Microsoft Security Intelligence researchers uncovered a malware campaign that is spreading a remote access trojan (RAT) tracked as STRRAT. The RAT was designed to steal data from victims while masquerading as a ransomware attack.
The Java-based STRRAT RAT was distributed in a massive spam campaign, the malware shows ransomware-like behavior of appending the file name extension .crimson to files without actually encrypting them.
According to Microsoft threat actors behind the campaign used compromised email accounts to send out spam messages containing an image that posed as a PDF attachment.
Upon opening the image, the malicious code connects to a domain to download the STRRAT RAT.
Researchers noticed that STRRAT version 1.5 is notably more obfuscated and modular than previous versions. The malware supports multiple features such as collecting browser passwords, running remote commands and PowerShell, and logging keystrokes.
STRRAT RAT was first spotted in June 2020 by G DATA who documented its features.
“The RAT has a focus on stealing credentials of browsers and email clients, and passwords via keylogging. It supports the following browsers and email clients: Firefox, Internet Explorer, Chrome, Foxmail, Outlook, Thunderbird.” reads the report published by the experts.
G DATA experts discovered that the malware only renames files by appending the .crimson extension.
“However, the so called “encryption” only renames files by appending the .crimson extension. This might still work for extortion because such files cannot be opened anymore by double-clicking. Windows associates the correct program to open files via their extension. If the extension is removed, the files can be opened as usual.” continues the report. “There is no ransom note template in the client of the RAT. The attacker can display anything they like with the show-msg command. It is possible that the server provides ransom note templates.”
Microsoft researchers also published hunting queries to help defenders locate indicators and malicious behaviors associated with the STRRAT RAT.
Follow me on Twitter: @securityaffairs and Facebook
| [adrotate banner=”9″] | [adrotate banner=”12″] |
(SecurityAffairs – hacking, STRRAT RAT)
[adrotate banner=”5″]
[adrotate banner=”13″]
CISA adds Cisco ASA and FTD and CrushFTP VFS vulnerabilities to its Known Exploited Vulnerabilities…
U.S. CISA added the Windows Print Spooler flaw CVE-2022-38028 to its Known Exploited Vulnerabilities catalog.…
The U.S. Department of Justice (DoJ) announced the arrest of two co-founders of a cryptocurrency mixer…
Google addressed a critical Chrome vulnerability, tracked as CVE-2024-4058, that resides in the ANGLE graphics…
Nation-state actor UAT4356 has been exploiting two zero-days in ASA and FTD firewalls since November…
A malware campaign has been exploiting the updating mechanism of the eScan antivirus to distribute…
This website uses cookies.