Molerats campaign turns to Xtreme RAT to target orgs

Attackers targeting organizations across the globe are now opting to use a freely available remote access trojan called Xtreme RAT for their exploits.

On Monday, researchers at FireEye detailed in a blog post how the attack campaign, dubbed “Molerats,” has been ongoing since October 2011.

Over the years, saboteurs have leveraged other free RATs, like Poison Ivy, to gain access to victims' networks. But new attacks occurring between April and May made use of XtremeRAT – which gives hackers the ability to upload or download files, manipulate running processes or services on the targeted machine, and record using connected devices, such as webcams or microphones, FireEye revealed.

Recent targets include government departments in the U.S., UK, Israel, Turkey and other countries, as well as a major U.S. financial institution. The British Broadcasting Corporation (BBC) was also among the targeted organizations, the blog post said.

In a Tuesday interview, Nart Villeneuve, senior threat intelligence researcher at FireEye, said that attackers used phishing tactics – email ruses containing malicious URLs or attachments – to deliver XtremeRAT to targets.

“It shows the barrier to entry is quite low,” Villeneuve said. “[Operations] like Molerats have been conducting these kind of campaigns for several years now and largely sticking to the same tactics, which probably means they are attaining a certain amount of success without enhancing their capabilities.”

The location of threat actors has not been confirmed, but FireEye has noted trends that helped them attribute attacks to the same group.

In previous attacks, for instance, the group attempted to forge certificates so that malware could skirt detection, Villeneuve said. Keeping in line with this tactic, malware that FireEye detected in the spring attacks appeared to be signed with a certificate from security vendor Kaspersky Lab. 

While FireEye has not determined whether the group's central aim is cyber espionage, Villeneuve did say that the Molerats attacks “appear to be targeted.”

"It's not a typical cyber crime operation, where they are looking to make money through credit card fraud, or something like that. But we are still short of understanding the exact motivation of this particular group,” Villeneuve said.
