
The discovery of a Trojan disguised as software to help low-skill hackers build XWorm RAT malware indicates the maturity and complexity of the thriving cybercrime economy—and it reminds us that there’s no honor among thieves.

Imagine that you are an ambitious young wannabe hacker. You’re no expert coder. Instead, you’ve found your way to the dark web’s marketplace for cybercrime tools and services. There, you’re like a kid in a candy shop. For very reasonable prices, you can buy or rent paint-by-numbers software that makes it easy to build and deploy a cyberattack. A small extra fee adds 24-hour technical support.

Ransomware-as-a-Service (RaaS) and Phishing-as-a-Service (PhaaS) make it even easier—and their use is rising steadily. Back in August 2023, Interpol took down one PhaaS operation that had 70,000 active customers.

Trust issues

The problem for our hypothetical young hacker—one of a type known as “script kiddies”—is that everyone they deal with in that marketplace is basically a criminal, which raises questions about who can be trusted.

Well, last month 18,000 script kiddies discovered what happens when trust is misplaced. They thought they were downloading a free XWorm RAT builder—software to automate the production of a cyber threat.

Instead, what they installed on their systems was malware that created a backdoor to let threat actors control their Windows computers.

How it worked

Once a system was infected, it was registered to a Telegram-based command-and-control server.

The malware automatically steals and exfiltrates Discord tokens, system information, and location data.

Once connected to the server, threat actors can issue commands including stealing saved passwords and browser data, recording keystrokes, capturing the screen, encrypting files, terminating security software, and exfiltrating specific files.

Threat researchers who discovered the infection were able to identify and broadcast an uninstall command for the malware, which removed it from many, but not all, infected machines.
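One defensive takeaway from the Telegram-based command-and-control channel described above is that Bot API traffic from an unexpected process is a useful detection signal. The following is an added example, not code from the original post or from Barracuda: it scans constructed endpoint connection events (the log format, hostnames, process names and the "expected clients" allowlist are all assumed) and reports processes contacting the Telegram Bot API that are not known Telegram clients.

```python
import re
from collections import defaultdict

# Constructed sample of endpoint network-connection events in an assumed
# "timestamp host process destination:port" format. The process names are
# made up for illustration; "builder.exe" stands in for a fake RAT builder.
SAMPLE_EVENTS = """\
2025-01-14T09:12:01Z ws-17 Telegram.exe api.telegram.org:443
2025-01-14T09:12:07Z ws-17 python.exe api.telegram.org:443
2025-01-14T09:12:09Z ws-17 python.exe api.telegram.org:443
2025-01-14T09:13:40Z ws-22 chrome.exe discord.com:443
2025-01-14T09:14:02Z ws-22 builder.exe api.telegram.org:443
2025-01-14T09:15:00Z ws-22 builder.exe api.telegram.org:443
"""

TELEGRAM_API = "api.telegram.org"
# Assumed allowlist: processes that legitimately talk to Telegram on managed hosts.
EXPECTED_TELEGRAM_CLIENTS = {"telegram.exe"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+(?P<proc>\S+)\s+(?P<dst>[^:\s]+):(?P<port>\d+)$"
)


def parse_event(line):
    """Parse one event line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    event = m.groupdict()
    event["port"] = int(event["port"])
    return event


def find_unexpected_telegram_clients(log_text, min_hits=1):
    """Return sorted (host, process, count) tuples for non-allowlisted
    processes that connected to the Telegram Bot API at least min_hits times."""
    hits = defaultdict(int)
    for line in log_text.splitlines():
        event = parse_event(line)
        if event is None or event["dst"] != TELEGRAM_API:
            continue
        if event["proc"].lower() in EXPECTED_TELEGRAM_CLIENTS:
            continue
        hits[(event["host"], event["proc"])] += 1
    return sorted((h, p, n) for (h, p), n in hits.items() if n >= min_hits)


if __name__ == "__main__":
    for host, proc, count in find_unexpected_telegram_clients(SAMPLE_EVENTS):
        print(f"{host}: {proc} contacted {TELEGRAM_API} {count} time(s)")
```

Raising min_hits turns the check into a crude beaconing filter, since a C2 implant polls repeatedly while a one-off connection may be benign.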

What it means

“No honor among thieves” might be the first response that comes to many of our minds. But I think the truth is a little more complicated.

Any successful marketplace, for buying and selling anything, requires a certain level of trust. There must be confidence that contracts will be honored. And by that measure, the cybercrime economy is a very reliable marketplace, where the vast majority of transactions are carried out without fraud.

But it is this very success as a reliable marketplace that is the condition for the emergence of fraud and malicious behavior. Unsophisticated buyers in any marketplace—like our script kiddies in the marketplace of malware—are too trusting, making them ripe targets for fraudsters who operate on the fringes of the marketplace, benefitting from the overall trust and reputation that the market has achieved.

“Buyer beware” is a wise attitude in any marketplace. But what the script kiddies’ fake-malware-builder story tells us is that the underground cybercrime economy is a fully mature marketplace, where most cybercrooks can do business with confidence.

This article was originally published at Barracuda Blog.

Photo: feriagashi / Shutterstock


Posted by Tony Burgess

Tony Burgess is a twenty-year veteran of the IT security industry and is Barracuda’s Senior Copywriter for Content and Customer Marketing. In this role, he researches complex technical subjects and translates findings into clear, useful, human-readable prose. You can connect with Tony on LinkedIn here.
