Security researchers discovered a version of the XWorm remote access trojan (RAT) builder designed to target new and inexperienced hackers. The builder is being promoted on various Telegram and YouTube channels aimed at low-level hackers and individuals new to cybersecurity. The builder appears to be available for download from GitHub repositories and file-sharing services like Mega and Upload.ee; however, the file is actually malware used to steal the victims’ data, system information, and credentials.
What’s Notable and Unique
- Researchers were able to access the data set exfiltrated by the malware and found that it had infected over 18,000 devices, stealing data and credentials from over 2,000 of them.
- From the data set, researchers were also able to identify the countries where the infected devices are located, providing insight into the geolocation of the individuals who thought they were downloading the XWorm RAT builder. Although Russia and the United States had the most infected devices, India, Ukraine, Turkey, Thailand, and Germany all had at least 500 victims of the trojanized builder.
Analyst Comments
While the idea of targeting entry-level hackers with a trojanized builder may seem like poetic justice, the data set recovered by security researchers revealed the alarming number of individuals worldwide interested in engaging in malicious cyber activity. The ever-growing accessibility of information and emerging technologies like AI continue to lower the barrier to entry into cybercrime. Although the focus is typically on threats from the larger ransomware and extortion groups, less-skilled cybercriminals can still cause substantial financial damage and business disruption to the organizations they target. Additionally, the geographic diversity of the infected devices reflects the global threat of cybercrime.