A trojanized version of the XWorm RAT builder has been weaponized and disseminated primarily through GitHub and other file-sharing services, targeting novice cybersecurity users. The malware has compromised over 18,459 devices globally, exfiltrating sensitive data and using Telegram for command-and-control operations. Disruption efforts have been made to mitigate its impact, but challenges remain due to offline devices and rate-limiting on Telegram.
Affected: GitHub, Telegram, various file-sharing services
Key points:
- Trojanized XWorm RAT builder specifically targets novice cybersecurity users.
- Malware spread mainly through GitHub repositories and file-sharing services.
- Over 18,459 devices compromised, with significant data exfiltration capabilities.
- Utilizes Telegram as its command-and-control infrastructure.
- Features include virtualization checks, registry modifications, and extensive command execution.
- Disruption efforts targeted the botnet using the malware’s uninstall command.
- Attribution linked the operation to threat actors using aliases and specific email addresses.
MITRE Techniques:
- T1071.001 – Application Layer Protocol: Uses the Telegram API for command and control.
- T1070.004 – Indicator Removal on Host: Modifies registry entries for persistence.
- T1041 – Exfiltration Over Command and Control Channel: Exfiltrates data via Telegram.
- T1083 – File and Directory Discovery: Gathers system information and browser data.
- T1056.001 – Input Capture: Implements keylogging functionality.
Indicators of Compromise:
- [file name] Command Receiver.exe
- [file name] XHVNC.exe
- [file name] XWorm RAT V2.1.exe
- [file name] extractor.exe
- [url] api.telegram.org
- See the original article for the full list of IoCs.
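As an added defender-side example (not code from the article or from the researchers it summarizes), the script below matches constructed sample endpoint telemetry against the file-name and domain IoCs listed above and correlates them per host, tagging Telegram contact with the C2 and exfiltration techniques named in the summary. The JSON-lines log format, host names and severity tiers are assumptions.

```python
import json
import ntpath
from collections import defaultdict

# IoCs from the summary above; file names are matched case-insensitively.
IOC_FILENAMES = {"command receiver.exe", "xhvnc.exe", "xworm rat v2.1.exe", "extractor.exe"}
C2_DOMAINS = {"api.telegram.org"}
# Constructed sample telemetry in JSON-lines form, not data from the article.
SAMPLE_LOG = r"""
{"host": "ws01", "type": "process", "image": "C:\\Users\\bob\\Downloads\\XWorm RAT V2.1.exe"}
{"host": "ws01", "type": "dns", "query": "api.telegram.org"}
{"host": "ws02", "type": "dns", "query": "API.telegram.org."}
{"host": "ws03", "type": "process", "image": "C:\\Tools\\extractor.exe"}
{"host": "ws04", "type": "process", "image": "C:\\Windows\\System32\\notepad.exe"}
"""


def parse_events(text):
    """Parse JSON-lines telemetry; a blank or malformed line is skipped, not fatal."""
    events = []
    for line in filter(None, map(str.strip, text.splitlines())):
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return events


def triage(events):
    """Correlate signals per host. A listed builder artefact plus Telegram API contact
    is high confidence; api.telegram.org alone is weak evidence (legitimate use is common)."""
    signals = defaultdict(set)
    for ev in events:
        if ev.get("type") == "process":
            if ntpath.basename(ev.get("image", "")).lower() in IOC_FILENAMES:
                signals[ev.get("host", "?")].add("ioc_file")
        elif ev.get("type") == "dns":
            if ev.get("query", "").lower().rstrip(".") in C2_DOMAINS:
                signals[ev.get("host", "?")].add("telegram_api")
    findings = {}
    for host, kinds in signals.items():
        if "ioc_file" in kinds:
            severity = "high" if "telegram_api" in kinds else "medium"
        else:
            severity = "low"
        techniques = {"T1071.001", "T1041"} if "telegram_api" in kinds else set()
        findings[host] = {"severity": severity, "techniques": techniques}
    return findings


if __name__ == "__main__":
    for host, f in sorted(triage(parse_events(SAMPLE_LOG)).items()):
        print(host, f["severity"], sorted(f["techniques"]))
```

Hosts that only contacted api.telegram.org are reported as low severity on purpose: the Telegram API is widely used by legitimate software, so it should drive a closer look rather than an automatic verdict.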