W32.Extrat: Syrian Conflict Used To Deliver Xtreme RAT

Contributor: Jeet Morparia
 

As conflict in Syria continues, email attacks against various organizations throughout the Middle East and Europe have also been identified.
 

Figure 1. Sample email used in this campaign from “Free Dom” (Freedom)
 

The targeted organizations are extensive, from individuals at a public university, to hotels, oil companies, and government agencies.

Recipients of these emails are presented with text in Arabic. The email (Figure 1) claims to be an important message from Sheikh Adnan al-Aroor, a figure in opposition to the current Syrian government. The email includes a .zip file attachment, which contains a .lnk (shortcut) file.

In the past, we have blogged about .lnk files being used in other attacks. This particular attack relies on social engineering.
 

Figure 2. Properties of .lnk file used in this campaign
 

The .lnk file (detected as Downloader) contains a reference to MSHTA.exe, the Microsoft HTML Application Host file. The target of the .lnk file is passed an argument that points to an HTML file hosted on a malicious website.

The HTML file contains a combination of Visual Basic scripting as well as an embedded executable. The script is responsible for dropping the 1.exe file onto the compromised computer and executing it. This file is an executable compiled with an AutoIt script.

Once this file is executed, it copies itself to a temporary folder on the computer as a svhost.exe file. It also creates the following files in a specified temporary folder:

  • Microsoft.vbs
  • once.txt
  • start.cmd
  • svhost.exe

Figure 3. Document file used as smoke screen
 

The threat then creates registry entries so that it executes every time Windows starts. It also drops an araor.doc file (Figure 3) in the %Temp% folder and opens it. This file contains text that ties into the original lure: a message from Sheikh Adnan al-Aroor. This is a smoke screen to give the campaign an air of legitimacy. In actuality, the user is now infected with Xtreme RAT, which Symantec detects as W32.Extrat.

Xtreme RAT is a Remote Administration Tool (RAT) that allows a remote user to monitor keystrokes and steal information from the compromised computer. In this particular sample, we observed outbound connectivity to tn5.linkpc.net on port 82.
 

Figure 4. Another smoke screen from a similar campaign
 

Presently there are other campaigns attempting to spread W32.Extrat, including one that was virtually the same—just using a different lure. In the preceding Figure 4, you can see the smoke screen document used in that particular campaign.

This is not the first time that we have seen malware used during a time of conflict in the Middle East and it will not likely be the last.