Xtreme RAT cyberespionage campaign targeted U.S., U.K., other governments

The recent malware attack against the Israeli police also targeted government institutions in other countries, researchers say

By Lucian Constantin, IDG News Service |  Security

The hacker group that recently infected Israeli police computers with the Xtreme RAT malware has also targeted government institutions from the U.S., U.K. and other countries, according to researchers from antivirus vendor Trend Micro.

The attackers sent rogue messages with a .RAR attachment to email addresses within the targeted government agencies. The archive contained a malicious executable masquerading as a Word document that, when run, installed the Xtreme RAT malware and opened a decoy document with a news report about a Palestinian missile attack.

The attack came to light at the end of October when the Israeli police shut down its computer network in order to clean the malware from its systems. Like most remote access Trojan programs (RATs), Xtreme RAT gives attackers control over the infected machine and allows them to upload documents and other files back to their servers.

After analyzing malware samples used in the Israeli police attack, security researchers from Norway-based antivirus vendor Norman uncovered a series of older attacks from earlier this year and late 2011 that targeted organizations in Israel and the Palestinian territories. Their findings painted the picture of an year-long cyberespionage operation performed by the same group of attackers in the region.

However, according to new data uncovered by researchers from Trend Micro, the campaign's scope appears to be much larger.

"We discovered two emails sent from {BLOCKED}a.2011@gmail.com on Nov 11 and Nov 8 that primarily targeted the Government of Israel," Trend Micro senior threat researcher Nart Villeneuve, said in a blog post earlier this week. "One of the emails was sent to 294 email addresses."

"While the vast majority of the emails were sent to the Government of Israel at 'mfa.gov.il' [Israeli Ministry of Foreign Affairs], 'idf.gov.il' [Israel Defense Forces], and 'mod.gov.il' [Israeli Ministry of Defense], a significant amount were also sent to the U.S. Government at 'state.gov' [U.S. Department of State] email addresses," Villeneuve said. "Other U.S. government targets also included 'senate.gov' [U.S. Senate] and 'house.gov' [U.S. House of Representatives] email addresses. The email was also sent to 'usaid.gov' [U.S. Agency for International Development] email addresses."

Join us:
Facebook

Twitter

Pinterest

Tumblr

LinkedIn

Google+

Join us:
Facebook

Twitter

Pinterest

Tumblr

LinkedIn

Google+

Ask a Question