A closer look at XtremeRAT's keylogger component

January 24, 2014

The Dell Sonicwall Threats Research team has looked at the keylogger component of the XtremeRAT Trojan. The Trojan was previously in the news for being used in attacks against government networks in late 2012. The sample we analysed uses a component called Xtremekeylogger and has the ability to monitor keystrokes and steal clipboard data. It also steals gaming-related data if games are installed on the system.

Infection cycle:

The Trojan adds the following files to the filesystem:

  • %WINDIR%\InstallDir\Server.exe [Detected as GAV: Remtasu.G (Trojan)]
  • %APPDATA%\oAWLX69iDGJRzoPkEX.dat [keylog file]

The Trojan adds the following keys to the Windows registry:

  • HKEY_USERS\S-1-5-21-448539723-1682526488-839522115-1003\Software\XtremeRAT Mutex hex(2):6f,41,57,4c,58,36,39,69,44,47,4a,52,7a,6f,50,6b,45,58,00, ("oAWLX69iDGJRzoPkEX")
  • HKEY_USERS\S-1-5-21-448539723-1682526488-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.dat
  • HKEY_CURRENT_USER\Software\oAWLX69iDGJRzoPkEX ServerStarted hex(2):31,37,2f,30,31,2f,32,30,31,34,20,31,35,3a,31,35,3a,31,33,00, ("17/01/2014 15:15:13")
  • HKEY_CURRENT_USER\Software\XtremeRAT Mutex hex(2):6f,41,57,4c,58,36,39,69,44,47,4a,52,7a,6f,50,6b,45,58,00, ("oAWLX69iDGJRzoPkEX")
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.dat
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run HKCU hex(2):43,3a,5c,57,49,4e,44,4f,57,53,5c,49,6e,73,74,61,6c,6c,44,69,72,5c,53,65,72,76,65,72,2e,65,78,65,00, ("C:\WINDOWS\InstallDir\Server.exe")

The Trojan injects code [Detected as GAV: Remtasu.G (Trojan)] into a new instance of svchost and into firefox (if installed). It then starts the injected code using the CreateRemoteThread API call.

The Trojan then uses built-in Windows APIs to set up keystroke logging hooks and start Xtremekeylogger.

The Xtremekeylogger component monitors keystroke and clipboard activity and stores the data in oAWLX69iDGJRzoPkEX.dat. The file is encrypted:

The encryption is nothing more than a single-byte XOR with the 8-bit key 0x13. We were able to decrypt the file trivially and expose the captured data, which is stored in HTML format.
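The decoding step described above, as an added example for analysts rather than code from the original post: it undoes the single-byte XOR, recovers the key from the fact that the log is HTML (first plaintext byte assumed to be `<`), and sanity-checks the result. The sample keylog bytes are constructed here, not taken from the malware.

```python
"""Decode an XtremeRAT-style keylog: every byte XORed with the single key 0x13."""
import sys

KEY = 0x13  # 8-bit key reported in the analysis


def xor_bytes(data: bytes, key: int = KEY) -> bytes:
    """XOR every byte with one 8-bit key. XOR is its own inverse, so the same
    function produces the on-disk form and recovers the plaintext."""
    return bytes(b ^ key for b in data)


def recover_key(data: bytes, known_first_byte: int = ord("<")) -> int:
    """A single-byte XOR leaks its key from one byte of known plaintext.
    The log is HTML, so the first plaintext byte is assumed to be '<'."""
    if not data:
        raise ValueError("empty keylog")
    return data[0] ^ known_first_byte


def decode_keylog(blob: bytes) -> str:
    """Recover the key, decrypt, and confirm the result is plausibly HTML
    before trusting it (a wrong key yields noise, not a '<html' tag)."""
    key = recover_key(blob)
    text = xor_bytes(blob, key).decode("latin-1")  # 1:1 byte mapping, never fails
    if "<html" not in text.lower():
        raise ValueError(f"key 0x{key:02x} recovered, but the output is not HTML")
    return text


# Constructed sample: a tiny keylog before and after the XOR (not real malware output).
SAMPLE_PLAINTEXT = b"<html><body>[Notepad] meeting notes<br></body></html>"
SAMPLE_ENCRYPTED = xor_bytes(SAMPLE_PLAINTEXT)  # first byte 0x3c ('<') becomes 0x2f


if __name__ == "__main__":
    with open(sys.argv[1], "rb") as f:  # e.g. the captured oAWLX69iDGJRzoPkEX.dat
        print(decode_keylog(f.read()))
```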

The infected svchost instance was observed checking for the presence of popular games on the system.

Although the sample we analysed did not produce any network activity, it can be assumed that the keylog file is sent to a remote server at a later stage.

SonicWALL Gateway AntiVirus provides protection against this threat via the following signatures:

  • GAV: Remtasu.G (Trojan)
  • GAV: Remtasu.A (Trojan)