Backdoor:Win32/Xtrat
First posted on 24 May 2019.
Source: Microsoft
Aliases:
Backdoor:Win32/Xtrat is also known as W32/Rbot.A.gen!Eldorado, Win32/Remtasu.V, winpe/Xtreme.L.
Explanation:
This backdoor is a remote access tool (RAT) that gives a malware author remote control of your PC and is used to install further malware on it.
Installation
When run, it drops a copy of itself into one of several folder locations, using a random filename. Possible folder locations include:
%SystemRoot%
%APPDATA%
For example, we have seen it drop server.exe to the folder InstallDir.
It changes the following registry entry so that it runs each time you start your PC:
In subkey: HKLM\Software\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}
Sets value: "StubPath"
With data: "install\server.exe restart"
It may open a new process and inject code into it. It may do this to try to hide from security software.
Spreads through
Removable drives
It can create copies of itself on removable drives, such as USB flash drives.
It creates an autorun.inf file in the root folder of the removable drive. The file has instructions to launch the malware automatically when the removable drive is connected to a PC with the Autorun feature turned on.
This is a common way for malware to spread. However, autorun.inf files on their own are not necessarily a sign of infection; they are also used by legitimate programs.
File sharing websites
The threat might be downloaded from a file sharing website. You might try to download an app, and instead have this malware installed on your PC.
Payload
Steals sensitive data
This threat can:
Install a keylogger on the computer, to record what you type on your keyboard (including passwords)
Capture screenshots of your desktop
Record images from your webcam
Record audio from your webcam or microphone
It can regularly send the collected data to a remote server. We have seen it try to connect to the following servers:
58.138.194.5
googlechrom2e.linkpc.net
sercan860.zapto.org
It might use IP redirection or masking services to hide the server.
Additional information
The threat creates the following mutexes:
((Mutex))
XTREMEUPDATE
These can be infection markers to prevent more than one copy of the threat running on your PC.
Analysis by Mihai Calota
Last update 24 May 2019