An ongoing malware campaign has been discovered that is spreading a Java-based RAT identified as STRRAT. It was developed to steal information from victims while portraying itself as ransomware. STRRAT was first observed in June last year by G DATA.

What has happened?

According to Microsoft researchers, the STRRAT RAT was spreading in a massive spam campaign and is masquerading as ransomware.
  • The attackers behind the campaign used compromised email accounts to send out spam messages, including an image that was portrayed as a PDF attachment.
  • When an unsuspecting recipient opens the image, the malicious code makes a connection to a domain for downloading STRRAT.
  • The latest version of STRRAT (v1.5) is more obfuscated and modular than the previous one. It supports various features such as logging keystrokes, collecting browser passwords, and running remote commands and PowerShell.
  • The RAT focuses on stealing credentials of browsers (IE, Chrome, Firefox) and email clients (Outlook, Thunderbird, Foxmail). Additionally, it attempts to target German customers.

Additional insights

Experts from G DATA observed that the malware only modifies files by appending the .crimson extension: it renames them without actually encrypting the data.
  • This trick could easily fool users because the renamed files can no longer be opened by simply double-clicking. However, if the extension is removed, the files can be used as usual, and there is no ransom note in the client of the RAT.
  • In addition, the initial payload of this malware is a JAR file obfuscated by the Allatori tool. Allatori encrypts most of the strings in the file with AES.
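The rename-only behaviour described above lends itself to a simple triage check: a file that still begins with a recognisable format header, or whose byte entropy is far below that of real ciphertext, was only renamed and can be restored by stripping the extension. The script below is an added example written for this summary, not code from G DATA or Microsoft; the `.crimson` suffix comes from the text, while the magic-byte table and the 7.5 bits-per-byte entropy threshold are assumptions chosen for illustration.

```python
import math
from pathlib import Path

# Headers of a few common document types (constructed subset for the example).
KNOWN_MAGIC = {
    b"%PDF": "pdf",
    b"PK\x03\x04": "zip/office",
    b"\x89PNG": "png",
    b"\xff\xd8\xff": "jpeg",
}

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: genuine AES output sits close to 8.0, plain documents far lower."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def looks_unencrypted(data: bytes) -> bool:
    """True when the content still carries a known header or has low entropy."""
    if any(data.startswith(magic) for magic in KNOWN_MAGIC):
        return True
    return shannon_entropy(data[:4096]) < 7.5  # assumed threshold

def triage_crimson(root: str, restore: bool = False) -> dict:
    """Classify every *.crimson file under root as 'renamed_only' or 'encrypted'.
    With restore=True, files judged renamed-only get the appended suffix removed."""
    result = {"renamed_only": [], "encrypted": []}
    for path in Path(root).rglob("*.crimson"):
        data = path.read_bytes()
        if looks_unencrypted(data):
            result["renamed_only"].append(str(path))
            if restore:
                target = path.with_suffix("")  # "report.pdf.crimson" -> "report.pdf"
                if not target.exists():        # never clobber an existing original
                    path.rename(target)
        else:
            result["encrypted"].append(str(path))
    return result
```

Restoring the files does not remove the RAT itself; the credential-stealing and remote-command components still need to be eradicated and affected passwords rotated.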

Bottom line

The malware campaign is ongoing and actively targeting Windows-based system users via spam emails. Therefore, organizations should stay alert and train their employees to spot phishing emails, or deploy spam email gateways to filter out such emails at the initial level.

Cyware Publisher
