Tool Talk: Cracking the Code on XtremeRAT


Late last week, reports began to surface that the Israeli police (along with other regional law enforcement) had been targeted by a malware attack. The entry vector was described as a phishing campaign whose FROM: address was forged to appear to come from Benny Gantz (head of the Israeli Defense Forces). Initially, details and indicators around the malware were beyond sparse: aside from the FROM: address, little was known that could assist in any sort of investigation. Nearly 24 hours after the first reports, both details and samples of the malware started to flow. As soon as we could confirm details of the phish email and the malicious attachments, we were able to cross-reference sample data already in our malware database and connect the dots.

Generic Dropper.p (XtremeRAT, also known as Xtrat)

This is where, from the research side, things begin to get fun.

Automated malware analysis is nothing new to our industry. Most vendors (ourselves included) have tools to handle this internally and to assist our skilled human analysts with proper classification, documentation, and the other recurring tasks that must occur with the daily barrage of new and unique malicious binaries. ValidEdge, however, raises the bar. With it, we were able to generate enormous amounts of usable and actionable data from the execution of malware samples: feedback from basic static analysis as well as runtime data, all the usual system-modification data, full and complete network/communication data, and samples and memory dumps from second-level threats (dropped, created, and downloaded entities). And it is all done in a safe environment, with extremely robust reporting.

To fully illustrate, let’s focus on the Trojan that affected the Israeli police. In the McAfee universe, we detect this threat as Generic Dropper.p.

To start with, you simply submit your sample(s) to the ValidEdge appliance/host. The ways to do that vary depending on implementation. In my setup, it’s as simple as dropping the file, via FTP, on the appliance, then picking up the results set the same way (different directory on the FTP server). Easy and fast. I immediately had a set of results from my submission of the following sample:

Sample data

The result sets are organized as a specific directory structure.

Analysis report sample

With most tools, this is where the output ends. The exception here, in my experience, is that the appliance generates much more data to start taking action on, and organizes that information in a very friendly and workable way. Some basic examples follow:

Sample Data

Sample Data 2

Sample Data 3

Sample Data 4

From here we can get enough static data to build a picture of the malware and its behavior. We also have network data and full memory dumps and screenshots at our disposal should we need to dig further.

Memory dumps

PCAPs

All the secondary/dropped files are presented as well. As such, these can be easily analyzed in context.

Dropped files

The dropped files specific to this threat are detected via McAfee Global Threat Intelligence (GTI) as well as by the current DATs.

Example:

Name: word.exe
MD5: 2BFE41D7FDB6F4C1E38DB4A5C3EB1211
Detection: Artemis!2BFE41D7FDB6
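Once the dropped files are in hand, the first practical step is to turn them into indicators: hash each one, check it against hashes you already hold, and record the cloud detection name for it. The script below is an added example, not ValidEdge's or McAfee's own code. It assumes the dropped files from a results set have been copied into a plain directory (the real results-set layout is not reproduced), and it uses a constructed dictionary of known-bad MD5s as a stand-in for the malware database the post cross-references against. The detection-name format follows the post's own example, where MD5 2BFE41D7FDB6F4C1E38DB4A5C3EB1211 is detected as Artemis!2BFE41D7FDB6, i.e. "Artemis!" plus the first twelve hex digits of the MD5.

```python
"""Triage a sandbox run's dropped files into hash-based indicators.

Added example, not ValidEdge's or McAfee's code. Assumes the dropped files
have been copied into one flat directory and that KNOWN_BAD_MD5 stands in
for the malware database the post cross-references against.
"""
import csv
import hashlib
import io
import tempfile
from pathlib import Path

# Constructed stand-in for the malware database: MD5 -> note.
# The one entry is the word.exe hash the post lists.
KNOWN_BAD_MD5 = {
    "2bfe41d7fdb6f4c1e38db4a5c3eb1211": "word.exe dropped by Generic Dropper.p",
}


def file_hashes(path):
    """MD5/SHA-1/SHA-256 of a file, streamed so large dumps are not read into RAM."""
    md5, sha1, sha256 = hashlib.md5(), hashlib.sha1(), hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            md5.update(chunk)
            sha1.update(chunk)
            sha256.update(chunk)
    return {"md5": md5.hexdigest(), "sha1": sha1.hexdigest(), "sha256": sha256.hexdigest()}


def artemis_name(md5_hex):
    """Cloud (GTI) detection name in the form the post shows:
    'Artemis!' followed by the first twelve uppercase hex digits of the MD5."""
    return "Artemis!" + md5_hex[:12].upper()


def looks_like_pe(path):
    """Cheap executable check: Windows PE images start with the 'MZ' DOS stub."""
    with open(path, "rb") as f:
        return f.read(2) == b"MZ"


def triage_dropped_files(dropped_dir, known_bad=KNOWN_BAD_MD5):
    """One record per dropped file: name, size, hashes, Artemis-style name,
    whether it is a PE image, and whether its MD5 is already known bad."""
    records = []
    for p in sorted(Path(dropped_dir).iterdir()):
        if not p.is_file():
            continue
        h = file_hashes(p)
        records.append({
            "name": p.name,
            "size": p.stat().st_size,
            **h,
            "detection": artemis_name(h["md5"]),
            "is_pe": looks_like_pe(p),
            "known_bad": known_bad.get(h["md5"]),
        })
    return records


def records_to_csv(records):
    """IOC list as CSV text, ready to feed a blocklist or a hunt query."""
    fields = ["name", "size", "md5", "sha1", "sha256", "detection", "is_pe", "known_bad"]
    out = io.StringIO()
    w = csv.DictWriter(out, fieldnames=fields)
    w.writeheader()
    for r in records:
        w.writerow({k: r.get(k, "") for k in fields})
    return out.getvalue()


def demo():
    """Run the triage over a constructed directory of fake dropped files."""
    with tempfile.TemporaryDirectory() as d:
        # Constructed inputs: a 64-byte PE-looking stub and a plain text file.
        Path(d, "word.exe").write_bytes(b"MZ" + b"\x90" * 62)
        Path(d, "notes.txt").write_bytes(b"abc")
        recs = triage_dropped_files(d)
        print(records_to_csv(recs))
        return recs


if __name__ == "__main__":
    demo()
```

Point the script at a real dropped-files directory by calling triage_dropped_files on it instead of demo(); the CSV it emits carries the MD5, SHA-1 and SHA-256 so the same record can be matched against DAT-era MD5 lists and newer SHA-256-keyed feeds alike. The MZ check is deliberately cheap; it only separates executables from dropped documents and configuration files for prioritisation, not as a verdict.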

At this point you have plenty of information to understand what this threat is doing, how it communicates, and much more. Some would argue that deep malware analysis is an art form, but to embark on that sort of journey you need enough data to make constructive, creative, and accurate decisions. Tools like ValidEdge provide exactly that data.
