XTRAT
Windows 2000, Windows Server 2003, Windows XP (32-bit, 64-bit), Windows Vista (32-bit, 64-bit), Windows 7 (32-bit, 64-bit)
Threat Type: Backdoor
Destructiveness: No
Encrypted:
In the wild: Yes
OVERVIEW
XTRAT (commonly known as Xtreme RAT) is a Remote Access Trojan that can steal information. This RAT was used in attacks targeting the Israeli and Syrian governments in 2012.
This family of backdoors can receive commands from a remote attacker, including File Management (Download, Upload, and Execute Files), Registry Management (Add, Delete, Query, and Modify Registry), Perform Shell Command, Computer Control (Shutdown, Log on/off), and Screen Capture. In addition, it can log keystrokes on the infected system.
TECHNICAL DETAILS
Installation
This backdoor drops and executes the following files:
- %Application Data%\Microsoft\Windows\ZUMCD76a.cfg
- %Application Data%\Microsoft\Windows\ZUMCD76a.dat
- %Application Data%\Microsoft\Windows\fdgdfgdfg.dat
- %Application Data%\Microsoft\Windows\--((Mutex))--.dat
- %Application Data%\Microsoft\Crypto\RSA\S-1-5-21-1614895754-436374069-682003330-1003\c0528c2346cb928a9052304ef3ab8fd4_411f3a52-26ed-4872-9a07-8c966acba234
(Note: %Application Data% is the current user's Application Data folder, which is usually C:\Documents and Settings\{user name}\Application Data on Windows 2000, XP, and Server 2003, or C:\Users\{user name}\AppData\Roaming on Windows Vista and 7.)
It drops the following copies of itself into the affected system:
- %System%\System\System.exe
- %User Temp%\ie4uinit.exe
(Note: %System% is the Windows system folder, which is usually C:\Windows\System32. %User Temp% is the current user's Temp folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000, XP, and Server 2003, or C:\Users\{user name}\AppData\Local\Temp on Windows Vista and 7.)
It creates the following folders:
- %System%\System
(Note: %System% is the Windows system folder, which is usually C:\Windows\System32.)
It injects itself into the following processes as part of its memory residency routine:
- IEXPLORE.exe
- svchost.exe
Autostart Technique
This backdoor adds the following registry entries to enable its automatic execution at every system startup:
HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Run
HKCU = "%System%\System\System.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Run
HKLM = "%System%\System\System.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Active Setup\Installed Components\{GUID}
StubPath = "%System%\System\System.exe restart"
Other System Modifications
This backdoor adds the following registry keys:
HKEY_CURRENT_USER\Software\ZUMCD76a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Active Setup\Installed Components\{GUID}
HKEY_CLASSES_ROOT\rr1081767346z.ypa
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
rr1081767346z.ypa
It adds the following registry entries:
HKEY_CURRENT_USER\Software\ZUMCD76a
ServerStarted = "{Date and time of execution}"
HKEY_CURRENT_USER\Software\ZUMCD76a
InstalledServer = "%System%\System\System.exe"
HKEY_CURRENT_USER\Software\XtremeRAT
Mutex = "fdgdfgdfg"
HKEY_CURRENT_USER\Software\fdgdfgdfg
ServerStarted = "{Date and Time}"
HKEY_CURRENT_USER\Software\XtremeRAT
Mutex = "--((Mutex))--"
HKEY_CURRENT_USER\Software\--((Mutex))--
ServerStarted = "{Date and Time}"
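A host-triage check for the dropped files, autostart entries, configuration keys and mutex listed above, written as an added example (it is not part of this entry). It assumes the %System%, %Application Data% and %User Temp% mappings given in the notes and that it runs in the affected user's context; the mutex name is the single value this entry records and varies per build.

```powershell
# Added triage script for the XTRAT indicators on this page (not the entry's own code).
# Assumes the folder mappings from the notes above and the affected user's context.
$findings = @()

# 1. Dropped files and copies of the backdoor (paths from the Installation section)
$appData = [Environment]::GetFolderPath('ApplicationData')   # %Application Data%
$system  = [Environment]::GetFolderPath('System')            # %System%
$userTmp = [IO.Path]::GetTempPath()                          # %User Temp%
$paths = @(
    (Join-Path $appData 'Microsoft\Windows\ZUMCD76a.cfg'),
    (Join-Path $appData 'Microsoft\Windows\ZUMCD76a.dat'),
    (Join-Path $appData 'Microsoft\Windows\fdgdfgdfg.dat'),
    (Join-Path $system  'System\System.exe'),
    (Join-Path $userTmp 'ie4uinit.exe')
)
foreach ($p in $paths) {
    if (Test-Path -LiteralPath $p) { $findings += "File present: $p" }
}

# 2. Run values pointing at %System%\System\System.exe, and the Active Setup StubPath
$runKeys = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
foreach ($k in $runKeys) {
    $props = Get-ItemProperty -Path $k -ErrorAction SilentlyContinue
    if ($props) {
        $props.PSObject.Properties |
            Where-Object { $_.Value -is [string] -and $_.Value -like '*\System\System.exe*' } |
            ForEach-Object { $findings += "Run value '$($_.Name)' in $k -> $($_.Value)" }
    }
}
Get-ChildItem 'HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components' -ErrorAction SilentlyContinue |
    ForEach-Object {
        $stub = (Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue).StubPath
        if ($stub -like '*\System\System.exe restart*') { $findings += "Active Setup StubPath: $stub" }
    }

# 3. Configuration keys the backdoor writes (marker key plus the per-build keys seen here)
foreach ($k in 'HKCU:\Software\XtremeRAT', 'HKCU:\Software\ZUMCD76a', 'HKCU:\Software\fdgdfgdfg') {
    if (Test-Path $k) { $findings += "Registry key present: $k" }
}

# 4. Mutex: only present while the backdoor is running; the name is build-specific
try {
    $m = [System.Threading.Mutex]::OpenExisting('fdgdfgdfg'); $m.Dispose()
    $findings += 'Mutex "fdgdfgdfg" is held by a running process'
} catch { }   # not present (or not accessible): nothing to report

if ($findings) { $findings | ForEach-Object { Write-Warning $_ } }
else { Write-Output 'No XTRAT indicators from this entry were found' }
```

Run the HKLM and %System% checks from an elevated prompt; the HKCU and %Application Data% checks must run as the user whose profile is being examined.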
Other Details
This backdoor connects to the following possibly malicious URLs:
- http://{BLOCKED}i1992.zapto.org:82/1234567890.functions
- http://{BLOCKED}g.myftp.org:1500/1411.functions
- http://good.{BLOCKED}o.org:50002/1411.functions
- http://{BLOCKED}a.mine.nu:50002/1411.functions