AlienVault Threat Report: Exposure of Trojanized XWorm RAT Builder Exploiting Cyber Enthusiasts

Threat Overview

A significant cyber threat has been identified and detailed in a report published by AlienVault. The report, titled “No Honor Among Thieves: Uncovering a Trojanized XWorm RAT Builder Propagated by Threat Actors and Disrupting Its Operations”, highlights the weaponization of a trojanized version of the XWorm RAT builder.

Threat Summary

The malware, targeted at novice cybersecurity enthusiasts, was propagated through popular platforms such as GitHub, Telegram, and file-sharing services. Over 18,459 devices worldwide have been compromised, with sensitive data like browser credentials, Discord tokens, and system information being exfiltrated.

Tactics Employed

To evade detection and maintain persistence, the malware employs advanced techniques:

  • Virtualization checks to prevent analysis in virtual environments.
  • Registry modifications to maintain persistence on the infected host.

Command-and-Control Infrastructure

The malware leverages Telegram as its command-and-control infrastructure, utilizing bot tokens and API calls.

Data Exfiltration

Over 1 GB of browser credentials has been exfiltrated from multiple devices.

Threat Actors Involved

Attribution efforts have linked the operation to a threat actor using aliases such as ‘@shinyenigma’ and ‘@milleniumrat’.

Disruption Efforts

Researchers discovered a ‘kill switch’ feature, which was used to disrupt the malware on actively infected devices.

Recommendations

Based on this report, the following recommendations are provided:

  • Increase suspicion of unknown software from unverified sources.
  • Implement robust anti-malware solutions with up-to-date signatures.
  • Monitor for virtualization-detection behaviour and registry modifications to improve detection of anomalies.
  • Monitor Telegram bot activity as potential command-and-control infrastructure.
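One way to act on the Telegram monitoring recommendation above, and on the command-and-control description earlier in this summary: an added example, not code from the report or from ESSGroup, that scans proxy log lines for Telegram Bot API calls (URLs of the form https://api.telegram.org/bot<id>:<secret>/<method>) and flags hosts whose processes use data-pushing methods. The log format, hostnames, process names and bot tokens are constructed for the example.

```python
import re
from collections import defaultdict

# Telegram Bot API calls look like https://api.telegram.org/bot<id>:<secret>/<method>.
# Only the numeric bot id is recorded; the secret part of the token is never stored.
TELEGRAM_BOT_RE = re.compile(
    r"https?://api\.telegram\.org/bot(?P<bot_id>\d+):[A-Za-z0-9_-]+/(?P<method>\w+)"
)
# Bot API methods a C2 channel would use to push stolen data out of a host.
EXFIL_METHODS = {"sendDocument", "sendMessage", "sendPhoto"}

# Constructed proxy log sample: timestamp, source host, process name, URL.
SAMPLE_PROXY_LOG = """\
2024-03-01T10:00:01Z ws-017 chrome.exe https://www.example.com/index.html
2024-03-01T10:00:05Z ws-017 XWormBuilder.exe https://api.telegram.org/bot123456789:AAExampleSecretTokenValue/sendDocument
2024-03-01T10:00:06Z ws-017 XWormBuilder.exe https://api.telegram.org/bot123456789:AAExampleSecretTokenValue/sendMessage
2024-03-01T10:01:00Z ws-042 telegram.exe https://web.telegram.org/k/
2024-03-01T10:02:00Z ws-099 svchost.exe https://api.telegram.org/bot987654321:BBExampleOtherToken/getUpdates
"""

def parse_line(line):
    """Split one constructed log line into its four fields, or return None if malformed."""
    parts = line.split(" ", 3)
    if len(parts) != 4:
        return None
    ts, host, process, url = parts
    return {"ts": ts, "host": host, "process": process, "url": url}

def detect_telegram_c2(log_text):
    """Return host -> findings for every host whose processes call the Bot API."""
    findings = defaultdict(lambda: {"bot_ids": set(), "methods": set(),
                                    "processes": set(), "exfil": False})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        m = TELEGRAM_BOT_RE.search(rec["url"])
        if not m:
            continue  # ordinary Telegram web/desktop traffic does not use /bot<token>/ URLs
        f = findings[rec["host"]]
        f["bot_ids"].add(m.group("bot_id"))
        f["methods"].add(m.group("method"))
        f["processes"].add(rec["process"])
        if m.group("method") in EXFIL_METHODS:
            f["exfil"] = True  # outbound data push: treat as likely exfiltration
    return dict(findings)

if __name__ == "__main__":
    for host, f in sorted(detect_telegram_c2(SAMPLE_PROXY_LOG).items()):
        print(host, sorted(f["processes"]), sorted(f["methods"]), "EXFIL" if f["exfil"] else "")
```

Hosts flagged with `exfil` deserve the first look; a non-messaging process calling `getUpdates` is still worth triage because it matches the polling pattern of a bot-driven C2 channel.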

Resources

Full report available at:
https://www.cloudsek.com/blog/no-honour-among-thieves-uncovering-a-trojanized-xworm-rat-builder-propagated-by-threat-actors-and-disrupting-its-operations
