Microsoft Security Intelligence researchers uncovered a malware campaign that is spreading a remote access trojan (RAT) tracked as STRRAT. The RAT was designed to steal data from victims while masquerading as a ransomware attack.
The Java-based STRRAT RAT was distributed in a massive spam campaign, the malware shows ransomware-like behavior of appending the file name extension .crimson to files without actually encrypting them.
According to Microsoft threat actors behind the campaign used compromised email accounts to send out spam messages containing an image that posed as a PDF attachment.
Upon opening the image, the malicious code connects to a domain to download the STRRAT RAT.
Researchers noticed that STRRAT version 1.5 is notably more obfuscated and modular than previous versions. The malware supports multiple features such as collecting browser passwords, running remote commands and PowerShell, and logging keystrokes.
STRRAT RAT was first spotted in June 2020 by G DATA who documented its features.
“The RAT has a focus on stealing credentials of browsers and email clients, and passwords via keylogging. It supports the following browsers and email clients: Firefox, Internet Explorer, Chrome, Foxmail, Outlook, Thunderbird.” reads the report published by the experts.
G DATA experts discovered that the malware only renames files by appending the .crimson extension.
“However, the so called “encryption” only renames files by appending the .crimson extension. This might still work for extortion because such files cannot be opened anymore by double-clicking. Windows associates the correct program to open files via their extension. If the extension is removed, the files can be opened as usual.” continues the report. “There is no ransom note template in the client of the RAT. The attacker can display anything they like with the show-msg command. It is possible that the server provides ransom note templates.”
Microsoft researchers also published hunting queries to help defenders locate indicators and malicious behaviors associated with the STRRAT RAT.
Follow me on Twitter: @securityaffairs and Facebook
[adrotate banner=”9″] | [adrotate banner=”12″] |
(SecurityAffairs – hacking, STRRAT RAT)
[adrotate banner=”5″]
[adrotate banner=”13″]