Analysis of the Persistent Xtreme RAT Attack on Foreign Governments

Xtreme Rat is a readily available remote access trojan (RAT) founded in 2010 by the hacker named xtremecoder and written on Delphi platform. XTRAT is free to download and use. The source code can also be obtained for a price. This was used to attack on various sectors like corporate, government and finance and in the year of 2012 it was vastly prevalent in the regions of the middle east and North Africa (abbreviated as MENA). Financial industries in US and European government agencies were also being targeted.

Few of which include Israel and Palestine surveillance, BBC( British Broadcasting Corporation), and many other European government institutions.

XtremeRAT first received widespread attention when attackers used this malware to attack Palestinian and Israeli victims. In 2012, Israeli authorities had to shut down Internet access for its police force (Krebs, 2012) because of the XRAT attack. A research team from antivirus vendor Trend Micro found out that in this incident, Israeli police force received several emails with .RAR attachments to various addresses sent by the attackers.

Get quality help now

KarrieWrites

Verified writer

Proficient in: Digital Era

5 (339)

“ KarrieWrites did such a phenomenal job on this assignment! He completed it prior to its deadline and was thorough and informative. ”

+84 relevant experts are online

Hire writer

The email attachment contained Word document and when people ran that Word file, XtremeRAT installed itself and opened a decoy document with a news report about a Palestinian missile attack (Constantin, 2012). XtremeRAT have been used by different groups and against various different targets around the globe. Therefore, it is very difficult to establish the motive and identify the attack group (Sylvander, 2015).

We had previous knowledge on cyber incidents but none of us knew much about XtremeRAT in specific. Trend Micro senior threat research Nart Villeneuve mentioned that although majority of the emails containing XtreamRAT malware was sent to the Government of Israel at ‘mfa.

gov.il (Israeli Ministry of Foreign Affairs), ‘idf.gov.il (Israeli Ministry of Defense), a noticeable amount of emails were also sent to the U.S. Government at ‘state.gov’ (U.S. Department of State), ‘senate.gov’ (U.S. Senate) and ‘house.gov’ (U.S. House of Representatives). The target list also included fco.gov.uk (British Foreign & Commonwealth Office) and ‘mfa.gov.tr (Turkish Ministry of Foreign Affairs and addresses from government institutions in Slovenia, Macedonia, New Zealand and Latvia (Constantin, 2012). In an attempt to disinfect the trojan from the systems, the Israeli police department took down the complete network after the XTRAT malware attack. There was no official statement on the amount of loss incurred or how much of the network was compromised.

How the attack works

In simple terms, it is a client server based model where the targeted workstation would be the client and the server is the actual malware element that inhabits the workstation which therefore is operated by the hacker/cybercriminal via remote shell. In cyber terms the client-server is also referred as ‘Remote terminal’ and ‘backdoor’ respectively. This backdoor generally contains the configuration specifics being referenced by the attacker and is written to the disk in the encrypted form which could contain details such as the location of the directory where this backdoor file is installed, or particulars related to FTP , and this configuration file has an extension of .cfg or nfo based on the version used. The attacker uses Remote command and control (CnC) structure to communicate with the Victims machine.

Xtreme Rat is compatible with most of the Windows versions and the activities/attacks that it can do to a remote system are endless, where some of them are stealing sensitive data, passwords from the browsers cache, keylogging, executing malicious software, gaining access to the webcam, microphone and seize audio using simple social engineering traps such as using different domain or file names and spear phishing. The motivation behind the attacks is not always just to cause damage to that entity but could also be for political reasons and the attackers generally tend to target IT workforce rather than the regular employees so they could have more privileges and access inside the organizations network.