Xtreme RAT cyberespionage campaign targeted U.S., U.K., other governments

The recent malware attack against the Israeli police also targeted government institutions in other countries, researchers say

The hacker group that recently infected Israeli police computers with the Xtreme RAT malware has also targeted government institutions from the U.S., U.K. and other countries, according to researchers from antivirus vendor Trend Micro.

The attackers sent rogue messages with a .RAR attachment to email addresses within the targeted government agencies. The archive contained a malicious executable masquerading as a Word document that, when run, installed the Xtreme RAT malware and opened a decoy document with a news report about a Palestinian missile attack.

The attack came to light at the end of October when the Israeli police shut down its computer network in order to clean the malware from its systems. Like most remote access Trojan programs (RATs), Xtreme RAT gives attackers control over the infected machine and allows them to upload documents and other files back to their servers.

After analyzing malware samples used in the Israeli police attack, security researchers from Norway-based antivirus vendor Norman uncovered a series of older attacks from earlier this year and late 2011 that targeted organizations in Israel and the Palestinian territories. Their findings painted the picture of an year-long cyberespionage operation performed by the same group of attackers in the region.

However, according to new data uncovered by researchers from Trend Micro, the campaign's scope appears to be much larger.

"We discovered two emails sent from {BLOCKED}a.2011@gmail.com on Nov 11 and Nov 8 that primarily targeted the Government of Israel," Trend Micro senior threat researcher Nart Villeneuve, said in a blog post earlier this week. "One of the emails was sent to 294 email addresses."

"While the vast majority of the emails were sent to the Government of Israel at 'mfa.gov.il' [Israeli Ministry of Foreign Affairs], 'idf.gov.il' [Israel Defense Forces], and 'mod.gov.il' [Israeli Ministry of Defense], a significant amount were also sent to the U.S. Government at 'state.gov' [U.S. Department of State] email addresses," Villeneuve said. "Other U.S. government targets also included 'senate.gov' [U.S. Senate] and 'house.gov' [U.S. House of Representatives] email addresses. The email was also sent to 'usaid.gov' [U.S. Agency for International Development] email addresses."

The list of targets also included 'fco.gov.uk' (British Foreign & Commonwealth Office) and 'mfa.gov.tr' (Turkish Ministry of Foreign Affairs) email addresses, as well as addresses from government institutions in Slovenia, Macedonia, New Zealand, and Latvia, the researcher said. Some non-governmental organizations like the BBC and the Office of the Quartet Representative, were also targeted.

The Trend Micro researchers used metadata from the decoy documents to track down some of their authors to an online forum. One of them used the alias "aert" to talk about various malware applications including DarkComet and Xtreme RAT or to exchange goods and services with other forum members, Villeneuve said.

However, the motivations of the attackers remain unclear. If, after the Norman report, one might have speculated that the attackers have a political agenda tied to Israel and the Palestinian territories, after Trend Micro's latest findings. it's harder to guess what drives them.

"Their motivations are quite unclear at this point after discovering this latest development of targeting other state organizations," said Ivan Macalintal, senior threat researcher and security evangelist at Trend Micro, Friday via email.

Trend Micro has not taken control of any command and control (C&C) servers used by the attackers in order to determine what data is being stolen from the infected computers, the researcher said, adding that there are no plans to do so at this time.

Security companies sometimes work with domain providers to point C&C domain names used by attackers to IP addresses under their control. This process is known as "sinkholing" and is used to determine how many computers were infected with a particular threat and what kind of information those computers are sending back to the control servers.

"We've contacted and are working with the CERTs [computer emergency response teams] for the particular states affected and we'll see if there was indeed any damage done," Macalintal said. "We are still actively monitoring the campaign as of now and will post updates accordingly."

Join the newsletter!

Error: Please check your email address.
Rocket to Success - Your 10 Tips for Smarter ERP System Selection

Tags trend microsecuritynormanspywaremalware

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Lucian Constantin

IDG News Service
Show Comments

Cool Tech

SanDisk MicroSDXC™ for Nintendo® Switch™

Learn more >

Breitling Superocean Heritage Chronographe 44

Learn more >

Toys for Boys

Family Friendly

Panasonic 4K UHD Blu-Ray Player and Full HD Recorder with Netflix - UBT1GL-K

Learn more >

Stocking Stuffer

Razer DeathAdder Expert Ergonomic Gaming Mouse

Learn more >

Christmas Gift Guide

Click for more ›

Most Popular Reviews

Latest Articles

Resources

PCW Evaluation Team

Walid Mikhael

Brother QL-820NWB Professional Label Printer

It’s easy to set up, it’s compact and quiet when printing and to top if off, the print quality is excellent. This is hands down the best printer I’ve used for printing labels.

Ben Ramsden

Sharp PN-40TC1 Huddle Board

Brainstorming, innovation, problem solving, and negotiation have all become much more productive and valuable if people can easily collaborate in real time with minimal friction.

Sarah Ieroianni

Brother QL-820NWB Professional Label Printer

The print quality also does not disappoint, it’s clear, bold, doesn’t smudge and the text is perfectly sized.

Ratchada Dunn

Sharp PN-40TC1 Huddle Board

The Huddle Board’s built in program; Sharp Touch Viewing software allows us to easily manipulate and edit our documents (jpegs and PDFs) all at the same time on the dashboard.

George Khoury

Sharp PN-40TC1 Huddle Board

The biggest perks for me would be that it comes with easy to use and comprehensive programs that make the collaboration process a whole lot more intuitive and organic

David Coyle

Brother PocketJet PJ-773 A4 Portable Thermal Printer

I rate the printer as a 5 out of 5 stars as it has been able to fit seamlessly into my busy and mobile lifestyle.

Featured Content

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?