Ahmed Sonbol

Malspam delivers Xtreme RAT 8-1-2017

Blog Post created by Ahmed Sonbol Employee on Aug 2, 2017

Malspam activity was noted on August 1st 2017 delivering an Xtreme RAT variant. Xtreme RAT is a publicly available remote access tool that has been around for few years and has been used by threat actors in cybercrime as well as targeted attacks. In this threat advisory we will discuss its network and host behavior from the perspective of RSA NetWitness Packets and RSA NetWitness Endpoint.


The delivery document documentos.doc looks to be targeting Spanish-speaking users. It uses social engineering to trick a victim into running the malicious embedded macro:



Submitting the delivery document to RSA pre-release What's This File service shows a maximum threat score:



What's This File service shows embedded VBA code to download an executable from a delivery domain and to save it to a local file on the system:



Here is a screenshot of the download session from NetWitness Packets:




VirusTotal scan results suggest it is an Xtreme RAT variant. Here is the analysis report from hybrid-analysis.com.


NetWitness Packets tagged the download session with the following meta values:



NetWitness Endpoint scan data of an infected host is below:



WINWORD.exe creates a new process wtphjgf.exe using the downloaded PE file. The new process copies itself to new locations on the infected system, modifies the registry to gain persistency then starts svchost.exe and injects code in it. The following screenshots from NetWitness Endpoint show the host behavior as well as the module IIOC's for wtphjgf.exe:





NetWitness Endpoint also shows a suspicious network connection initiated by the newly created svchost.exe to a dynamic DNS domain:



The network activity is captured by NetWitness Packets:


NetWitness Packets tagged the outbound HTTP sessions with the following meta values indicating highly suspicious traffic:



Xtreme RAT delivery document (SHA256):

  • e925f362b8f17c6252d6b4c8c7e4a47d41b01b589ab9f30649123ae626086668

Xtreme RAT variant (SHA256):

  • ef551697664f508d9705e108710e6421abb00bf5c5fe658a68dcf05c68ed3ecf


All the IOC from those HTTP sessions were added to FirstWatch Command and Control feed on Live with the following meta:

  • For download domain:

    threat.source = 'rsa-firstwatch'
    threat.category = 'malspam'
    threat.description = 'delivery-domain'

  • For Command and Control domain:

    threat.source = 'rsa-firstwatch'
    threat.category = 'cnc'
    threat.description = 'c2-domain'


Further reading: