XtremeRAT - When Unicode Breaks

XtremeRAT - When Unicode Breaks (PDF, 3.81MB)
Published: 09 Apr, 2015
Created by:
Harri Sylvander

XtremeRAT is a commonly abused remote administration tool (RAT) that is prevalent in the Middle East, to the degree that it is not uncommon to find at least one active instance in a network on any given incident response engagement. The tool is readily available to anyone who wants to build their own, and that availability means it is employed for nefarious purposes by adversaries ranging from those who do not fully comprehend the consequences of their actions to advanced threat actors who care less about legal aspects and more about the objectives of their respective missions. One of the capabilities XtremeRAT provides in support of those objectives is a built-in Unicode keylogger; there are, however, situations in which the logging fails and produces incomprehensible keylogs. The data captured in these logs, or parts of it, can still be recovered, and it is vital for the defender to understand what data has potentially been stolen. The objective of this paper is to shed light on the challenges of extracting useful information from the logs when non-Latin character sets, specifically Arabic, are used, and to publish an author-developed tool that helps decode the broken parts of extracted keylogs.