XtremeRAT was found targeting Israeli government organizations through emails purporting to come from IDF Chief of Staff Benny Gantz. The emails, of course, carried a malicious attachment that infected machines with a surveillance bot, which stole files and sent them back to the Command & Control (C&C) infrastructure. Most recently, it forced a shutdown of the Israeli police network.
Researchers at Norman tracked down the trojan and were able to identify the C&C, which is centered around a few dynamic DNS domains that point to hosting services in the US. Following the fake digital certificates that XtremeRAT used, Norman found several other trojans similarly signed, then many more connecting to the same C&C as the first batch. This was the first clue that the threat is much more widespread than originally thought – but still confined to Israeli targets.
“Many of these contained bait documents and video to attract attention (and clicks),” explained Norman researcher Snorre Fagerland, in a blog. “These baits are in English or Hebrew and touch on issues interesting for an Israeli audience.”
But then the analysis revealed the ground had shifted over time. The next batch of files that Norman found were older and were aimed at different targets, but still connected to the same C&C servers. These bait documents are in Arabic and apparently aimed at a Palestinian audience.
“They revolve around issues such as the Palestinian government policies and the Israeli hostage Gilad Shalit and his exchange for Palestinian prisoners,” Fagerland wrote. “The video is interesting. It appears to be lambasting the Palestinian president Mahmoud Abbas for not working for the interests of the Palestinian people.”
These samples belong to an older series going back to October 2011, the firm found. And, while they use more or less the same C&C infrastructure as the current Israeli-focused XtremeRAT, at the time the C&C host names resolved to IP addresses in Gaza. The compromised hosts are both Paltel divisions: Occupied Gaza Palestine Telecommunications Company and Occupied Gaza Hadara Technologies Private Shareholding Co.
“Obviously, an espionage operation using mostly XtremeRats has been underway for at least a year,” wrote Fagerland. “It is interesting that the operation apparently shifted over time from Palestinian targets to Israeli targets.”
When it comes to the all-important question of whether the attacks are state-sponsored, the work of hacktivists or just a group of people with too much time on their hands, uncovering the culprits behind the plot unfortunately won’t be easy. Most of the bait attachments are Word documents, Norman found, and Word documents can carry metadata, typically the usernames of the creator and of the person who last saved the document.
Analyzing this, Norman found that there seems to be a number of people involved in creating the bait files. The dates also roughly coincide with the apparent shift in IP ranges, from first being located in Gaza, to being located internationally.
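The attribution step described above, pulling the creator and last-saved-by usernames and the timestamps out of Word files and grouping samples by them, can be reproduced with nothing more than the zip and XML handling in the Python standard library. The block below is an added example, not code from Norman or from the report; the sample names, usernames and dates are constructed fixtures built in memory so it runs offline, and they stand in for, rather than reproduce, the real bait documents.

```python
import io
import zipfile
import xml.etree.ElementTree as ET
from collections import defaultdict

# Namespaces used in docProps/core.xml (Open Packaging Conventions core properties).
NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "dcterms": "http://purl.org/dc/terms/",
}

CORE_XML_TEMPLATE = """<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<cp:coreProperties xmlns:cp="{cp}" xmlns:dc="{dc}" xmlns:dcterms="{dcterms}"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <dc:creator>{creator}</dc:creator>
  <cp:lastModifiedBy>{last_modified_by}</cp:lastModifiedBy>
  <dcterms:created xsi:type="dcterms:W3CDTF">{created}</dcterms:created>
  <dcterms:modified xsi:type="dcterms:W3CDTF">{modified}</dcterms:modified>
</cp:coreProperties>
"""


def make_docx(creator, last_modified_by, created, modified, include_core=True):
    """Build a minimal .docx-shaped zip in memory (constructed fixture, not a real document)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")  # placeholder part; not parsed below
        if include_core:
            zf.writestr("docProps/core.xml", CORE_XML_TEMPLATE.format(
                creator=creator, last_modified_by=last_modified_by,
                created=created, modified=modified, **NS))
    return buf.getvalue()


def extract_core_metadata(docx_bytes):
    """Return creator / last-saved-by / timestamps from docProps/core.xml, or None if the part is absent."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        if "docProps/core.xml" not in zf.namelist():
            return None  # metadata stripped or never written; nothing to attribute
        root = ET.fromstring(zf.read("docProps/core.xml"))

    def text(path):
        el = root.find(path, NS)
        return el.text if el is not None else None

    return {
        "creator": text("dc:creator"),
        "last_modified_by": text("cp:lastModifiedBy"),
        "created": text("dcterms:created"),
        "modified": text("dcterms:modified"),
    }


def cluster_by_author(samples):
    """Group sample names by every username seen in their metadata: {username: [sample, ...]}."""
    clusters = defaultdict(list)
    for name, data in samples.items():
        meta = extract_core_metadata(data)
        if meta is None:
            clusters["<no core.xml>"].append(name)
            continue
        # A file whose creator and last editor differ links two usernames to one sample.
        for user in {meta["creator"], meta["last_modified_by"]} - {None, ""}:
            clusters[user].append(name)
    return {user: sorted(names) for user, names in clusters.items()}


def timeline(samples):
    """Sorted (created timestamp, sample name) pairs, to line up document dates with C&C changes."""
    rows = []
    for name, data in samples.items():
        meta = extract_core_metadata(data)
        if meta and meta["created"]:
            rows.append((meta["created"], name))
    return sorted(rows)


# Constructed sample set: usernames, file names and dates are hypothetical.
SAMPLES = {
    "bait_2011-10_ar.docx": make_docx("user_a", "user_a", "2011-10-05T09:12:00Z", "2011-10-05T09:40:00Z"),
    "bait_2012-03_ar.docx": make_docx("user_a", "user_b", "2012-03-14T11:02:00Z", "2012-03-15T08:30:00Z"),
    "bait_2012-10_he.docx": make_docx("user_c", "user_c", "2012-10-31T07:45:00Z", "2012-10-31T07:58:00Z"),
    "stripped.docx": make_docx("", "", "", "", include_core=False),
}

if __name__ == "__main__":
    for user, names in cluster_by_author(SAMPLES).items():
        print(f"{user}: {', '.join(names)}")
    for created, name in timeline(SAMPLES):
        print(f"{created}  {name}")
```

Two caveats matter when reading such output: the usernames are whatever the authoring machine reported and are trivially editable, so they are a lead to corroborate against other evidence (timestamps, C&C resolution history, certificate reuse) rather than an identification on their own; and a document with no `docProps/core.xml` at all, or with the fields blanked, tells you only that the metadata is absent, which is why the clustering keeps those samples in a separate bucket instead of dropping them.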
“We have the impression that a cybersurveillance operation is underway (and is probably still ongoing – most recent sample created Oct. 31) which was first mainly focused on Palestinian targets, then shifted towards Israel,” Fagerland said in the report. He reiterated, “The reason for the shift is unknown. Maybe it was planned all along; or caused by changes in the political climate; or maybe the first half of the operation found data that caused the target change.”