Detecting XtremeRAT variants using Security Analytics

Blog Post created by ahsonbol on Aug 26, 2015

XtremeRAT is a publicly available remote access tool that has been around for a few years now. It has been used by different malicious actors for targeted attacks as well as cybercrime operations. In this blog post, we will discuss how to detect the traffic between an infected host and the C2 server controlled by the attacker.

Once a host is infected, it sends an HTTP POST request to the C2 server as shown in the screenshot below:


There are some interesting artifacts in the session above. XtremeRAT embeds information about the infected host in its UA string. The information contains the hostname, the username, date of infection as well as the version of Windows.

Developing an app rule based on those UA string values is a bit tricky. Unless all the hostnames in your environment follow a certain pattern, you might miss some of the infected machines. Luckily, enough information is available to detect the beaconing activity. This screenshot from RSA Security Analytics shows the network traffic between a group of XtremeRAT infected machines and their C2 servers:


Other filenames that XtremeRAT variants are known to use:

  • is-enum-driver
  • is-enum-faf
  • is-enum-process

Given all the network artifacts mentioned above and assuming the appropriate meta keys are enabled, an analyst can develop an app rule on RSA Security Analytics to detect the malicious traffic. The following query can be used:

          action = 'put' && filename begins 'is-' && extension = '<none>'
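To show what the app rule above actually matches, here is an added Python example (not code from the original post or from RSA Security Analytics) that derives the same three meta values from HTTP requests and applies the rule to them. It assumes that the `action` meta value `put` corresponds to an HTTP POST, that `filename` is the last path component of the request URI and `extension` is the part after its final dot; the request lines and hostnames are constructed for illustration and are not real captures or indicators.

```python
from urllib.parse import urlsplit

# Constructed sample requests (method, URI): not real captures.
# The first two use filenames the post lists for XtremeRAT; the rest are benign lookalikes.
SAMPLE_REQUESTS = [
    ("POST", "http://c2.example.invalid/is-enum-process"),
    ("POST", "http://c2.example.invalid/is-enum-faf"),
    ("GET",  "http://www.example.invalid/index.html"),
    ("POST", "http://www.example.invalid/is-upload.php"),   # has an extension
    ("POST", "http://www.example.invalid/login"),           # no 'is-' prefix
    ("GET",  "http://www.example.invalid/is-enum-driver"),  # not a POST
]

# Filenames the post associates with XtremeRAT variants.
KNOWN_FILENAMES = {"is-enum-driver", "is-enum-faf", "is-enum-process"}


def extract_meta(method, url):
    """Derive the meta values the app rule keys on from one request.

    Assumption: POST maps to action 'put', everything else to 'get';
    filename is the last path segment, extension the text after its last dot.
    """
    path = urlsplit(url).path
    filename = path.rsplit("/", 1)[-1]
    extension = filename.rsplit(".", 1)[1] if "." in filename else None
    action = "put" if method.upper() == "POST" else "get"
    return {"action": action, "filename": filename, "extension": extension}


def matches_app_rule(meta):
    """Equivalent of: action = 'put' && filename begins 'is-' && extension = '<none>'."""
    return (
        meta["action"] == "put"
        and meta["filename"].startswith("is-")
        and meta["extension"] is None
    )


def scan(requests):
    """Return (filename, is_known_xtremerat_name) for every request the rule matches."""
    hits = []
    for method, url in requests:
        meta = extract_meta(method, url)
        if matches_app_rule(meta):
            hits.append((meta["filename"], meta["filename"] in KNOWN_FILENAMES))
    return hits


if __name__ == "__main__":
    for filename, known in scan(SAMPLE_REQUESTS):
        tag = "known XtremeRAT filename" if known else "matches rule, review manually"
        print(f"{filename}: {tag}")
```

The rule is deliberately broader than the three listed filenames, so a match that is not in `KNOWN_FILENAMES` is worth a look rather than an automatic verdict; the two conditions on extension and HTTP method are what keep ordinary uploads such as `is-upload.php` out of the results.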

Scan results for an XtremeRAT sample can be found here.