Hacker Infects 18,000 "Script Kiddies" with Fake Malware Builder
A hacker has successfully targeted low-skilled hackers, commonly referred to as script kiddies.

A hacker has successfully targeted low-skilled hackers, commonly referred to as "script kiddies", by spreading a fake malware builder that silently installed a backdoor on their machines. The operation, which preyed on the inexperience of novice cybercriminals, infected more than 18,000 devices worldwide.
Global Infection Campaign
The attack was uncovered by security researchers at CloudSEK, who reported that 18,459 devices were infected globally. The majority of compromised machines were located in Russia, the United States, India, Ukraine, and Turkey, a spread that shows how far a lure aimed at inexperienced users can travel.
"A trojanized version of the XWorm RAT builder has been weaponized and propagated," CloudSEK noted in their report. "It is targeted specifically towards script kiddies who are new to cybersecurity and directly download tools mentioned in various tutorials. This incident underscores the saying that there is no honor among thieves."
Interestingly, the malicious builder included a kill switch, which CloudSEK's researchers were able to trigger to uninstall the malware from a number of infected systems. Practical limitations, namely devices that were offline at the time and Telegram's message rate limits, left many machines compromised.
Fake RAT Builder Distributes Malware
The attack began with a Trojanized version of the XWorm RAT (Remote Access Trojan) builder. This fake tool was promoted across several channels, including:
GitHub repositories
File hosting platforms
Telegram channels
YouTube videos
Various websites
These sources lured users with promises of free access to the XWorm RAT builder, a tool that would let them create and deploy their own malware without paying for it. Instead, the downloaded builder infected the victims' devices with a malicious payload. Once executed, the malware performed a series of checks to determine whether it was running in a virtualized environment of the kind researchers use to analyze malware. If the checks indicated a virtual machine, the malware terminated itself to frustrate analysis. On genuine devices, it made registry modifications to ensure persistence and then registered the infected system with a Telegram-based command-and-control (C2) server.
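A first-pass check a practitioner would want before running any downloaded "builder" is a static string triage for exactly the behaviour described above: a Telegram Bot API C2 with a hardcoded token, virtual-machine checks, and Run-key persistence. The script below is an added illustration, not CloudSEK's tooling and not strings recovered from the actual trojanized builder; the indicator strings, the token pattern and the sample blob are assumptions constructed for the example. It extracts both ASCII and UTF-16LE strings, since .NET binaries such as XWorm store most literals as UTF-16LE and a plain `strings` pass misses them.

```python
import re
import sys

# String-level triage of a downloaded "builder" before anyone runs it. This is an
# added illustration, not CloudSEK's tooling, and the indicator strings below are
# assumptions: common artifacts of Telegram-C2 stealers, VM checks and Run-key
# persistence, not strings recovered from the actual trojanized XWorm builder.
INDICATORS = {
    "telegram_c2": [r"api\.telegram\.org/bot", r"sendMessage", r"getUpdates"],
    "vm_evasion": [r"VBoxService", r"vmtoolsd", r"VMware", r"SbieDll", r"VIRTUAL"],
    "registry_persistence": [r"CurrentVersion\\Run"],
    "discord_token_theft": [r"discord\.com/api", r"Local Storage"],
}
# Approximate shape of a Telegram bot token: numeric bot id, colon, 35-char secret.
TOKEN_RE = re.compile(r"(?<!\d)\d{8,10}:[A-Za-z0-9_-]{35}(?![A-Za-z0-9_-])")

# .NET binaries (XWorm is .NET) keep most literals as UTF-16LE, so a plain ASCII
# strings pass misses them; extract both encodings.
ASCII_RE = re.compile(rb"[\x20-\x7e]{6,}")
UTF16_RE = re.compile(rb"(?:[\x20-\x7e]\x00){6,}")


def extract_strings(data: bytes) -> list:
    found = [m.group().decode("ascii") for m in ASCII_RE.finditer(data)]
    found += [m.group().decode("utf-16le") for m in UTF16_RE.finditer(data)]
    return found


def redact(token: str) -> str:
    """Keep enough of a token to correlate samples without logging the secret."""
    bot_id, secret = token.split(":", 1)
    return f"{bot_id}:{secret[:4]}...{secret[-4:]}"


def triage(data: bytes) -> dict:
    hits = {cat: set() for cat in INDICATORS}
    tokens = set()
    for s in extract_strings(data):
        for cat, patterns in INDICATORS.items():
            hits[cat].update(p for p in patterns if re.search(p, s))
        tokens.update(redact(m.group()) for m in TOKEN_RE.finditer(s))
    return {"hits": {c: sorted(v) for c, v in hits.items()}, "tokens": sorted(tokens)}


def verdict(report: dict) -> str:
    cats = [c for c, v in report["hits"].items() if v]
    if report["tokens"] and "telegram_c2" in cats:
        return "likely Telegram-C2 backdoor"
    if len(cats) >= 2:
        return "suspicious"
    return "no indicators"


def build_sample() -> bytes:
    """Constructed stand-in for a trojanized builder (not a real sample)."""
    fake_token = "123456789:AAHabcdefghijklmnopqrstuvwxyz012345"  # fake, 9 digits + 35 chars
    u16 = lambda s: s.encode("utf-16le")
    return b"".join([
        b"MZ\x90\x00" + bytes(range(256)),                      # binary filler
        u16("https://api.telegram.org/bot" + fake_token + "/sendMessage"),
        b"\x00" * 8,
        b"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\x00\x00\x00",
        u16("VBoxService.exe"), b"\x01\x02\x03", u16("vmtoolsd.exe"),
        b"\x00" * 4,
        b"https://discord.com/api/v9/users/@me\x00",
    ])


if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample()
    report = triage(blob)
    for cat, matched in report["hits"].items():
        print(f"{cat:22s} {matched}")
    print("tokens:", report["tokens"])
    print("verdict:", verdict(report))
```

Run it with a file path to triage a real download, or with no arguments to see the constructed sample score as a likely Telegram-C2 backdoor. The token is redacted in the report on purpose: an analyst wants to correlate samples sharing a bot, not copy the secret into a ticket.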
Malware Capabilities
The malware was programmed to steal sensitive data and perform a range of malicious activities on infected systems. Upon infection, the malware would exfiltrate:
- Discord tokens
- System information
- Location data (derived from the device's IP address)
The stolen data was sent back to the hacker's C2 server. Additionally, the malware operators could issue remote commands to the infected devices. Of the 56 supported commands, some of the most dangerous included:
- Stealing saved passwords, cookies, and autofill data from browsers.
- Logging keystrokes to capture everything typed by the victim.
- Taking screenshots of the victim's desktop.
- Encrypting files on the victim's system using a provided password, essentially functioning as ransomware.
- Killing specific processes, including antivirus software or other security tools.
- Uploading files from the infected system to the attacker’s server.
- Uninstalling itself from the victim’s device upon command.
CloudSEK noted that approximately 11% of infected systems had data exfiltrated, with stolen browser data and screenshots being the primary targets.
Researchers' Intervention with Kill Switch
CloudSEK researchers were able to disrupt the botnet by combining the malware's hardcoded Telegram API tokens with its built-in kill switch. Authenticating as the operator's own bot, they sent mass uninstall commands to the infected devices, first to the machine IDs they had extracted from the Telegram logs, then to IDs brute-forced as a simple numeric sequence from 1 to 9999 to reach as many devices as possible.
The method has known gaps. Devices that were offline during the mass uninstall never received the command and remain compromised, and because Telegram rate-limits bot messages, some uninstall commands may not have reached their targets at all.
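The two failure modes above, offline machines and rate-limited messages, are bookkeeping problems: a takedown that does not record which IDs never acknowledged cannot say how many machines are still infected. The dispatcher below is an added illustration of that bookkeeping, not CloudSEK's script. The `/uninstall <id>` command text is an assumption about the botnet's command format, and the transport is a constructed fake; nothing here talks to Telegram. A real transport would POST to the Bot API `sendMessage` endpoint with the hardcoded token and raise `RateLimited` from an HTTP 429 response (whose JSON body carries `parameters.retry_after`).

```python
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, Iterable, Set

# Added illustration of takedown bookkeeping; not CloudSEK's script. The
# "/uninstall <id>" text is an assumed command format and FakeTelegram is a
# constructed stand-in for the Bot API, so this runs fully offline.


class RateLimited(Exception):
    """Transport signal for an HTTP 429; retry_after is the server's wait in seconds."""
    def __init__(self, retry_after: float):
        super().__init__(f"rate limited, retry after {retry_after}s")
        self.retry_after = retry_after


@dataclass
class Dispatcher:
    send: Callable[[int, str], bool]          # returns True when the implant acknowledged
    sleep: Callable[[float], None] = time.sleep
    max_attempts: int = 3
    reached: Set[int] = field(default_factory=set)
    unreached: Dict[int, str] = field(default_factory=dict)

    def dispatch(self, machine_ids: Iterable[int], command: str = "/uninstall") -> dict:
        for mid in machine_ids:
            self._send_one(mid, f"{command} {mid}")
        return {"reached": sorted(self.reached), "unreached": dict(self.unreached)}

    def _send_one(self, mid: int, text: str) -> None:
        for _ in range(self.max_attempts):
            try:
                acked = self.send(mid, text)
            except RateLimited as err:
                # Back off for exactly as long as the API asks, then retry the same id;
                # skipping it would silently leave that machine infected.
                self.sleep(err.retry_after)
                continue
            if acked:
                self.reached.add(mid)
            else:
                self.unreached[mid] = "no acknowledgement (offline?)"
            return
        self.unreached[mid] = "rate limited after retries"


def candidate_ids(known_ids: Iterable[int], brute_force_upto: int) -> list:
    """IDs recovered from the C2 logs, plus a plain numeric sweep for the ones missing."""
    return sorted(set(known_ids) | set(range(1, brute_force_upto + 1)))


class FakeTelegram:
    """Constructed stand-in for the Bot API: every (burst+1)-th call gets a 429,
    and machines listed as offline never acknowledge."""
    def __init__(self, offline: Iterable[int], burst: int = 3):
        self.offline, self.burst, self.calls, self.sent = set(offline), burst, 0, []

    def send(self, mid: int, text: str) -> bool:
        self.calls += 1
        if self.calls % (self.burst + 1) == 0:
            raise RateLimited(retry_after=1)
        self.sent.append(text)
        return mid not in self.offline


if __name__ == "__main__":
    api = FakeTelegram(offline={4})
    waits = []
    result = Dispatcher(send=api.send, sleep=waits.append).dispatch(candidate_ids([2, 5], 6))
    print("reached:", result["reached"])
    print("unreached:", result["unreached"])
    print("429 back-offs honoured:", waits)
```

The design point is that an unacknowledged ID is never dropped from the report: with real numbers (a 1-to-9999 sweep against Telegram's per-bot limits) the `unreached` map is the list of machines a second pass has to revisit once they come back online.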
Hacking Hackers: A Common Scenario
This isn’t the first time hackers have targeted other hackers. The cybersecurity world has seen similar instances where malicious actors exploit each other’s tools or trust within underground communities. For instance, fake tools like keyloggers, password crackers, or RAT builders are frequently seeded with malware to hijack the machines of unsuspecting users.
Lessons Learned
The findings from CloudSEK emphasize the risks of downloading and running unsigned or unverified software, especially within the cybercriminal ecosystem.
Key takeaways from this incident include:
- Trust No One: Unsigned software, particularly those distributed in tutorials or shady forums, should never be trusted. Cybercriminals frequently exploit the naivety of newcomers in the hacking community.
- Sandbox First: Malware builders or similar tools should only ever be tested in isolated or sandbox environments to prevent collateral damage to personal or business devices.
- Cybersecurity Basics Apply to All: Even those in the hacking community need to practice safe cybersecurity habits, as this incident demonstrates that attackers are just as willing to exploit each other as they are their victims.
Conclusion
The trojanized XWorm RAT builder incident serves as a cautionary tale for "script kiddies" and low-skilled hackers. It not only highlights the risks of engaging in illegal activities but also demonstrates the vulnerability of those who underestimate the sophistication of threat actors in the cybersecurity world. As the saying goes, there is truly no honor among thieves.
About the Creator
WIRE TOR - Ethical Hacking Services
WIRE TOR is a cyber intelligence company that provides pentest and cybersecurity news about IT, web, mobile (iOS, Android), API, cloud, IoT, network, application, system, red teaming, social engineering, wireless, and source code.