We recently documented an attack that leveraged the publicly available Xtreme RAT on targets in Israel and was widely reported in the media. Our friends at Norman were able to link the attack to a yearlong campaign against both Israeli and Palestinian targets. We have found that the attacks are still on-going. We have found that the attacks are still on-going and that the target set is broader than previously thought.
We discovered two emails sent from {BLOCKED}a.2011@gmail.com on Nov 11 and Nov 8 that primarily targeted the Government of Israel. One of the emails was sent to 294 email addresses. While the vast majority of the emails were sent to the Government of Israel at “mfa.gov.il”, “idf.gov.il,” and “mod.gov.il,” a significant amount were also sent to the U.S. Government at “state.gov” email addresses. Other U.S. government targets also included “senate.gov” and “house.gov” email addresses. The email was also sent to “usaid.gov” email addresses.
The target list also included the governments of the UK (fco.gov.uk), Turkey (mfa.gov.tr), Slovenia (gov.si), Macedonia, New Zealand, and Latvia. In addition, the BBC (bbc.co.uk) and the Office of the Quartet Representative (quartetrep.org) were also targeted.
It is important to note that while we discovered that these targets were sent this email, we have no information about how many received or potentially opened the malicious attachment.
The emails have an attached .RAR file that contained an executable attempting to disguise itself as a document.
Based on our investigation, the malware was signed with an invalid certificate. When executed, it opens a decoy document and installs Xtreme RAT on the targets’ systems. The malware also connects to the following URLs:
- {BLOCKED}t.cable-modem.org
- {BLOCKED}f.blogsite.org
The decoy document contains an article from DEBKA, a news website. However, the metadata for the document contains an interesting clue.
As documented by Norman, the documents contain metadata that indicated the creator of the document. Brian Krebs was able to track some of these aliases to postings in online forums.
We focused on “HinT” because three previously documented command and control servers that are part of this campaign, hint.{BLOCKED}o.org, hint1.{BLOCKED}o.org, and hint{BLOCKED}.com contain “hint”.
We found that the domain hint{BLOCKED}.org was used in a forum posting by the user “aert”, another previously documented alias. This user also posted about a variety of malware including DarkComet and Xtreme RAT.
Furthermore, “aert” posted about exchanging goods and services but ultimately earned a negative rating within this forum due to lack of trust.
These new attacks are significant because they show an expanded target set on the part of the attackers as well as their involvement in hacker forums. In addition, it demonstrates that off-the-shelf malware can be an effective when conducting targeted attacks.
This campaign it seems is far from over and whatever specific motivations the attackers may have, considering the various targets seen scattered in various states, is still a mystery. We are still monitoring and analyzing the situation as of this writing.
We’re currently in the process of notifying the relevant CERTs and/or potential targets.
Trend Micro protects users from this threat via its Smart Protection NetworkT that detects the malicious email message and files as BKDR_XTRAT.LTY, BKDR_XTRAT.B, and BKDR_XTRAT.JT.
Leave a reply
