search
    search
      2 Aug, 2017

      Malspam activity was noted on August 1st 2017 delivering an Xtreme RAT variant. Xtreme RAT is a publicly available remote access tool that has been around for few years and has been used by threat actors in cybercrime as well as targeted attacks. In this threat advisory we will discuss its network and host behavior from the perspective of RSA NetWitness Packets and RSA NetWitness Endpoint.

      The delivery document documentos.doc looks to be targeting Spanish-speaking users. It uses social engineering to trick a victim into running the malicious embedded macro:

      xtremerat-word.jpg

      Submitting the delivery document to RSA pre-release What's This File service shows a maximum threat score:

      xtremerat-wtf-1.png

      What's This File service shows embedded VBA code to download an executable from a delivery domain and to save it to a local file on the system:

      xtremerat-wtf-2.png

      Here is a screenshot of the download session from NetWitness Packets:

      xtremerat-nw-session.png

      xtremerat-nw-files.png

      VirusTotal scan results suggest it is an Xtreme RAT variant. Here is the analysis report from hybrid-analysis.com.

      NetWitness Packets tagged the download session with the following meta values:

      xtremerat-nw-navigate.png

      NetWitness Endpoint scan data of an infected host is below:

      xtremerat-ecat-scandata.png

      WINWORD.exe creates a new process wtphjgf.exe using the downloaded PE file. The new process copies itself to new locations on the infected system, modifies the registry to gain persistency then starts svchost.exe and injects code in it. The following screenshots from NetWitness Endpoint show the host behavior as well as the module IIOC's for wtphjgf.exe:

      xtremerat-ecat-paths.png

      xtremerat-ecat-autoruns.png

      xtremerat-ecat-iioc-tracking.png

      NetWitness Endpoint also shows a suspicious network connection initiated by the newly created svchost.exe to a dynamic DNS domain:

      xtremerat-ecat-network.png

      The network activity is captured by NetWitness Packets:

      xtremerat-nw-session-cnc.png

      NetWitness Packets tagged the outbound HTTP sessions with the following meta values indicating highly suspicious traffic:

      xtremerat-nw-navigate-cnc.png

      Xtreme RAT delivery document (SHA256):

      • e925f362b8f17c6252d6b4c8c7e4a47d41b01b589ab9f30649123ae626086668

      Xtreme RAT variant (SHA256):

      • ef551697664f508d9705e108710e6421abb00bf5c5fe658a68dcf05c68ed3ecf

      All the IOC from those HTTP sessions were added to FirstWatch Command and Control feed on Live with the following meta:

      • For download domain:

        threat.source = 'rsa-firstwatch'
        threat.category = 'malspam'
        threat.description = 'delivery-domain'

      • For Command and Control domain:

        threat.source = 'rsa-firstwatch'
        threat.category = 'cnc'
        threat.description = 'c2-domain'

      Further reading:
      Topic:
      0 Comment
        CATEGORIES
        RECENT POST
        Amazon Cloudwatch Event Source Log Configuration Guide
        3 Dec, 2025
        F5 Source Code Breach: Hunting UNC5221's BRICKSTORM with NetWitness
        31 Oct, 2025
        MSAzureGraph Universal Plugin for Microsoft Graph API
        17 Oct, 2025