Hacker Targets Script Kiddies with Fake Malware Builder
A threat actor has targeted low-skilled hackers, colloquially known as “script kiddies,” by distributing a fake malware builder that secretly infected their systems with a backdoor to steal data and take control of computers.
Widespread Infections
Security researchers at CloudSEK report that the malware infected 18,459 devices worldwide, most of them in Russia, the United States, India, Ukraine, and Turkey. The malicious tool, a trojanized version of the XWorm RAT builder, was aimed specifically at “script kiddies,” inexperienced would-be attackers who rely on tools found in online tutorials, highlighting the lack of honor among thieves.
Malware Distribution Tactics
The researchers found that the trojanized builder was distributed through a variety of channels, including GitHub repositories, file hosting platforms, Telegram channels, YouTube videos, and websites. These sources promoted the builder as a free tool for other threat actors to use, while in reality it infected the downloaders’ own devices with malware.
Infection Mechanics
Upon execution, the malware inspects the Windows Registry for indicators of a virtual environment and stays dormant if one is detected. On suitable hosts, it modifies the Registry to establish persistence and connects to a Telegram-based command-and-control server using hardcoded credentials.
Data Theft and Commands
The malware automatically steals Discord tokens, system information, and location data, then waits for further instructions from the operators. It supports 56 commands, some of them particularly dangerous, such as stealing browser data, recording keystrokes, capturing the screen, encrypting files, terminating processes, and uninstalling itself.
Malware Disruption
CloudSEK researchers were able to disrupt the botnet using the hardcoded API tokens and a kill switch embedded in the malware. By sending a mass uninstall command to all connected clients, they removed the malware from many devices, though some remained compromised because they were offline when the command was issued or because Telegram’s rate limiting prevented the message from being delivered.
Conclusion
This incident underscores the common phenomenon of hackers targeting other hackers. The key takeaway from CloudSEK’s findings is the importance of avoiding unsigned software, particularly software distributed by cybercriminals, and of running malware builders only in isolated testing environments.