In a recently disclosed campaign, more than 18,000 low-skilled hackers fell victim to a trojanized builder for the XWorm remote access trojan (RAT). The lure targeted inexperienced hackers, commonly called script kiddies, who are not well-versed in security practices and download ready-made tooling without inspecting it. The builder they received did not just generate XWorm samples: it carried a backdoor of its own, which stole data from their machines and handed control of them to the attackers.
According to research by the cybersecurity firm CloudSEK, the backdoored builder infected 18,459 devices worldwide, with the largest numbers in Russia, the United States, India, Ukraine, and Turkey. A built-in kill switch was later triggered to neutralize the malware on many of those machines, but practical limitations (described below) meant not every device could be reached, and some remain compromised.
CloudSEK's report notes that the trojanized builder was aimed squarely at script kiddies, who tend to rely on tools and tutorials found online without understanding what the code does. It was distributed through GitHub repositories, file-hosting platforms, Telegram channels, YouTube videos, and websites, where it was advertised as a free, cracked builder for the XWorm RAT.
Once the trojanized builder runs, the malware first inspects the Windows registry for signs that it is executing inside a virtualized environment and stops if it finds them, so that sandboxes and analysis VMs see nothing. On a real host it instead modifies the registry to persist across reboots. The infected system is then registered with a Telegram-based command-and-control channel (the malware carries the bot token and chat identifier it needs), and it sends the operators stolen data such as Discord tokens, system information, and location data.
The operators can send commands to the infected devices over that same Telegram channel; the malware understands 56 of them. Among the most damaging are stealing browser data, capturing the screen, logging keystrokes, encrypting files, killing processes, and uploading files from the infected system.
CloudSEK's researchers then used the hard-coded Telegram credentials against the botnet: they extracted every known machine identifier from the Telegram logs and mass-sent the malware's own uninstall command to each one. That removed XWorm RAT from many infected devices, but any machine that was offline when the command was issued never received it and remains compromised. Telegram's own limits on the bot API (rate limiting of outgoing messages, and the fact that getUpdates returns only a bounded page of recent messages) may also have caused some uninstall commands to be lost, or some victims never to be enumerated at all.
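The disruption step above is worth seeing in code, because its two failure modes (a bounded getUpdates page and 429 rate limiting) are exactly where a naive takedown script loses victims. The following is an added example, not CloudSEK's tooling and not code from the XWorm project: the beacon text format, the `/<machineid>/uninstall` command syntax, and the `FakeC2Chat` transport are assumptions constructed so that it runs offline. The shapes of the Telegram Bot API replies it imitates (an `ok` flag, `update_id` paging via `offset`, at most 100 updates per call, and a 429 error carrying `parameters.retry_after`) are real.

```python
import re
from collections.abc import Callable

# Assumed beacon format for illustration; real XWorm beacons differ. The only
# point taken from the report is that a machine ID can be parsed out of the
# operator's Telegram chat.
MACHINE_ID_RE = re.compile(r"^ID:\s*([A-Z0-9]{6,12})$", re.MULTILINE)


def page_updates(fetch: Callable[[int], dict]) -> list[dict]:
    """Drain a getUpdates-style endpoint. Telegram returns at most 100 updates
    per call, so a script that reads one page enumerates only the newest
    victims. Keep requesting with offset = last update_id + 1 until empty."""
    offset, collected = 0, []
    while True:
        page = fetch(offset)
        if not page.get("ok"):
            raise RuntimeError(f"getUpdates failed: {page}")
        batch = page["result"]
        if not batch:
            return collected
        collected.extend(batch)
        offset = batch[-1]["update_id"] + 1


def extract_machine_ids(updates: list[dict]) -> list[str]:
    """Unique machine IDs in first-seen order; a host beacons more than once."""
    seen, ids = set(), []
    for upd in updates:
        text = upd.get("message", {}).get("text", "")
        for mid in MACHINE_ID_RE.findall(text):
            if mid not in seen:
                seen.add(mid)
                ids.append(mid)
    return ids


def mass_uninstall(send: Callable[[str], dict], machine_ids: list[str],
                   max_retries: int = 3) -> dict:
    """Issue the kill-switch command once per machine ID. `send` mimics
    sendMessage: on 429 the reply carries parameters.retry_after, and the
    caller is expected to sleep that long before retrying (omitted here so the
    example runs instantly). A command that never gets an ok reply within the
    retry budget is recorded as failed rather than silently dropped."""
    sent, failed, rate_limited = [], [], 0
    for mid in machine_ids:
        cmd = f"/{mid}/uninstall"  # assumed command syntax
        for _ in range(max_retries + 1):
            reply = send(cmd)
            if reply.get("ok"):
                sent.append(mid)
                break
            if reply.get("error_code") != 429:
                failed.append(mid)
                break
            rate_limited += 1  # real code: time.sleep(reply["parameters"]["retry_after"])
        else:
            failed.append(mid)
    return {"sent": sent, "failed": failed, "rate_limited": rate_limited}


class FakeC2Chat:
    """Constructed stand-in for the operator's Telegram chat: holds one beacon
    per victim, pages them 100 at a time, rate-limits bursts, and 'delivers'
    a command only to hosts that are online to poll for it."""

    def __init__(self, n_victims: int, online: set[str], burst_limit: int = 5):
        self.updates = [
            {"update_id": i + 1,
             "message": {"text": f"New client\nID: MID{i:05d}\nOS: Windows 10"}}
            for i in range(n_victims)
        ]
        self.online, self.burst_limit = set(online), burst_limit
        self.burst, self.delivered = 0, []

    def get_updates(self, offset: int) -> dict:
        batch = [u for u in self.updates if u["update_id"] >= offset][:100]
        return {"ok": True, "result": batch}

    def send_message(self, text: str) -> dict:
        if self.burst >= self.burst_limit:
            self.burst = 0
            return {"ok": False, "error_code": 429, "parameters": {"retry_after": 1}}
        self.burst += 1
        mid = text.split("/")[1]
        if mid in self.online:  # offline hosts never see the command
            self.delivered.append(mid)
        return {"ok": True}


def run_disruption(n_victims: int, online: set[str]) -> dict:
    """End-to-end: enumerate victims, fire the kill switch, report the gap
    between 'sent' and 'delivered', which is the set still compromised."""
    chat = FakeC2Chat(n_victims, online)
    ids = extract_machine_ids(page_updates(chat.get_updates))
    report = mass_uninstall(chat.send_message, ids)
    report["enumerated"] = len(ids)
    report["delivered"] = list(chat.delivered)
    report["still_compromised"] = [m for m in ids if m not in chat.delivered]
    return report


if __name__ == "__main__":
    r = run_disruption(250, {"MID00000", "MID00100", "MID00249"})
    print(f"enumerated={r['enumerated']} sent={len(r['sent'])} "
          f"delivered={len(r['delivered'])} rate_limited={r['rate_limited']} "
          f"still_compromised={len(r['still_compromised'])}")
```

The metric that matters for a takedown is `still_compromised`, not `sent`: every command here is accepted by the API, yet only the hosts that were online receive it, which is the same gap the report describes.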
The campaign is a reminder that attackers target other attackers too, and that people with limited security knowledge are the easiest prey. Anyone running tooling of unknown origin should treat it as untrusted: inspect it, run it in an isolated environment, and keep their own systems patched and monitored.