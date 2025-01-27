Malware, Threat Intelligence

XWorm RAT builder leveraged for widespread device compromise

Hackread reports that more than 18,459 devices around the world had sensitive data, including Discord tokens, browser credentials, and system details, stolen in intrusions that targeted script kiddies with a trojanized XWorm RAT builder.

Amateur threat actors have been targeted by an attacker operating under the aliases "@shinyenigma" and "milleniumrat" with the altered XWorm RAT builder, which not only exfiltrates data via Telegram bot tokens and API calls but also performs registry modification and virtualization checks, according to an analysis from CloudSEK. "This builder provides attackers with a streamlined tool to deploy and operate a highly capable RAT, which features advanced capabilities like system reconnaissance, data exfiltration, and command execution," said the report, which also noted that offline devices and the rate limits Telegram enforces prevented the malware from being fully disrupted through its kill switch. The findings follow a report by Ukraine's State Service of Special Communications and Information Protection that XWorm was leveraged by Russian hackers in Ukraine-targeted attacks during the first six months of 2024.

Attacks by Gamaredon copycat target Russia

Intrusions by Gama Copy closely resembled those of the advanced persistent threat operation Core Werewolf, with both groups using 7-Zip self-extracting archive files to execute UltraVNC, port 443 for server connections, and the EnableDelayedExpansion command, an analysis from the Knownsec 404 Advanced Threat Intelligence team revealed.

Secondary payloads delivered via MintsLoader attacks

Oil and gas, electricity, and legal services organizations in the U.S. and Europe have been targeted with spam emails containing links that deliver MintsLoader either through a JavaScript file or via the Windows Run prompt, as part of a campaign underway since earlier this month, a report from eSentire showed.