
Backdoor:Win32/Xtrat


First posted on 24 May 2019.
Source: Microsoft

Aliases :

Backdoor:Win32/Xtrat is also known as W32/Rbot.A.gen!Eldorado, Win32/Remtasu.V, winpe/Xtreme.L.

Explanation :

This backdoor is a remote access tool (RAT). Once installed it gives the attacker remote control of your PC, which they use to spy on you and to install further malware.

Installation

When run, it drops a copy of itself into one of several folders under a random file name. Possible folder locations include:

%SystemRoot%
%APPDATA%

For example, we have seen it drop server.exe into a folder named InstallDir.

It changes the following registry entry so that it runs each time you start your PC:

In subkey: HKLM\Software\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}
Sets value: "StubPath"
With data: "install\server.exe restart"

It may open a new process and inject code into it, to try to hide from security software.

Spreads through

Removable drives

It can create copies of itself on removable drives, such as USB flash drives.

It creates an autorun.inf file in the root folder of the removable drive. The file has instructions to launch the malware automatically when the removable drive is connected to a PC with the Autorun feature turned on.

This is a common way for malware to spread. However, autorun.inf files on their own are not necessarily a sign of infection; they are also used by legitimate programs. 
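The point above is that the file's presence alone means little; what matters is what the file would do. The script below is an added example (not part of the Microsoft advisory) that parses an autorun.inf and grades it: clean when it only sets an icon or label, review when it launches a program as a genuine installer disc also would, suspicious when it launches a program and also hides the target or mimics Windows' own "Open folder" entry. The three sample files, including the RECYCLER folder path, are constructed for the example and are not indicators from the advisory.

```python
"""Triage an autorun.inf pulled from a removable drive (added example, not advisory code)."""
import re

EXEC_KEYS = ("open", "shellexecute")                     # run a program when Autorun fires
SHELL_CMD_RE = re.compile(r"^shell\\[^\\]+\\command$")   # Explorer context-menu verb commands
# Wording worms use so the AutoPlay entry looks like Windows' own "Open folder" item.
DECEPTIVE_ACTION_RE = re.compile(r"open folder|view files|explorer", re.I)
# Targets placed in folders users rarely browse, or in dot-prefixed names.
HIDDEN_DIR_RE = re.compile(
    r"(^|[\\/])(recycler|recycled|\$recycle\.bin|system volume information|\.[^\\/]+)([\\/]|$)",
    re.I,
)


def parse_autorun(text):
    """Minimal INI parser: sections and keys lowercased, repeated keys kept, ';'/'#' comments."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, [])
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            sections[current].append((key.strip().lower(), value.strip()))
    return sections


def command_target(command):
    """Executable named by a command line: the quoted token or the first bare token."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split()[0] if command else ""


def triage_autorun(text):
    """Return {'severity': clean|review|suspicious, 'reasons': [...], 'targets': [...]}."""
    reasons, targets = [], []
    for key, value in parse_autorun(text).get("autorun", []):
        if key in EXEC_KEYS:
            targets.append(command_target(value))
            reasons.append(("exec", f"{key}= runs {targets[-1]}"))
        elif SHELL_CMD_RE.match(key):
            targets.append(command_target(value))
            reasons.append(("verb_hijack", f"{key} replaces an Explorer verb with {targets[-1]}"))
        elif key == "shell":
            reasons.append(("default_verb", f"default double-click verb changed to {value}"))
        elif key == "action" and DECEPTIVE_ACTION_RE.search(value):
            reasons.append(("deceptive_action", f"AutoPlay text mimics Windows: {value!r}"))
    for target in targets:
        if HIDDEN_DIR_RE.search(target):
            reasons.append(("hidden_target", f"target lives in a hidden/system folder: {target}"))
    codes = {code for code, _ in reasons}
    if not targets:
        severity = "clean"          # icon/label only: harmless on its own
    elif codes & {"verb_hijack", "default_verb", "deceptive_action", "hidden_target"}:
        severity = "suspicious"     # runs code and also hides or deceives
    else:
        severity = "review"         # runs code, as a genuine installer disc also would
    return {"severity": severity, "reasons": [r for _, r in reasons], "targets": targets}


# Constructed samples: a vendor disc, a plain installer disc, and a USB-worm style file.
# Paths and names are made up for the example, not indicators from the advisory.
DRIVER_DISC = "[autorun]\nicon=setup.exe,0\nlabel=Vendor Driver Disc\n"
INSTALLER_DISC = "[autorun]\nopen=setup.exe\nicon=setup.exe,0\n"
WORM_STICK = r"""[AutoRun]
open=RECYCLER\server.exe
icon=%SystemRoot%\system32\SHELL32.dll,4
action=Open folder to view files
shell\open\command=RECYCLER\server.exe
shell\explore\command=RECYCLER\server.exe
"""

if __name__ == "__main__":
    for name, sample in (("driver disc", DRIVER_DISC), ("installer", INSTALLER_DISC), ("worm", WORM_STICK)):
        print(name, triage_autorun(sample))
```

The "review" grade is deliberate: open=setup.exe is exactly what a legitimate install disc ships, so the grader only calls a file suspicious when execution is combined with a hidden target, a replaced Explorer verb, or AutoPlay text that imitates Windows.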

File sharing websites

The threat might be downloaded from a file sharing website. You might try to download an app, and instead have this malware installed on your PC.

Payload

Steals sensitive data

This threat can:

Install a keylogger on the computer, to record what you type on your keyboard (including passwords)
Capture screenshots of your desktop
Record images from your webcam
Record audio from your webcam or microphone

It can regularly send the collected data to a remote server. We have seen it try to connect to the following servers:

58.138.194.5
googlechrom2e.linkpc.net
sercan860.zapto.org

It might use IP redirection or masking services, such as dynamic DNS hostnames, to hide the real server.
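To hunt for the servers listed above in your own logs, here is an added example (not advisory code) that matches the three indicators against arbitrary log lines. It pulls hostname- and IP-shaped tokens out of each line and normalizes them (case, the trailing dot DNS logs print, URL and port decoration), so the same indicator list works across DNS, firewall and proxy logs. The log lines and their formats are constructed for the example; the internal addresses are from documentation ranges.

```python
"""Match the advisory's C2 indicators against log lines (added example, not advisory code)."""
import ipaddress
import re

# Indicators from the advisory's Payload section.
C2_HOSTS = {"googlechrom2e.linkpc.net", "sercan860.zapto.org"}
C2_IPS = {"58.138.194.5"}

# Runs of hostname characters; ':', '/' and whitespace end a token, which strips
# ports, URL paths and schemes without any format-specific parsing.
TOKEN_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9.\-]*")


def normalize_host(token):
    """Lowercase, drop the trailing dot DNS logs print, strip stray hyphens."""
    return token.lower().rstrip(".").strip("-")


def indicators_in(line):
    """Set of C2 indicators present in one log line."""
    found = set()
    for token in TOKEN_RE.findall(line):
        host = normalize_host(token)
        if host in C2_HOSTS:
            found.add(host)
            continue
        try:
            ip = str(ipaddress.ip_address(host))  # rejects '10', '2019-05-24', 'TCP', ...
        except ValueError:
            continue
        if ip in C2_IPS:
            found.add(ip)
    return found


def scan_lines(lines):
    """[(1-based line number, sorted indicators)] for every line that hits."""
    hits = []
    for number, line in enumerate(lines, 1):
        found = indicators_in(line)
        if found:
            hits.append((number, sorted(found)))
    return hits


# Constructed log lines in three made-up formats (DNS client, firewall, proxy).
SAMPLE_LOG = [
    "2019-05-24 10:01:02 WS01 dns query A googlechrom2e.linkpc.net.",
    "2019-05-24 10:01:09 WS01 dns query A Sercan860.Zapto.Org.",
    "2019-05-24 10:01:15 WS01 dns query A www.microsoft.com.",
    "2019-05-24 10:02:11 FW ALLOW TCP 10.0.0.15:49211 -> 58.138.194.5:8080",
    "2019-05-24 10:03:40 PROXY 10.0.0.15 GET http://sercan860.zapto.org/index.php 200",
    "2019-05-24 10:04:00 FW ALLOW TCP 10.0.0.15:49300 -> 192.0.2.44:443",
]

if __name__ == "__main__":
    for number, found in scan_lines(SAMPLE_LOG):
        print(f"line {number}: {', '.join(found)}")
```

Because the servers sit behind redirection or dynamic DNS, the hostnames are the more durable indicator; the IP is included for completeness but may have moved.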

Additional information

The threat creates the following mutexes:

((Mutex))
XTREMEUPDATE

These act as infection markers, so that no more than one copy of the threat runs on your PC.
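The registry key from the Installation section and the two mutexes above are the host-side indicators a responder can check directly. The script below is an added example, not Microsoft's code, that does both on a Windows host: it enumerates every Active Setup Installed Components entry, flags the advisory's component GUID, and more generally flags any StubPath that points at a relative path, a user-writable location, a file named server.exe, or carries the "restart" argument; then it asks the kernel whether either mutex already exists. The registry and mutex calls run only on Windows; the StubPath classifier is pure Python, and the environment values used to exercise it are constructed for the example.

```python
"""Check a host for the Active Setup persistence and mutexes this advisory lists
(added example, not Microsoft's code)."""
import os
import re
import sys

# Indicators taken from the advisory text.
KNOWN_GUID = "{5460C4DF-B266-909E-CB58-E32B79832EB2}"
KNOWN_MUTEXES = ("((Mutex))", "XTREMEUPDATE")
ACTIVE_SETUP_KEYS = (
    r"Software\Microsoft\Active Setup\Installed Components",
    r"Software\Wow6432Node\Microsoft\Active Setup\Installed Components",  # 32-bit view on x64
)
# Environment variables that resolve to locations a non-admin user can write to.
USER_WRITABLE_VARS = ("APPDATA", "LOCALAPPDATA", "TEMP", "TMP", "USERPROFILE")
ENV_REF_RE = re.compile(r"%([^%]+)%")


def split_command(cmd):
    """Windows-style split of a StubPath into (executable, argument string)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        if end > 0:
            return cmd[1:end], cmd[end + 1:].strip()
    exe, _, args = cmd.partition(" ")
    return exe, args.strip()


def expand(path, env):
    """Expand %VAR% references from the given mapping, case-insensitively like cmd.exe."""
    upper = {k.upper(): v for k, v in env.items()}
    return ENV_REF_RE.sub(lambda m: upper.get(m.group(1).upper(), m.group(0)), path)


def classify_stubpath(stubpath, env=None):
    """Reasons a StubPath deserves a look; an empty list means nothing odd was seen."""
    env = dict(os.environ if env is None else env)
    exe, args = split_command(stubpath)
    exe_expanded = expand(exe, env).lower()
    reasons = []
    # A path with separators but no drive, UNC prefix or %VAR% is relative, unlike any
    # legitimate component, which names a system binary or an absolute path.
    if exe and ("\\" in exe or "/" in exe) and not re.match(r"^([a-z]:[\\/]|\\\\|%)", exe, re.I):
        reasons.append("relative path: " + exe)
    for var in USER_WRITABLE_VARS:
        root = env.get(var, "").lower()
        if root and exe_expanded.startswith(root.rstrip("\\") + "\\"):
            reasons.append(f"under user-writable %{var}%")
            break
    if os.path.basename(exe_expanded.replace("\\", "/")) == "server.exe":
        reasons.append("file name matches the dropped copy (server.exe)")
    if "restart" in args.lower().split():
        reasons.append("'restart' argument as in the advisory's StubPath")
    return reasons


def enumerate_active_setup():
    """Yield (guid, stubpath) for every HKLM Installed Components entry (Windows only)."""
    import winreg
    for sub in ACTIVE_SETUP_KEYS:
        try:
            key = winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, sub)
        except OSError:
            continue
        with key:
            index = 0
            while True:
                try:
                    guid = winreg.EnumKey(key, index)
                except OSError:
                    break
                index += 1
                try:
                    with winreg.OpenKey(key, guid) as comp:
                        yield guid, winreg.QueryValueEx(comp, "StubPath")[0]
                except OSError:
                    pass  # component without a StubPath value


def mutex_exists(name):
    """Windows only: OpenMutexW returns a handle, or ERROR_ACCESS_DENIED, only if it exists."""
    import ctypes
    from ctypes import wintypes
    SYNCHRONIZE, ERROR_ACCESS_DENIED = 0x00100000, 5
    k32 = ctypes.WinDLL("kernel32", use_last_error=True)
    k32.OpenMutexW.argtypes = (wintypes.DWORD, wintypes.BOOL, wintypes.LPCWSTR)
    k32.OpenMutexW.restype = wintypes.HANDLE
    handle = k32.OpenMutexW(SYNCHRONIZE, False, name)
    if handle:
        k32.CloseHandle(handle)
        return True
    return ctypes.get_last_error() == ERROR_ACCESS_DENIED


def main():
    if sys.platform != "win32":
        print("registry and mutex checks need Windows; classify_stubpath() works anywhere")
        return
    for guid, stub in enumerate_active_setup():
        reasons = classify_stubpath(stub)
        if guid.upper() == KNOWN_GUID or reasons:
            print(f"[Active Setup] {guid}: {stub!r} -> {reasons or ['known Xtrat GUID']}")
    for name in KNOWN_MUTEXES:
        # Unprefixed names live in the caller's session namespace; a copy running in
        # another session would need the Global\ prefix to be visible from here.
        print(f"[Mutex] {name}: {'present' if mutex_exists(name) else 'absent'}")


if __name__ == "__main__":
    main()
```

Run it from the same user session as the suspected infection, since the mutex lookup is per session, and treat the mutex result as a live-infection check only: the registry entry survives a reboot, the mutex does not.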

Analysis by Mihai Calota

Last update 24 May 2019
