This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
NetWitness Community Blog
Subscribe to the official NetWitness Community blog for information about new product features, industry insights, best practices, and more.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Malspam delivers Xtreme RAT 8-1-2017

AhmedSonbol1
Employee
Employee
‎2017-08-02 12:41 PM

Malspam activity was noted on August 1st 2017 delivering an Xtreme RAT variant. Xtreme RAT is a publicly available remote access tool that has been around for few years and has been used by threat actors in cybercrime as well as targeted attacks. In this threat advisory we will discuss its network and host behavior from the perspective of RSA NetWitness Packets and RSA NetWitness Endpoint.

 

The delivery document documentos.doc looks to be targeting Spanish-speaking users. It uses social engineering to trick a victim into running the malicious embedded macro:

 

xtremerat-word.jpg

 

Submitting the delivery document to RSA pre-release What's This File service shows a maximum threat score:

 

xtremerat-wtf-1.png

 

What's This File service shows embedded VBA code to download an executable from a delivery domain and to save it to a local file on the system:

 

xtremerat-wtf-2.png

 

Here is a screenshot of the download session from NetWitness Packets:

 

xtremerat-nw-session.png

 

xtremerat-nw-files.png

 

VirusTotal scan results suggest it is an Xtreme RAT variant. Here is the analysis report from hybrid-analysis.com.

 

NetWitness Packets tagged the download session with the following meta values:

 

xtremerat-nw-navigate.png

 

NetWitness Endpoint scan data of an infected host is below:

 

xtremerat-ecat-scandata.png

 

WINWORD.exe creates a new process wtphjgf.exe using the downloaded PE file. The new process copies itself to new locations on the infected system, modifies the registry to gain persistency then starts svchost.exe and injects code in it. The following screenshots from NetWitness Endpoint show the host behavior as well as the module IIOC's for wtphjgf.exe:

 

xtremerat-ecat-paths.png

 

xtremerat-ecat-autoruns.png

 

xtremerat-ecat-iioc-tracking.png

 

NetWitness Endpoint also shows a suspicious network connection initiated by the newly created svchost.exe to a dynamic DNS domain:

 

xtremerat-ecat-network.png

 

The network activity is captured by NetWitness Packets:

 

xtremerat-nw-session-cnc.png

NetWitness Packets tagged the outbound HTTP sessions with the following meta values indicating highly suspicious traffic:

 

xtremerat-nw-navigate-cnc.png

 

Xtreme RAT delivery document (SHA256):

  • e925f362b8f17c6252d6b4c8c7e4a47d41b01b589ab9f30649123ae626086668

Xtreme RAT variant (SHA256):

  • ef551697664f508d9705e108710e6421abb00bf5c5fe658a68dcf05c68ed3ecf

 

All the IOC from those HTTP sessions were added to FirstWatch Command and Control feed on Live with the following meta:

  • For download domain:

    threat.source = 'rsa-firstwatch'
    threat.category = 'malspam'
    threat.description = 'delivery-domain'

  • For Command and Control domain:

    threat.source = 'rsa-firstwatch'
    threat.category = 'cnc'
    threat.description = 'c2-domain'

 

Further reading:

© 2022 RSA Security LLC or its affiliates. All rights reserved.