Researchers at Microsoft Security Intelligence discovered a malware campaign spreading a Remote Access Trojan (RAT) known as StrRAT. The RAT is designed to steal data from victims while posing as a ransomware attack. StrRAT is a Java-based remote access tool that steals browser credentials, logs keystrokes, and takes remote control of infected systems, all typical RAT behaviors.

This threat has a module that downloads an additional payload onto the infected machine on command from the command and control (C2) server. What stands out about this threat is a feature that is uncommon for this type of malware: a “ransomware encryption / decryption module” that renames files in a way that suggests encryption is the next step. StrRAT does not actually carry that step out, “adding the file name extension .crimson to the files without actually encrypting them”.
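Because the module only renames files, a responder can verify that the contents are intact before treating the incident as real encryption. The following triage script is an added example, not code from the article or from Microsoft: it walks a directory for files carrying the reported `.crimson` suffix, checks whether each body still matches its original type (by magic bytes, or by a byte-entropy fallback for unknown types), and optionally strips the bogus suffix. The magic-byte table, the 7.5 bits/byte entropy threshold and the sample files in `demo()` are constructed assumptions for illustration.

```python
import hashlib
import math
import tempfile
from pathlib import Path

# Constructed table of leading bytes for common document types (assumption, not from the article).
MAGIC = {
    ".pdf": b"%PDF-",
    ".docx": b"PK\x03\x04",
    ".xlsx": b"PK\x03\x04",
    ".zip": b"PK\x03\x04",
    ".png": b"\x89PNG",
    ".jpg": b"\xff\xd8\xff",
}
FAKE_RANSOM_SUFFIX = ".crimson"  # the extension the article says StrRAT appends


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: ciphertext sits near 8.0, plain documents well below it."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in (data.count(b) for b in set(data)))


def looks_unencrypted(path: Path, sample: int = 4096) -> bool:
    """True when the body still looks like the original file type rather than ciphertext."""
    data = path.read_bytes()[:sample]
    inner_ext = Path(path.name[: -len(FAKE_RANSOM_SUFFIX)]).suffix.lower()
    magic = MAGIC.get(inner_ext)
    if magic is not None:
        return data.startswith(magic)
    return shannon_entropy(data) < 7.5  # assumed threshold for the unknown-type fallback


def triage_directory(root: Path, restore: bool = False) -> dict:
    """Classify every *.crimson file under root; with restore=True, strip the bogus suffix."""
    result = {"unencrypted": [], "suspicious": []}
    for path in root.rglob(f"*{FAKE_RANSOM_SUFFIX}"):
        if not path.is_file():
            continue
        if looks_unencrypted(path):
            result["unencrypted"].append(path)
            if restore:
                path.rename(path.with_name(path.name[: -len(FAKE_RANSOM_SUFFIX)]))
        else:
            result["suspicious"].append(path)  # high entropy: treat as possibly really encrypted
    return result


def demo() -> dict:
    """Triage a constructed sample tree: two renamed-only files and one high-entropy blob."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "invoice.pdf.crimson").write_bytes(b"%PDF-1.4\n%constructed sample\n")
        (root / "notes.txt.crimson").write_text("Q3 payment schedule, constructed sample\n")
        blob = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(128))
        (root / "data.bin.crimson").write_bytes(blob)
        before = triage_directory(root)
        triage_directory(root, restore=True)
        names = sorted(p.name for p in root.iterdir())
    return {"unencrypted": len(before["unencrypted"]),
            "suspicious": len(before["suspicious"]), "files_after": names}
```

Running `demo()` shows the PDF and text files recognised as merely renamed and restored, while the random-looking blob is left alone for closer inspection.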

According to Microsoft, the threat actors behind the campaign used compromised email accounts to send spam messages containing an image posing as a PDF attachment. When the image is opened, the malicious code connects to a domain to download the StrRAT payload.

To launch the campaign, the attackers used compromised email accounts to send several different emails. Some of the messages use the subject line “Outgoing payments”. Others refer to a specific payment supposedly made by the “Accounts Payable Department”, which is also how the emails are signed.

The version of the RAT that the researchers examined was 1.5, which is “notably more confusing and modular than previous versions,” according to one of the tweets. It keeps the same backdoor functions as earlier StrRAT versions that researchers have observed, including collecting browser passwords, executing PowerShell and remote commands, and logging keystrokes, among others. As we have always said: when you receive an email that makes you doubt, do not open it. Delete it and do not take the risk.

See also:
AHK, the new malicious RAT distribution campaign
RAT is a very Dangerous Malware
