Source URL: https://www.bleepingcomputer.com/news/security/hacker-infects-18-000-script-kiddies-with-fake-malware-builder/
Source: Hacker News
Title: Hacker infects 18,000 "script kiddies" with fake malware builder
AI Summary and Description: Yes
Summary: A CloudSEK report describes a Trojanized XWorm RAT builder that was distributed to aspiring attackers, or “script kiddies”, and compromised the machines of those who ran it. The incident underscores that free or cracked malware tooling is itself an attack surface, with the usual consequences: data theft and full takeover of the operator's own computer.
Detailed Description: The CloudSEK report highlights that threats do not only come from outside the hacking community; its own members are targets. Key aspects of this incident include:
– **Targeting Low-Skilled Hackers**: The malware was aimed at “script kiddies”, who lack advanced skills and rely on downloaded tools and tutorials. Aspiring criminals are exactly the audience least likely to inspect a builder before running it, which makes them an easy target for other malicious actors.
– **Scope of Infection**: 18,459 infected devices were identified across several countries, including Russia, the United States, India, Ukraine, and Turkey.
– **Trojanized Malware Builder**: The download posed as a builder for the XWorm RAT but was itself backdoored: running it installed a RAT on the operator's own machine rather than producing one for use against others.
– **Functionalities of the Trojanized Malware**:
  – It checks for signs of a virtualized (analysis) environment and does not run if it finds them, which hampers sandbox-based analysis.
  – It modifies the Windows Registry for persistence.
  – It registers the infected device with a Telegram-based command-and-control channel, so the operator issues commands through Telegram bot messages rather than a dedicated server.
  – Commands available to the operator include:
    – **Stealing sensitive information**: Saved passwords, cookies, and other data from web browsers.
    – **Keylogging**: Recording of keystrokes.
    – **Screen capturing**: Taking screenshots of the victim's desktop.
    – **File encryption**: Encrypting files on the system with an operator-supplied password, i.e. ransomware-style behaviour on demand.
    – **Process termination**: Killing processes, including security software.
    – **File exfiltration**: Uploading specified files to the attacker.
– **Data Exfiltration**: The operators succeeded in exfiltrating data from roughly 11% of the infected devices, mostly screenshots and browser data.
– **Responding to the Attack**: CloudSEK used the Telegram API tokens hardcoded in the malware and the malware's own kill switch (an uninstall command) to disrupt the botnet, sending uninstall commands to the infected machines. Not every infection was removed: machines that were offline at the time never received the command, and Telegram rate limiting capped how many could be reached.
– **Takeaway for Security Professionals**: Treat unsigned or otherwise unverifiable software as hostile, especially tooling obtained from underground sources; run anything of uncertain provenance only in an isolated test environment; and expect the cybercriminal ecosystem to prey on its own members.
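The Telegram-based C2 described above is also what made the takedown possible: the bot token is embedded in the implant and appears in every Bot API request it makes, so a defender who can see egress traffic can both detect the beaconing and recover the credential. The script below is an added example, not code from CloudSEK or from the article; it runs over a constructed egress log (hosts, process names and tokens are invented) and flags Bot API calls from processes that are not on an assumed allowlist, grouping them by token so that machines talking to the same bot are tied to the same operator. The command an implant would honour is malware-specific and not shown; the takedown helper only builds the request a token holder could send.

```python
import re
from collections import defaultdict

# Telegram Bot API calls carry the bot token in the URL path:
#   https://api.telegram.org/bot<bot_id>:<secret>/<method>
# A token is a numeric bot ID, a colon, and a 35-character secret.
BOT_API_RE = re.compile(
    r"https?://api\.telegram\.org/bot(?P<token>\d{8,10}:[A-Za-z0-9_-]{35})/(?P<method>\w+)"
)

# Constructed egress log, one record per line: "<timestamp> <host> <process> <verb> <url>".
# Invented for this example; hosts, processes and tokens are not from the CloudSEK report
# (the tokens are random-looking strings, not real bots).
SAMPLE_LOG = """\
2025-01-20T10:01:02Z WS-0413 Telegram.exe GET https://149.154.167.99/api
2025-01-20T10:01:07Z WS-0413 builder.exe POST https://api.telegram.org/bot7219346811:AAF3kq9T2u0yLpVx8bN5cHjR4wWsZ1eQmGd/sendMessage
2025-01-20T10:01:09Z WS-0219 chrome.exe GET https://t.me/somechannel
2025-01-20T10:02:15Z WS-0413 builder.exe GET https://api.telegram.org/bot7219346811:AAF3kq9T2u0yLpVx8bN5cHjR4wWsZ1eQmGd/getUpdates?offset=0
2025-01-20T10:03:40Z WS-0777 update.exe POST https://api.telegram.org/bot7219346811:AAF3kq9T2u0yLpVx8bN5cHjR4wWsZ1eQmGd/sendDocument
2025-01-20T10:04:01Z OPS-01 ops-alerter.exe POST https://api.telegram.org/bot5501923378:AAGx7Pz2Lk9vRqT4mWb1nYcD8sJ0hFeKoUt/sendMessage
"""

# Processes that legitimately use the Bot API in this (assumed) environment.
ALLOWED_BOT_API_PROCESSES = {"ops-alerter.exe"}


def parse_line(line):
    """Split one log record into its five fields; None for malformed lines."""
    parts = line.split(maxsplit=4)
    if len(parts) != 5:
        return None
    ts, host, proc, verb, url = parts
    return {"ts": ts, "host": host, "proc": proc, "verb": verb, "url": url}


def redact_token(token):
    """Keep the bot ID (useful for correlation) but hide most of the secret."""
    bot_id, secret = token.split(":", 1)
    return f"{bot_id}:{secret[:4]}...{secret[-4:]}"


def find_bot_api_beacons(log_text):
    """Group Bot API hits by token, skipping allowlisted processes.

    Returns {token: {"hosts": set, "processes": set, "methods": [...]}}.
    Several hosts under one token means one operator controls them all.
    """
    by_token = defaultdict(lambda: {"hosts": set(), "processes": set(), "methods": []})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        m = BOT_API_RE.search(rec["url"])
        if m is None or rec["proc"] in ALLOWED_BOT_API_PROCESSES:
            continue
        entry = by_token[m["token"]]
        entry["hosts"].add(rec["host"])
        entry["processes"].add(rec["proc"])
        entry["methods"].append(m["method"])
    return dict(by_token)


def takedown_request(token, chat_id, text):
    """Build (but do not send) the Bot API call that anyone holding the
    recovered token could use to post into the C2 chat. chat_id is whatever
    getUpdates on the same token reveals; text is a placeholder here because
    the command a given implant honours is specific to that malware."""
    return {
        "url": f"https://api.telegram.org/bot{token}/sendMessage",
        "json": {"chat_id": chat_id, "text": text},
    }


if __name__ == "__main__":
    for token, info in find_bot_api_beacons(SAMPLE_LOG).items():
        print(redact_token(token), sorted(info["hosts"]),
              sorted(info["processes"]), info["methods"])
```

The detection rests on the fact that the official Telegram Desktop client speaks MTProto to Telegram's own servers and never calls the HTTP Bot API, so `api.telegram.org/bot…` traffic from an unexpected process on an endpoint is worth an alert on its own. The same log also exposes the token in clear, which is why a hardcoded bot token is a liability for the operator and a lever for the responder.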
This case shows that security can be compromised not only by external threats but by the very tools cybercriminals expect to empower them, and the resulting botnet of would-be attackers has implications well beyond its immediate victims.