Cybercriminals Send Xtreme RAT to US, UK and Other Government Employees

Turkey, Macedonia, New Zealand, Latvia and Slovenia are also targeted

By on November 16th, 2012 21:51 GMT

A few days ago, experts from security firm Norman ASA revealed the existence of a cybercriminal campaign that targeted government agencies from Israel and Palestine. As it turns out, similar attacks have been launched against other governments as well.

According to researchers from Trend Micro, the same Xtreme RAT has been spotted in emails sent to the employees of government agencies from the United States, United Kingdom, Turkey, Macedonia, Slovenia, New Zealand, and Latvia.

Apparently, even the BBC and the Office of the Quartet Representative have been targeted.

Although the government of Israel appears to be the main target, malicious emails containing the RAT have also been sent to fco.gov.uk, mfa.gov.tr, gov.si, bbc.co.uk, senate.gov, usaid.gov and state.gov addresses.

The emails are designed to trick users into opening an executable file that looks like an innocent document. To avoid raising any suspicion, a real document is opened when the file is executed.

Experts have managed to track down some of the alleged creators of these documents on hacking forums where they’re trying to exchange services with others.

Interestingly, the cybercriminals are attempting to sign the malware with an invalid certificate to make it look like it’s a legitimate application.

One noteworthy fact is that it’s uncertain if the recipients of these emails have actually opened the attachments and infected their computers. However, it is certain that staff members of the aforementioned organizations have received the fake messages.

“These new attacks are significant because they show an expanded target set on the part of the attackers as well as their involvement in hacker forums. In addition, it demonstrates that off-the-shelf malware can be an effective when conducting targeted attacks,” Nart Villeneuve of Trend Micro explains.

Villeneuve notes that the campaign will likely continue, but it’s still uncertain what drives these malicious actors, considering that their targets are spread all over the world.

Comments

Decoy document used to spread Xtreme RAT
   Decoy document used to spread Xtreme RAT