XTRAT


 PLATFORM:

Windows 2000, Windows Server 2003, Windows XP (32-bit, 64-bit), Windows Vista (32-bit, 64-bit), Windows 7 (32-bit, 64-bit)

 OVERALL RISK RATING:
 DAMAGE POTENTIAL:
 DISTRIBUTION POTENTIAL:
 REPORTED INFECTION:

  • Threat Type: Backdoor

  • Destructiveness: No

  • Encrypted:

  • In the wild: Yes

  OVERVIEW

Infection Channel:

Downloaded from the Internet, Dropped by other malware


XTRAT, (which is commonly known as Xtreme Rat) is a Remote Access Trojan that can steal information. This RAT has been used in attacks targeting Israeli and Syrian governments last 2012.

This malware family of backdoors has the capability to receive commands such as File Management (Download, Upload, and Execute Files), Registry Management (Add, Delete, Query, and Modify Registry), Perform Shell Command, Computer Control (Shutdown, Log on/off), and Screen capture from a remote attacker. In addition, it can also log keystrokes of the infected systems.

  TECHNICAL DETAILS

Memory Resident:

Yes

Payload:

Compromises system security, Steals information

Installation

This backdoor drops and executes the following files:

  • %Application Data%\Microsoft\Windows\ZUMCD76a.cfg
  • %Application Data%\Microsoft\Windows\ZUMCD76a.dat
  • %Application Data%\Microsoft\Windows\fdgdfgdfg.dat
  • %Application Data%\Microsoft\Windows\--((Mutex))--.dat
  • %Application Data%\Microsoft\Crypto\RSA\S-1-5-21-1614895754-436374069-682003330-1003\c0528c2346cb928a9052304ef3ab8fd4_411f3a52-26ed-4872-9a07-8c966acba234

(Note: %Application Data% is the current user's Application Data folder, which is usually C:\Documents and Settings\{user name}\Application Data on Windows 2000, XP, and Server 2003, or C:\Users\{user name}\AppData\Roaming on Windows Vista and 7.)

It drops the following copies of itself into the affected system:

  • %System%\System\System.exe
  • %User Temp%\ie4uinit.exe

(Note: %System% is the Windows system folder, which is usually C:\Windows\System32.. %User Temp% is the current user's Temp folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000, XP, and Server 2003, or C:\Users\{user name}\AppData\Local\Temp on Windows Vista and 7.)

It creates the following folders:

  • %System%\System

(Note: %System% is the Windows system folder, which is usually C:\Windows\System32.)

It injects itself into the following processes as part of its memory residency routine:

  • IEXPLORE.exe
  • svchost.exe

Autostart Technique

This backdoor adds the following registry entries to enable its automatic execution at every system startup:

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Run
HKCU = "%System%\System\System.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Run
HKLM = "%System%\System\System.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Active Setup\Installed Components\{GUID}
StubPath = "%System%\System\System.exe restart"

Other System Modifications

This backdoor adds the following registry keys:

HKEY_CURRENT_USER\Software\ZUMCD76aHKEY_LOCAL_MACHINE\
SOFTWARE\Microsoft\Active Setup\
Installed Components\{GUID}

HKEY_CLASSES_ROOT\rr1081767346z.ypa

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
rr1081767346z.ypa

It adds the following registry entries:

HKEY_CURRENT_USER\Software\ZUMCD76a
ServerStarted = "{Date and time of execution}"

HKEY_CURRENT_USER\Software\ZUMCD76a
InstalledServer = "%System%\System\System.exe"

HKEY_CURRENT_USER\Software\XtremeRAT
Mutex = "fdgdfgdfg"

HKEY_CURRENT_USER\Software\fdgdfgdfg
ServerStarted = "{Date and Time}"

HKEY_CURRENT_USER\Software\XtremeRAT
Mutex = "--((Mutex))--"

HKEY_CURRENT_USER\Software\--((Mutex))--
ServerStarted = "{Date and Time}"

Other Details

This backdoor connects to the following possibly malicious URL:

  • http://{BLOCKED}i1992.zapto.org:82/1234567890.functions
  • http://{BLOCKED}g.myftp.org:1500/1411.functions
  • http://good.{BLOCKED}o.org:50002/1411.functions
  • http://{BLOCKED}a.mine.nu:50002/1411.functions