Connect with us

Hi, what are you looking for?



Xtreme RAT Targets Israeli Government, Infected Police Force

Security firm Trend Micro said late Monday that it has obtained samples of the malware that is assumed to be responsible for infecting systems at the Israeli police department and effectively knocking them offline.

Security firm Trend Micro said late Monday that it has obtained samples of the malware that is assumed to be responsible for infecting systems at the Israeli police department and effectively knocking them offline.

According to the Times of Israel, the attack was significant enough to have forced all police depart computers to be taken offline temporarily on Oct. 25.

The malware reportedly penetrated the police force via a malicious email with a .RAR archive attached. The email purported to be sent from, Benny Gatz, the head of the Israel Defense Forces, using the email address “bennygantz59(at)” and using subject line of “IDF strikes militants in Gaza Strip following rocket barrage”.

Benny Gantz Email

According to Trend Micro, the .RAR attachment included malware, which after being analyzed by Trend Researchers, was determined to include a backdoor using the Xtreme Remote Access Trojan (RAT) or “Xtreme RAT”.

Popular RATs include DarkComet and PoisonIvy, while many other lesser-known RATs exist, such as the PlugX RAT (sometimes called Flowershow) that targeted defense firms using a recently-discovered IE Zero-day. In late September, researchers from AlienVault connected the PlugX attacks to China, going as far as naming the author of the malware after decoding the RAT.

In the case of the attacks against the Israeli Police Force, Roni Bachar, from Israeli security firm Avnet, told the Times of Israel that servers and PCs might have been compromised for as long as a week before the infection was discovered. “It was only late Wednesday night that police realized what happened and ordered that computers be taken offline. Apparently the virus was also distributed to other government departments,” Bachar told the Times.

When Trend Micro analyzed the headers from the malicious emails used to conduct the attack, they determined that the targets were likely to have been within the Israeli Customs agency.

Advertisement. Scroll to continue reading.

Detected by Trend Micro as BKDR_XTRAT.B, the backdoor used in the attacks appears to be the newest version of Xtreme RAT which is compatible with Microsoft’s new Windows 8 operating system, has enhanced audio and desktop capture capabilities, and brings improved Chrome and Firefox password grabbing, while still maintaining the ability to grab passwords from Opera and Apple’s Safari Web browsers.

In terms of attribution, it’s unclear who is behind the attack, but Bachar has his suspicions.

“The pattern of the attack and the type of virus used were very similar to other cases of attacks which were found to have been sponsored by governments,” Bachar told the Times. “At this point, I think we can be fairly certain that it was sponsored by a nation-state, most likely Iran,” he added.

While many recent global attacks have resulted at fingers being pointed at China and the United States, Iran is being viewed as increasingly aggressive, and being blamed for recent attacks against US financial institutions and a high a profile attack against Saudi oil giant Aramco that erased critical files on about 30,000 of its computers, as well as attacks against Qatari natural gas firm RasGas.

According to recent reports, American officials have “more than a suspicion” that Iran was to blame for the Aramco attacks, that also possibly included recent denial of service attacks on some US banks, according to James Lewis, a senior fellow at the Center for Strategic and International Studies think tank.

According to security firm F-Secure, the Xtreme RAT also appears to have been used in attacks that targeted Syrian anti-government activists. 

Written By

For more than 10 years, Mike Lennon has been closely monitoring the threat landscape and analyzing trends in the National Security and enterprise cybersecurity space. In his role at SecurityWeek, he oversees the editorial direction of the publication and is the Director of several leading security industry conferences around the world.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content


WASHINGTON - Cyberattacks are the most serious threat facing the United States, even more so than terrorism, according to American defense experts. Almost half...


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.


Websites of German airports, administration bodies and banks were hit by DDoS attacks attributed to Russian hacker group Killnet

Malware & Threats

Threat actors are increasingly abusing Microsoft OneNote documents to deliver malware in both targeted and spray-and-pray campaigns.


The war in Ukraine is the first major conflagration between two technologically advanced powers in the age of cyber. It prompts us to question...

Application Security

Fortinet on Monday issued an emergency patch to cover a severe vulnerability in its FortiOS SSL-VPN product, warning that hackers have already exploited the...