STRRAT RAT spreads masquerading as ransomware

Microsoft warns of a malware campaign that is spreading a RAT dubbed named STRRAT masquerading as ransomware.

Microsoft Security Intelligence researchers uncovered a malware campaign that is spreading a remote access trojan (RAT) tracked as STRRAT. The RAT was designed to steal data from victims while masquerading as a ransomware attack.

The Java-based STRRAT RAT was distributed in a massive spam campaign, the malware shows ransomware-like behavior of appending the file name extension .crimson to files without actually encrypting them.

According to Microsoft threat actors behind the campaign used compromised email accounts to send out spam messages containing an image that posed as a PDF attachment.

Upon opening the image, the malicious code connects to a domain to download the STRRAT RAT.

Researchers noticed that STRRAT version 1.5 is notably more obfuscated and modular than previous versions. The malware supports multiple features such as collecting browser passwords, running remote commands and PowerShell, and logging keystrokes.

STRRAT RAT was first spotted in June 2020 by G DATA who documented its features.

“The RAT has a focus on stealing credentials of browsers and email clients, and passwords via keylogging. It supports the following browsers and email clients: Firefox, Internet Explorer, Chrome, Foxmail, Outlook, Thunderbird.” reads the report published by the experts.

G DATA experts discovered that the malware only renames files by appending the .crimson extension.

“However, the so called “encryption” only renames files by appending the .crimson extension. This might still work for extortion because such files cannot be opened anymore by double-clicking. Windows associates the correct program to open files via their extension. If the extension is removed, the files can be opened as usual.” continues the report. “There is no ransom note template in the client of the RAT. The attacker can display anything they like with the show-msg command. It is possible that the server provides ransom note templates.”

Microsoft researchers also published hunting queries to help defenders locate indicators and malicious behaviors associated with the STRRAT RAT.

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, STRRAT RAT)

[adrotate banner=”5″]

[adrotate banner=”13″]

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.