Infects 18,000 "Script Kiddies" With Fake Malware Builder
Summary:
A malware campaign has specifically targeted low-skilled hackers, or "script kiddies," to steal data and take control of systems. CloudSEK researchers report that a threat actor distributed a trojanized XWorm RAT builder through platforms like GitHub, file hosting sites, Telegram channels, YouTube, and various websites, promoting it as a free tool. Believing they could use the RAT builder for their own purposes, script kiddies instead fell victim to a malware injection. In total, 18,459 devices have been infected worldwide, with the majority located in Russia, the U.S., India, Ukraine, and Turkey.
According to CloudSEK, once devices are infected, the malware checks the Windows Registry to detect whether it is running in a virtualized environment, halting the infection if it finds one. If the system is eligible for infection, the malware modifies the Registry to ensure persistence after reboot. Each infected device is then registered with a Telegram-based command and control (C2) server using a hardcoded bot ID and token. From here, the malware automatically steals Discord tokens, system information, and location data, and awaits further commands from the operators. In total, the malware supports 56 commands, including the ability to steal saved passwords, cookies, and autofill data from web browsers, record keystrokes, capture the victim's active screen, encrypt all files on the system, terminate specific processes (including security software), exfiltrate files, and uninstall the malware from the device.
Security Officer Comments:
The latest development highlights the opportunistic and indiscriminate approach taken by threat actors. Cybercriminals, often driven by the potential for financial gain or access to valuable data, are not concerned with the identity or status of their targets. In fact, even other cybercriminals are not immune to attacks, as shown in the latest campaign. This reflects a broader trend in which actors are willing to exploit any security gap or weakness, regardless of who is on the receiving end, as long as there is an opportunity to steal data and funds.
Suggested Corrections:
CloudSEK researchers were able to disrupt the botnet by using hard-coded API tokens and a kill switch to uninstall the malware from infected devices. They sent a mass uninstall command to all active clients, cycling through known machine IDs from Telegram logs and brute-forcing additional IDs from 1 to 9999. While this successfully removed the malware from many devices, those that were offline during the operation remained compromised.
Link(s):
https://www.bleepingcomputer.com/ne...000-script-kiddies-with-fake-malware-builder/