{"id":6989,"date":"2021-09-22T14:00:05","date_gmt":"2021-09-22T21:00:05","guid":{"rendered":"https:\/\/blogs.infoblox.com\/?p=6989"},"modified":"2024-08-07T12:19:08","modified_gmt":"2024-08-07T19:19:08","slug":"xpertrat-returns","status":"publish","type":"post","link":"https:\/\/www.infoblox.com\/blog\/threat-intelligence\/cyber-campaign-briefs\/xpertrat-returns\/","title":{"rendered":"XpertRAT Returns"},"content":{"rendered":"

Author: Shashank Jain<\/strong><\/h3>\n

 <\/p>\n

1. Overview<\/h3>\n

From 9 to 16 September, Infoblox observed a malicious spam (malspam) campaign whose actors were impersonating an employee of the Dubai-based engineering and construction company Arar Infra Contracting LLC. The body of the malspam email attempted to lure its targets into opening an attached file with XpertRAT: a remote access trojan that has been around since 2011.<\/p>\n

XpertRAT consists of a core component and multiple modules, all written in Delphi. Its remote access capability makes it popular among many cybercriminals. It is usually propagated via spam emails, but pirated media and fraudulent updates have also been used to propagate it.1<\/sup><\/p>\n

2. Customer impact<\/h3>\n

Upon infecting a machine and establishing remote access, XpertRAT can steal credentials and system information, including operating system versions and running processes, and communicate with command and control (C&C) servers to exfiltrate data, download additional malware components, and execute arbitrary commands.<\/p>\n

3. Campaign analysis<\/h3>\n

The campaign continuously sent spam for almost an hour, and all emails contained the same urgently themed message and subject lines that looked like inquiries about construction equipment, projects, and product names. The sender domain was spoofed; the emails appeared to be coming from an employee of Arar Infra Contracting LLC. The attachment\u2019s name consisted of PO or Specification followed by a date or a random string.<\/p>\n

4. Attack chain<\/h3>\n

The email attachment consists of an unsigned RTF (Rich Text Format) file with malicious VBA code. When the file is opened, the VBA code executes a PowerShell script to download the first payload from a malicious domain with a name that mimics ESET NOD32, a legitimate security product.<\/p>\n

The first payload is a downloader, and it downloads a portable executable file, EXCEL.exe. The executable checks for an internet connection by pinging google.com, starts Internet Explorer, connects to a C&C server, and downloads a second payload, EXCEL.exe, which is the XpertRAT executable. XpertRAT then uses NirSoft utilities to collect credentials and read personal data from the browser.<\/p>\n

5. Vulnerabilities and mitigation<\/h3>\n

XpertRAT is equipped with functions that make it a prolific stealer of credentials and other information. Infoblox recommends the following methods for detecting, preventing, and mitigating XpertRAT attacks:<\/p>\n