A closer look at XtremeRAT's Keylogger component (Jan 24, 2014)


The Dell SonicWALL Threats Research team has looked at the keylogger component of the XtremeRAT Trojan. The Trojan was previously in the news for being used in attacks against government networks in late 2012. The sample we analysed uses a component called Xtremekeylogger and has the ability to monitor keystrokes and steal clipboard data. It also collects gaming-related data if games are installed on the system.

Infection cycle:

The Trojan adds the following files to the filesystem:

  • %WINDIR%\InstallDir\Server.exe [Detected as GAV: Remtasu.G (Trojan)]
  • %APPDATA%\oAWLX69iDGJRzoPkEX.dat [keylog file]

The Trojan adds the following keys and values to the Windows registry (key, value name, data):

  • HKEY_USERS\S-1-5-21-448539723-1682526488-839522115-1003\Software\XtremeRAT  Mutex  hex(2):6f,41,57,4c,58,36,39,69,44,47,4a,52,7a,6f,50,6b,45,58,00 (“oAWLX69iDGJRzoPkEX”)
  • HKEY_USERS\S-1-5-21-448539723-1682526488-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.dat
  • HKEY_CURRENT_USER\Software\oAWLX69iDGJRzoPkEX  ServerStarted  hex(2):31,37,2f,30,31,2f,32,30,31,34,20,31,35,3a,31,35,3a,31,33,00 (“17/01/2014 15:15:13”)
  • HKEY_CURRENT_USER\Software\XtremeRAT  Mutex  hex(2):6f,41,57,4c,58,36,39,69,44,47,4a,52,7a,6f,50,6b,45,58,00 (“oAWLX69iDGJRzoPkEX”)
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.dat
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run  HKCU  hex(2):43,3a,5c,57,49,4e,44,4f,57,53,5c,49,6e,73,74,61,6c,6c,44,69,72,5c,53,65,72,76,65,72,2e,65,78,65,00 (“C:\WINDOWS\InstallDir\Server.exe”)

The HKEY_USERS\S-1-5-21-...-1003 entries are the same HKEY_CURRENT_USER hive addressed through the logged-on user's SID. Note that the string oAWLX69iDGJRzoPkEX is reused as the mutex name, as the per-sample Software subkey and as the base name of the keylog file, so it is a per-build identifier rather than a random artifact, and the Run value under CurrentVersion\Run is what restarts Server.exe at logon.
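The hex(2) values above are printed one byte per character with a trailing NUL. As an added example (not SonicWall's tooling), the following Python decodes such lines from a registry-export style listing and flags the three XtremeRAT indicators: the Run-key persistence entry, the Mutex value and the ServerStarted timestamp. The input lines are constructed from the values shown in this analysis; the key/value/data layout and the function names are assumptions for the example.

```python
"""Decode hex(2) registry data and flag XtremeRAT indicators.

Added example, not part of the original analysis. The REG_LINES text is
constructed from the registry entries listed in the write-up.
"""
import re

# Constructed input: "<key> <value name> hex(2):<comma separated bytes>"
REG_LINES = r"""
HKEY_CURRENT_USER\Software\oAWLX69iDGJRzoPkEX ServerStarted hex(2):31,37,2f,30,31,2f,32,30,31,34,20,31,35,3a,31,35,3a,31,33,00,
HKEY_CURRENT_USER\Software\XtremeRAT Mutex hex(2):6f,41,57,4c,58,36,39,69,44,47,4a,52,7a,6f,50,6b,45,58,00,
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run HKCU hex(2):43,3a,5c,57,49,4e,44,4f,57,53,5c,49,6e,73,74,61,6c,6c,44,69,72,5c,53,65,72,76,65,72,2e,65,78,65,00,
""".strip().splitlines()

# Key paths contain no spaces in this listing, so split on single spaces.
LINE_RE = re.compile(
    r"^(?P<key>\S+) (?P<name>\S+) hex\(2\):(?P<hex>[0-9a-f]{2}(?:,[0-9a-f]{2})*),?$"
)


def decode_hex2(hexlist: str) -> str:
    """Turn '6f,41,...,00' into the string it encodes (stop at the first NUL)."""
    data = bytes(int(b, 16) for b in hexlist.split(","))
    return data.split(b"\x00", 1)[0].decode("latin-1")


def parse_reg_lines(lines):
    """Return (key, value_name, decoded_data) for every parseable line."""
    entries = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # ignore lines that are not hex(2) values
        entries.append((m["key"], m["name"], decode_hex2(m["hex"])))
    return entries


def find_indicators(entries):
    """Flag the XtremeRAT artifacts described in the analysis."""
    findings = []
    for key, name, value in entries:
        lkey = key.lower()
        if lkey.endswith(r"\software\xtremerat") and name == "Mutex":
            findings.append(("xtremerat_mutex", value))
        if lkey.endswith(r"\currentversion\run") and value.lower().endswith(r"\installdir\server.exe"):
            findings.append(("run_persistence", value))
        if name == "ServerStarted":
            findings.append(("server_started", value))
    return findings


if __name__ == "__main__":
    for kind, value in find_indicators(parse_reg_lines(REG_LINES)):
        print(f"{kind}: {value}")
```

On a live host the same checks would be run against the output of `reg export` or the winreg module; the mutex string recovered here also gives the expected name of the %APPDATA% keylog file.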

The Trojan injects code [Detected as GAV: Remtasu.G (Trojan)] into a new instance of svchost.exe and, if installed, firefox.exe. It then starts the injected code with the CreateRemoteThread API call.

The Trojan then uses built-in Windows APIs to install keystroke-logging hooks and start Xtremekeylogger.

The Xtremekeylogger component monitors keystroke and clipboard activity and stores the data in oAWLX69iDGJRzoPkEX.dat. The file is encrypted.

The encryption is nothing more than a single-byte XOR with the key 0x13. We were easily able to decrypt the file and expose the data, which is stored in HTML format.

The infected svchost.exe instance was observed checking for the presence of popular games on the system.

Although the sample we analysed did not produce any network activity, it is reasonable to assume that the log file is sent to a remote server at a later stage.

SonicWALL Gateway AntiVirus provides protection against this threat via the following signatures:

  • GAV: Remtasu.G (Trojan)
  • GAV: Remtasu.A (Trojan)