• Trend Micro
  • About TrendLabs Security Intelligence Blog
Search:
  • Home
  • Categories
    • Ransomware
    • Vulnerabilities
    • Exploits
    • Targeted Attacks
    • Deep Web
    • Mobile
    • Internet of Things
    • Malware
    • Bad Sites
    • Spam
    • Botnets
    • Social
    • Open source
Home   »   Malware   »   Xtreme RAT Targets Israeli Government

Xtreme RAT Targets Israeli Government

  • Posted on:October 29, 2012 at 8:33 pm
  • Posted in:Malware, Spam
  • Author:
    Ivan Macalintal (Threat Research Manager)
0

Trend Micro has obtained samples of malware implicated in a recent incident that forced the Israeli police department offline. According to media reports, the severity of the attack was enough for all police computers to be taken temporarily offline last Thursday.

The attack began with a spammed message purporting to come from the head of the Israel Defense Forces, Benny Gatz. The From field has the email address, bennygantz59(at)gmail.com and bore the subject IDF strikes militants in Gaza Strip following rocket barrage to make it more legitimate.

When unsuspecting recipients open the email, they will find a .RAR file attachment, which leads to the backdoor detected by Trend Micro as BKDR_XTRAT.B. Examining the e-mail headers, the target appears to have been within the Israeli Customs agency:

Based on our analysis, this backdoor is an Xtreme remote access Trojan (RAT) that, like all RATs, can be used to steal information and receive commands from a remote attacker. The Xtreme RAT appears to have been used in previous attacks targeting Syrian anti-government activists. In addition to the standard features that are common to every RAT, the newest Xtreme RAT version also has the following features:

  • Windows 8 compatibility
  • improved audio and desktop capture capabilities
  • improved Chrome and Firefox password grabbing; it can also grab passwords from Opera and Safari
  • free updates from the developer

In the past, Trend Micro has reported various incidents where cybercriminals employed the web to launch attacks and/or used political issues as social engineering tactics:

  • Malicious Email Campaign Uses Current Socio-Political Lure for Targeted Attack
  • Mediterranean Hacktivism on the Rise
  • Political Issues Bleed Through the Web
  • Iranian “Cyber Army” Strikes at China’s Search Engine Giant, Chinese Hackers Retaliate

We’ve also reported on other RATs like Poison Ivy and PlugX earlier:

  • The “Nitro” Campaign and Java Zero-Day
  • PlugX: New Tool For a Not So New Campaign
  • Unplugging PlugX Capabilities
  • Watering Holes and Zero-Day Attacks

Trend Micro Smart Protection Network protects users from this threat by detecting the spammed message and the malicious file.

Related posts:

  • A Closer Look at North Korea’s Internet
  • Cobalt Strikes Again: Spam Runs Use Macros and CVE-2017-8759 Exploit Against Russian Banks
  • CVE-2017-11882 Exploited to Deliver a Cracked Version of the Loki Infostealer
  • XTRAT and DUNIHI Backdoors Bundled with Adwind in Spam Mails
Learn how to protect Enterprises, Small Businesses, and Home Users from ransomware:
ENTERPRISE »
SMALL BUSINESS»
HOME»
Tags: IsraeliRATRemote Access ToolXtreme

Featured Stories

  • systemd Vulnerability Leads to Denial of Service on Linux
  • qkG Filecoder: Self-Replicating, Document-Encrypting Ransomware
  • Mitigating CVE-2017-5689, an Intel Management Engine Vulnerability
  • A Closer Look at North Korea’s Internet
  • From Cybercrime to Cyberpropaganda

Security Predictions for 2018

  • Attackers are banking on network vulnerabilities and inherent weaknesses to facilitate massive malware attacks, IoT hacks, and operational disruptions. The ever-shifting threats and increasingly expanding attack surface will challenge users and enterprises to catch up with their security.
    Read our security predictions for 2018.

Business Process Compromise

  • Attackers are starting to invest in long-term operations that target specific processes enterprises rely on. They scout for vulnerable practices, susceptible systems and operational loopholes that they can leverage or abuse. To learn more, read our Security 101: Business Process Compromise.

Recent Posts

  • FakeSpy Android Information-Stealing Malware Targets Japanese and Korean-Speaking Users
  • North American Malware Trends: Taking a Proactive Approach to Modern Threats
  • Another Potential MuddyWater Campaign uses Powershell-based PRB-Backdoor
  • June Patch Tuesday: Microsoft Addresses DNS-related Vulnerability, Adobe Patches Critical Flash Player Flaw
  • How Machine Learning Techniques Helped Us Find Massive Certificate Abuse by BrowseFox

Popular Posts

  • Malicious Edge and Chrome Extension Used to Deliver Backdoor
  • Confucius Update: New Tools and Techniques, Further Connections with Patchwork
  • GPON Vulnerabilities Exploited for Mexico-based Mirai-like Scanning Activities
  • Legitimate Application AnyDesk Bundled with New Ransomware Variant
  • Malicious Traffic in Port 7001 Surges as Cryptominers Target Patched 2017 Oracle WebLogic Vulnerability

Stay Updated

  • Home and Home Office
  • |
  • For Business
  • |
  • Security Intelligence
  • |
  • About Trend Micro
  • Asia Pacific Region (APAC): Australia / New Zealand, 中国, 日本, 대한민국, 台灣
  • Latin America Region (LAR): Brasil, México
  • North America Region (NABU): United States, Canada
  • Europe, Middle East, & Africa Region (EMEA): France, Deutschland / Österreich / Schweiz, Italia, Россия, España, United Kingdom / Ireland
  • Privacy Statement
  • Legal Policies
  • Copyright © Trend Micro Incorporated. All rights reserved.