18,000 Script Kiddies Infected by XWorm RAT Backdoor via Malicious Builder
Security analysts at CloudSEK have discovered that cybercriminals are targeting low-skilled hackers using a fake malware builder. The systems of these so-called script kiddies are being infected with a backdoor, which is then used to steal data and take over their computers. A total of 18,459 devices worldwide have been affected, with most located in Russia, the United States, India, Ukraine, and Turkey.
“A malicious version of the XWorm RAT builder has been turned into an attack tool and is being distributed,” CloudSEK reports. “It targets script kiddies, beginners in cybersecurity who directly download and use tools mentioned in various guides, once again proving that there is no honor among thieves.”
Researchers note that the malware includes a “kill switch” that has already been activated to remove the malware from many infected machines. However, due to several limitations, many systems remain compromised.
The infected builder was spread through various channels, including GitHub repositories, file-sharing platforms, Telegram channels, YouTube videos, and different websites. In all these sources, the XWorm RAT builder was advertised as a free tool, with claims that no payment was required for this malware.
In reality, the builder itself contained malware that checked the Windows registry for signs of a virtualized environment and would stop running if one was detected. If the host met the infection criteria, the malware made the necessary registry changes to establish persistence on the system. Each infected machine was registered with a command-and-control server on Telegram using a hardcoded identifier and Telegram bot token.
The malware then stole Discord tokens, system information, and location data (via IP address) from the would-be hacker’s machine, sending it to the attackers’ server. Afterward, the malware waited for further commands from its operators.
In total, the backdoor supports 56 commands, but researchers identified the following as the most dangerous:
- `/machine_id*browsers` — Steals saved passwords, cookies, and autofill data from browsers
- `/machine_id*keylogger` — Records everything the victim types on their keyboard
- `/machine_id*desktop` — Captures screenshots of the victim’s screen
- `/machine_id*encrypt*<password>` — Encrypts all files on the system using the provided password
- `/machine_id*processkill*<process>` — Terminates specific processes, including security software
- `/machine_id*upload*<file>` — Retrieves (exfiltrates) a specified file from the infected system to the operators
- `/machine_id*uninstall` — Removes the malware from the device
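The command format above (`/<machine_id>*<command>[*<argument>]`) is simple enough that a responder who obtains a dump of the operators’ Telegram bot traffic can triage it automatically. The following Python is an added example, not CloudSEK’s tooling and not code from the backdoor: it parses lines in that format, assigns each command an impact category based on the list in the article, and reports which machine IDs received destructive commands. The sample lines, machine IDs, and arguments are constructed for illustration.

```python
"""Triage helper for XWorm-style Telegram bot commands.

Added example (not CloudSEK's tooling or the backdoor's own code): parses
operator commands in the "/<machine_id>*<command>[*<argument>]" form that the
article lists, classifies each by the impact category a responder cares about,
and summarises which machine IDs were targeted. Sample lines are constructed.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Command pattern from the article: "/<machine_id>*<command>" with an optional
# third "*<argument>" segment (password, process name, file path).
COMMAND_RE = re.compile(
    r"^/(?P<machine_id>[^*\s]+)\*(?P<command>[A-Za-z_]+)(?:\*(?P<argument>.*))?$"
)

# Impact categories for the commands the researchers flagged as most dangerous.
# Anything not listed is reported as "other" so unknown commands still surface.
IMPACT = {
    "browsers": "credential-theft",
    "keylogger": "credential-theft",
    "desktop": "surveillance",
    "encrypt": "destructive",
    "processkill": "defense-evasion",
    "upload": "exfiltration",
    "uninstall": "cleanup",
}


@dataclass
class C2Command:
    machine_id: str
    command: str
    argument: Optional[str]
    impact: str


def parse_command(line: str) -> Optional[C2Command]:
    """Return a C2Command for a line in the documented format, else None."""
    m = COMMAND_RE.match(line.strip())
    if not m:
        return None
    cmd = m.group("command").lower()
    return C2Command(m.group("machine_id"), cmd, m.group("argument"),
                     IMPACT.get(cmd, "other"))


def triage(lines):
    """Parse a batch of captured commands and summarise them.

    Returns (parsed_commands, impact_counter, machine_ids_sent_destructive_cmds).
    """
    parsed = [c for c in (parse_command(line) for line in lines) if c]
    by_impact = Counter(c.impact for c in parsed)
    destructive = sorted({c.machine_id for c in parsed if c.impact == "destructive"})
    return parsed, by_impact, destructive


# Constructed sample traffic (machine IDs, process name and paths are made up).
SAMPLE_LINES = [
    "/1042*browsers",
    "/1042*keylogger",
    "/2077*desktop",
    "/3311*encrypt*hunter2",
    "/3311*processkill*av_scanner.exe",
    "/4500*upload*C:\\Users\\kid\\Desktop\\notes.txt",
    "/9999*uninstall",
    "hello operator",  # chatter, not a command; ignored by the parser
]

if __name__ == "__main__":
    cmds, counts, destructive = triage(SAMPLE_LINES)
    for c in cmds:
        print(f"{c.machine_id:>6} {c.command:<12} {c.impact:<17} {c.argument or ''}")
    print("impact summary:", dict(counts))
    print("machines sent a destructive command:", destructive)
```

Because the machine ID is the first field, the same summary immediately gives the list of IDs a cleanup operation (such as the `uninstall` broadcast described later in the article) would need to cover, and the `destructive` list tells a responder which victims need file-recovery attention rather than just credential resets.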
Screenshot taken by the malware
CloudSEK notes that the malware operators stole data from about 11% of infected devices, mainly by taking screenshots and stealing browser information.
The company’s specialists attempted to dismantle the botnet using the hardcoded API tokens and the built-in kill switch designed to remove the malware from infected devices. They sent the uninstall command to all clients by cycling through all known infected machine IDs extracted from Telegram logs. Researchers also brute-forced IDs from 1 to 9999, assuming the attackers might have used a simple numeric pattern.
Command to remove the malware
Although this led to the removal of the backdoor from many infected systems, machines that were offline at the time the command was sent remained compromised. Additionally, due to Telegram’s message delivery limitations, some uninstall commands may have been lost in transit.
CloudSEK experts conclude that hackers regularly target other hackers. Therefore, you should never trust unsigned software, especially if it’s distributed by cybercriminals, and only work with malware builders in test and analysis environments.