Xtreme RAT Targets Governments

Monday, January 27, 2014 @ 06:01 PM gHale

The Xtreme RAT malware has not only hit Israeli police systems, it has also targeted governments in the U.S., UK, and other countries, researchers said.

The attackers sent rogue messages with a .RAR attachment to email addresses within the targeted government agencies, said researchers at antivirus developer Trend Micro.

RELATED STORIES
Energy Sector Under Attack
Report: Security Needs Proactive Approach
Report: Execs Still Lack Security Understanding
Senior Mgt Biggest Security Violators

The archive contained a malicious executable that looks like a Word document that, when run, installed the Xtreme RAT malware and opened a decoy document with a news report about a Palestinian missile attack.

The attack came to light at the end of October when the Israeli police shut down its computer network in order to clean the malware from its systems. Like most remote access Trojan programs (RATs), Xtreme RAT gives attackers control over the infected machine and allows them to upload documents and other files back to their servers.

After analyzing malware samples used in the Israeli police attack, security researchers from Norway-based antivirus vendor Norman uncovered a series of older attacks from earlier this year and late 2011 that targeted organizations in Israel and the Palestinian territories. Their findings painted the picture of a year-long cyber espionage operation performed by the same group of attackers in the region.

According to data found by Trend Micro, the campaign’s scope appears to be much larger.

“We discovered two emails sent from {BLOCKED}a.2011@gmail.com on Nov 11 and Nov 8 that primarily targeted the Government of Israel,” Trend Micro senior threat researcher Nart Villeneuve, said in a blog post earlier this week. “One of the emails was sent to 294 email addresses.”

“While the vast majority of the emails were sent to the Government of Israel at ‘mfa.gov.il’ [Israeli Ministry of Foreign Affairs], ‘idf.gov.il’ [Israel Defense Forces], and ‘mod.gov.il’ [Israeli Ministry of Defense], a significant amount were also sent to the U.S. Government at ‘state.gov’ [U.S. Department of State] email addresses,” Villeneuve said. “Other U.S. government targets also included ‘senate.gov’ [U.S. Senate] and ‘house.gov’ [U.S. House of Representatives] email addresses. The email was also sent to ‘usaid.gov’ [U.S. Agency for International Development] email addresses.”

The list of targets also included ‘fco.gov.uk’ (British Foreign & Commonwealth Office) and ‘mfa.gov.tr’ (Turkish Ministry of Foreign Affairs) email addresses, as well as addresses from government institutions in Slovenia, Macedonia, New Zealand, and Latvia, the researcher said. Some non-governmental organizations like the BBC and the Office of the Quartet Representative, also ended up a target.

The Trend Micro researchers used metadata from the decoy documents to track down some of their authors to an online forum. One of them used the alias “aert” to talk about various malware applications including DarkComet and Xtreme RAT or to exchange goods and services with other forum members, Villeneuve said.



Leave a Reply

You must be logged in to post a comment.