Internet vermin alert

Xtreme RAT bites Israeli government sites, yet again

Palestinian hacktivists strike Israel once more with a particular brand of malware that has a worrisome knack for success

Screenshot of an online sales site where hackers can buy Xtreme RAT (Photo credit: Courtesy Seculert)
Screenshot of an online sales site where hackers can buy Xtreme RAT (Photo credit: Courtesy Seculert)

Palestinian activists last month successfully breached the security system of the Civil Administration of Judea and Samaria, the government agency that deals with all administrative matters in Area A of the West Bank. Israeli security company Seculert said that the hack — the same one that brought down the servers of the Israel Police for more than a week in 2012 — was inserted into the Civil Administration’s servers using a “spear phishing” attack. In such a case, a user opens up an innocuous looking document that contains malware, which essentially turns the network the user is on into a “virtual candy store,” where hackers can swipe data at will.

The exploit, called Xtreme RAT, is a very small piece of malware that can easily be attached to documents, PDFs, graphics, or other attachments sent via email. As exploits go, said Aviv Raff, Seculert CEO, this is relatively unsophisticated. It’s “available off the shelf for purchase by any hacker, for not too much money,” he said, but once installed in a network, it lets hackers open back doors through which they can siphon off information.

Xtreme RAT has been used successfully on other occasions too. Last year it was sent out in a message allegedly from the IDF spokesperson, and it has been included in numerous messages with attached clipped web pages about politics, terrorism, and other security issues.

Yet despite its common provenance, Xtreme RAT has proven to be one of the more persistent (long-lasting) threats against Israel used by Palestinian hackers — because the email messages and documents it gets attached look like the “real thing.” In October 2012, an email message was passed around the central headquarters of the Israeli police with a compressed (.RAR format) file. When the file was opened, it released Xtreme RAT onto the system, and the malware quickly ensconced itself on several servers, with data offloaded to a server in the US. Although police never confirmed how much information was purloined, the breach was significant enough to shut down communications with the outside world (and, of course, the hackers’ connection) for more than a week.

In the latest attack, Xtreme RAT was attached to several email messages — one a report about terrorist activities, and the second an article from the web site about Ariel Sharon. Both reports were in Hebrew, and the second one was sent within days of Sharon’s death in January.

For the observant, said Raff, there were broad clues that the messages were suspect. For one thing, he said, “closer examination of the spear phishing emails revealed that the attackers are not native Hebrew speakers and most likely copied and altered incomplete text to create the subject of the email,” with words misspelled, syntax and grammatical errors, and other language-related foibles. In addition, the email addresses the documents were sent from — “” — should have been a giveaway as well. Surely the Shabak (Israel Security Service), a large and well-known security organization, would not resort to using a garden-variety Gmail account for its secure communications (Raff said that the report on terrorism was publicly available on numerous web sites).

Israel hasn’t been its only victim. The exploit has been used to attack Palestinian media and PA government sites as well, using the same phishing methods that hook Israelis into installing the malware onto networks.

It was inserted, for example, into numerous messages sent in 2011 and 2012 to news agencies located in Ramallah and Gaza, and to official Palestinian Authority web sites based in Ramallah. In a report, French security company Norman cited an example of how the malware was distributed – via an image that purported to show Gilad Shalit in his cell in Gaza (this video was still being distributed last year, after Shalit was freed). “This image could be aimed at Israelis, but the image itself has been mostly shown on Arabic/Palestinian sites like, a news agency located in Gaza,” the company said, indicating it was probably aimed at Palestinians.

Success breeds success, when it comes to hacking. If it worked once, it’s likely to work again, and to help Israelis avoid falling victim to Xtreme RAT, Raff is holding a seminar which will discuss ways to detect and avoid falling victim to the malware. For most of us, though, the answer is simple. “If it looks like a rat and smells like a rat, it just might be a rat,” said Raff; if the Hebrew (or English) looks “funny,” or the sender’s address isn’t up to snuff, just don’t click on a message’s attachments, he added.

read more:
Never miss breaking news on Israel
Get notifications to stay updated
You're subscribed