No Honor Among Thieves: Uncovering a Trojanized XWorm RAT Builder Propagated by Threat Actors and Disrupting Its Operations
Jan. 27, 2025, 2:55 p.m.
Description
A trojanized version of the XWorm RAT builder has been weaponized and propagated, targeting novice cybersecurity enthusiasts. The malware, spread through GitHub, Telegram, and file-sharing platforms, has compromised over 18,459 devices globally. It exfiltrates sensitive data like browser credentials, Discord tokens, and system information, employing advanced techniques such as virtualization checks and registry modifications. The malware uses Telegram as its command-and-control infrastructure, leveraging bot tokens and API calls. Analysis revealed over 1 GB of browser credentials exfiltrated from multiple devices. Researchers identified a "kill switch" feature, which was used to disrupt active devices. Attribution efforts linked the operation to a threat actor using aliases like "@shinyenigma" and "@milleniumrat".
Tags
Date
- Created: Jan. 27, 2025, 2:24 p.m.
- Published: Jan. 27, 2025, 2:24 p.m.
- Modified: Jan. 27, 2025, 2:55 p.m.
Indicators
- e92707537fe99713752f3d3f479fa68a0c8dd80439c13a2bb4ebb36a952b63fd
- aa8f8d093a10f1b25cb99ac059f30f056d2bb5924114a00a02cf83b0de04fae3
- 67d9b4b35c02a19ab364ad19e1972645eb98e24dcd6f1715d2a26229deb2ccf5
Additional Information
- British Indian Ocean Territory
- India
- Ukraine
- Russian Federation