By Domesticus in Malware

Threat Scorecard

Ranking: 2,856
Threat Level: 10 % (Normal)
Infected Computers: 1,189
First Seen: January 31, 2014
Last Seen: September 20, 2023
OS(es) Affected: Windows

XtremeRAT is a remote access Trojan that has been around for a year and a half and is used to attack targets in the Middle East, particularly government bodies in Syria and Israel. XtremeRAT is mainly used to steal data. Versions of XtremeRAT were found on numerous computers belonging to civil administration offices in Israel that deal with traffic into and out of the West Bank. It appears that spear-phishing email messages were used to reach specific people in this organization and cause the XtremeRAT infections. These messages used spoofed sender addresses that made them appear to come from Israel's main security administration. In fact, a close look at the email messages used to distribute XtremeRAT reveals that the Hebrew in them is not natural and that the text was probably pieced together from various other Hebrew sources. The messages show poor grammar, and it is clear that the person responsible for them is not a native Hebrew speaker.

Eliminating this RAT from Your Environment

XtremeRAT is distributed in a malicious PDF file that takes advantage of known vulnerabilities in the Windows operating system. In previous versions of this attack, XtremeRAT was distributed using a compromised DOC file or a Microsoft Word document that exploited a security vulnerability in that program. Once installed, XtremeRAT establishes a connection to a Command and Control server housed in the USA. Sending information through HTTP port 1863, XtremeRAT then sends the data stolen from the infected computer to the criminals controlling it. Using XtremeRAT, criminals can control the infected computer remotely and use it to spread XtremeRAT to additional computer systems and steal even more data.
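The infection chain described above (a spoofed spear-phishing message carrying a document lure, followed by an outbound connection to the C2 server on port 1863) can be hunted for by correlating mail-gateway and firewall logs. The following is an added example, not code from the original page; the log formats, the host-to-user asset map and every sample value are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed firewall log lines (not real traffic): one workstation opens
# repeated outbound sessions on port 1863 after a normal HTTPS connection.
FIREWALL_LOG = """\
2023-09-20T08:01:12Z src=10.0.5.23 dst=203.0.113.45 dport=443 proto=tcp action=allow
2023-09-20T08:01:40Z src=10.0.5.23 dst=203.0.113.45 dport=1863 proto=tcp action=allow
2023-09-20T08:02:03Z src=10.0.5.23 dst=203.0.113.45 dport=1863 proto=tcp action=allow
2023-09-20T08:05:15Z src=10.0.7.8 dst=198.51.100.9 dport=80 proto=tcp action=allow
"""

# Constructed mail-gateway log lines: envelope sender, header From and attachment.
# The first message spoofs a security-administration From address over a foreign
# envelope domain and carries a PDF, the lure pattern described on this page.
MAIL_LOG = """\
2023-09-20T07:55:02Z rcpt=user1 env_from=ops@example.net hdr_from=alerts@security.example.gov attach=report.pdf
2023-09-20T07:58:30Z rcpt=user2 env_from=hr@example.gov hdr_from=hr@example.gov attach=memo.docx
"""

# Constructed asset map: which user sits at which workstation (hypothetical).
HOST_OWNER = {"10.0.5.23": "user1", "10.0.7.8": "user2"}

FW_RE = re.compile(r"(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)")
MAIL_RE = re.compile(r"(?P<ts>\S+) rcpt=(?P<rcpt>\S+) env_from=(?P<env>\S+) hdr_from=(?P<hdr>\S+) attach=(?P<attach>\S+)")
C2_PORT = 1863                       # port named on this page for XtremeRAT C2 traffic
LURE_EXT = (".pdf", ".doc", ".docx")  # document lure types named on this page

def c2_candidates(fw_log, port=C2_PORT):
    """Source hosts with outbound sessions on the C2 port, mapped to destination set."""
    hits = defaultdict(set)
    for line in fw_log.splitlines():
        m = FW_RE.match(line)
        if m and int(m["dport"]) == port:
            hits[m["src"]].add(m["dst"])
    return dict(hits)

def spoofed_lures(mail_log, exts=LURE_EXT):
    """Recipients of a document attachment whose From domain differs from the envelope domain."""
    flagged = {}
    for line in mail_log.splitlines():
        m = MAIL_RE.match(line)
        if not m or not m["attach"].lower().endswith(exts):
            continue
        if m["env"].rsplit("@", 1)[-1] != m["hdr"].rsplit("@", 1)[-1]:
            flagged[m["rcpt"]] = m["attach"]
    return flagged

def correlate(fw_log, mail_log, owners=HOST_OWNER):
    """Hosts whose user received a spoofed lure and which then talked on the C2 port."""
    c2, lures = c2_candidates(fw_log), spoofed_lures(mail_log)
    return {h: {"user": owners[h], "lure": lures[owners[h]], "c2_dst": sorted(d)}
            for h, d in c2.items() if owners.get(h) in lures}
```

A single 1863 session is weak evidence on its own (the port is also used by legacy messaging clients), which is why the correlation with the spoofed document lure is what turns it into an alert worth triaging.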

XtremeRAT is a widely used threat in these types of infections and, in various cases, PC security researchers suspect that many of these attackers may have institutional backing from certain countries. XtremeRAT attacks tend to be centered in the Middle East and have been used before by the SEA, or Syrian Electronic Army, a group that has claimed responsibility for several attacks on high-profile targets in the United States as well. XtremeRAT is just one of several RATs being used in these types of attacks.


XtremeRAT may call the following URLs: