In the competitive business world, products have to keep performing and improving or the next best thing will come in and take over. The same is true for hackers.
It now appears that hackers who want to stay ahead of the game are dropping standard malware such as Zeus in favor of more advanced but harder-to-use remote access Trojans (RATs) such as Xtreme RAT, according to research by security firm FireEye.
“During our investigation we found that the majority of Xtreme RAT activity is associated with spam campaigns that typically distribute Zeus variants and other banking-focused malware,” said senior researcher at FireEye Nart Villeneuve in a blog post. “This seems odd, considering RATs require manual labor as opposed to automated banking Trojans.”
Based on these observations, Villeneuve offered some possible explanations:
1. Smokescreen: The operations may be part of a targeted attack that seeks to disguise itself and its possible targets by using spam services to launch the attacks.
2. Less traditional tools available: With more crimeware author arrests and/or disappearance of a number of banking Trojan developers, cybercriminals are resorting to using RATs to manually steal data, such as banking and credit card details.
3. Complicated defenses require more versatile tools: As many traditional banking and financial institutions have improved their security practices, perhaps attackers have had a much more difficult time developing automation in their Trojans to cover all variations of these defenses; as such, RATs provide more versatility and effectiveness, at the expense of scalability.
4. Casting a wider net: After compromising indiscriminate targets, attackers may dig deeper into specific targets of interest and/or sell off the access rights of the victims’ systems and their data to others.
Xtreme RAT has been available on a number of cyber black markets since June 2010. The RAT sees use for a variety of purposes, including interacting with the victim machine via a remote shell, uploading and downloading files, interacting with the registry and manipulating running processes and services.
There have also been recorded variants able to force infected machines to capture images of the desktop, and record from connected devices, such as webcams and microphones. Hackers can also customize Xtreme RAT to add new abilities, as its source code has leaked online.
Villeneuve said the attacks have in general been fairly basic spam-related attacks, and he has yet to see criminals use the RAT's increased powers for more advanced purposes.
“Xtreme RAT is now being used in some high-volume attacks. It is being distributed as a payload of traditional large-volume spam runs,” he said. “So far, Xtreme RAT has not been used as the payload of advanced exploits. Rather users are lured into installing the RAT through a variety of social engineering schemes.”
“Using telemetry from FireEye’s Dynamic Threat Intelligence (DTI) cloud, we examined 165 Xtreme RAT samples from attacks that primarily hit the energy, utilities, petroleum refining, financial services and high-tech sectors,” Villeneuve said.