XtremeRAT is a type of RAT (Remote Access Trojan) that is more common than the common cold. It is prevalent to the degree that it is not uncommon to find at least one active RAT in a network on any given incident response engagement in Asia. The tool is readily available to anyone who wants to build on it, which makes it usable even by those who do not fully comprehend the consequences of their actions. It is, however, most common among advanced threat actors backed by a governing body.
XtremeRAT was developed by "xtremecoder" in 2010. It was written in Delphi, and its source code has been leaked online. XtremeRAT allows an attacker to:
- Interact with the victim via a remote shell
- Upload/download files
- Interact with the registry
- Manipulate running processes and services
- Capture images of the desktop
- Record from connected devices, such as a webcam or microphone
- Optionally log keystrokes and infect USB drives
It is based on a client-server model in which the roles have been reversed: the "server" is the malware that resides on the victim endpoint, and it connects out to the "client", which is the attacker's control panel.
Recently, we found many such XtremeRAT infections floating around in Pakistani cyberspace, especially in the Balochistan and Sindh provinces. The IPs 18.104.22.168, 22.214.171.124, 182.183.241.66, 126.96.36.199, and many more are infected with XtremeRAT, which is detectable on port 21. These IPs belong to the parent IP block 188.8.131.52/17, i.e., Mini-DSLAM Central, PTCL, Pakistan, with ASN AS45595. PTCL is the national telecommunication company and also has the largest network in Pakistan.
The aforementioned IPs are all based near Quetta city in Balochistan Province. The first IP, 184.108.40.206, is located in the very sensitive Dasht Tehsil of Kech, Balochistan. The rest are all located near the Khalid Military Base in Quetta city. It should be noted that Sajid Hussain, the editor-in-chief of the Balochistan Times, was found dead on the 1st of this month. He was a prominent journalist living as a refugee in Sweden, writing extensively about the forbidden stories of Balochistan. His death caused an uproar in the Baloch nationalist community.
Now, the question remains whether this is state-sponsored espionage against the Baloch. An investigation of the case is in progress.