Endpoint Protection

Colombians major target of email campaigns delivering Xtreme RAT 

12-03-2015 08:59 AM

Header-image13.jpg

Throughout 2015, Symantec.cloud has been detecting a stream of emails that have the Xtreme remote access Trojan (RAT), which we detect as W32.Extrat, as an attachment. These emails are mainly sent to Colombians who may work in the accounting or finance departments of various-sized organizations. The people behind the attacks are likely attempting to gain access to computers where banking transactions are performed, in order to steal banking credentials.

By examining the global detections from Symantec endpoint products for the past two months, we can confirm that W32.Extrat infections are more prevalent in Colombia than in any other region.

figure1_piechart.png
Figure 1. Top five regions reporting W32.Extrat infections

We combined email data from Symantec.cloud with telemetry from Symantec endpoint products to cluster together attack activity. Through our analysis, we identified what appear to be distinct sets of attackers. Over 2015, at least four main groups have been sending emails with W32.Extrat attachments in order to compromise Colombia-based targets. We also found that there are other smaller groups actively distributing this threat in emails. Similar uses of W32.Extrat have been documented in the past.

Symantec calls the four attack teams Caramel, Cuent, Maga, and Molotos. During our research, we grouped clusters of activity according to the attackers’ command-and-control (C&C) domains. It is possible that some of these clusters are actually related to each other.

figure2_attackactivity_0.png
Figure 2. Number of computers infected with W32.Extrat per attack group for one month

The attack groups generally use similar email subjects in their W32.Extrat campaigns.

Subject Group
NOTIFICACION FOTO COMPARENDO Caramel
FORMATO CORRECTO TERCERA CITACION AUDIENCIA PUBLICA Caramel
CITACION AUDIENCIA PUBLICA DENUNCIA CIVIL Caramel
Detalles Informacion Cuent
Informacion Detallada Cuent
Demanda Asignada Cuent
Estado de cuenta Cuent
Juzgado Citacion Cuent
Cobro Juridico Cuent
Citacion Juzgado Cuent
Quiero que todos vean este archivo Cuent
Quiero que vean este archivo Cuent
Carta De Cobro Cuent
Recibos En Mora Cuent
Proceso En Mora Cuent
Estado De Cuenta Maga
Soporte de Consignacion Maga
COBRO JURIDICO Maga
Cuenta de Cobro Maga
Vinculados Por Corrupcion Maga
NIT SUSPENDIDO Molotos
Soporte de Consignacion Molotos
Suspencion de la Inscripcion en el Registro Unico Tributario Molotos
Invitacion a pagar de manera urgente sus Obligaciones Molotos

Table 1. W32.Extrat email subjects per attack group

The email subjects usually have a legal connotation or are related to payments and tax. The contents of the messages continue with these themes and appear as legitimate emails. One example email was sent from what appeared to be a compromised email account and its subject matter was relevant to the recipient organization’s industry.

email.jpg
Figure 3. An example of a malicious email with a W32.Extrat attachment, which was sent from a compromised account

It is likely that the various attackers are based in Colombia, as they consistently use Colombian IP addresses for command and control. All of the attackers use dynamic DNS domains for their C&C infrastructure. These dynamic DNS domains resolve to IP addresses that are assigned to internet service providers (ISPs), not hosting facilities.

The lifespan of the IP addresses reflect these findings. The majority of the attackers’ domains change to a new IP address in 24-hour periods, with some lasting from three to four days.

Some example hashes and domains for each group are listed in the following table.

MD5 C&C domain Group
084299bef9f83f42b9281c9c6155a4f3 auxilio.duckdns.org Maga
8fef5053d9d96637ccc26c452aaf73dc magalyamaya.mooo.com Maga
516186e260d8cba116a470efcf84cf34 caramelochpetinnew2.ddns.net Caramel
00adadf595c062ebaaa05a1c23a1c13a cuentadns.mooo.com Cuent
0f0d4493705264ddcc337f22abe50266 yiyik13.no-ip.biz Cuent
629725ca22c9b2bcfb086d4593214e01 molotos4.no-ip.biz Molotos

Table 2. MD5 hashes of samples and domains per group

Mitigation
Attacks targeting the financial departments of businesses are a regular occurrence. The approaches that the attackers take include emails with malicious attachments, phishing attacks claiming to be from senior management, and social engineering involving phone calls. Employees should take the following precautions to prevent these campaigns from succeeding:

  • Do not open attachments or click on links in suspicious email messages
  • Avoid providing any personal information when answering an email
  • Never enter personal information in a pop-up web page
  • Keep security software up to date
  • If you’re uncertain about an email’s legitimacy, contact your internal IT department or submit the email to Symantec Security Response through this portal.

Protection
A full protection stack helps to defend against these attacks, including Symantec.cloud email blocking, web gateway security, and endpoint security.
Symantec and Norton products detect the payload of these attacks through the following detections:

AV

IPS

Statistics
0 Favorited
0 Views
0 Files
0 Shares
0 Downloads

Tags and Keywords

Related Entries and Links

No Related Resource entered.