A massive malware campaign pushed the Java-based STRRAT remote access trojan (RAT), known for its data theft capabilities and its ability to fake ransomware attacks.
In a series of tweets, the Microsoft Security Intelligence team outlined how this “massive email campaign” spread the fake ransomware payloads using compromised email accounts.
The spam emails lured recipients into opening what looked like PDF attachments but were instead images that downloaded the RAT malware when clicked.
“The emails contained an image that posed as a PDF attachment but, when opened, connected to a malicious domain to download the STRRAT malware,” Microsoft said.
“This RAT is infamous for its ransomware-like behavior of appending the file name extension .crimson to files without actually encrypting them.”
As the Microsoft Security Intelligence team mentioned in their tweets, the STRRAT malware is designed to fake a ransomware attack while stealing its victims’ data in the background.
G DATA malware analyst Karsten Hahn said in June 2020 that the malware infects Windows devices via email campaigns pushing malicious JAR (Java ARchive) packages that deliver the final RAT payload after going through two stages of VBScript scripts.
STRRAT logs keystrokes, allows its operators to run commands remotely, and harvests sensitive information including credentials from email clients and browsers such as Firefox, Internet Explorer, Chrome, Foxmail, Outlook, and Thunderbird.
It also gives attackers remote access to the infected machine by installing the open-source RDP Wrapper Library (RDPWrap), enabling Remote Desktop Host support on compromised Windows systems.
However, what makes it stand out from other RATs is its ransomware module, which does not encrypt any of the victims’ files but only appends the “.crimson” extension to them.
While this does not block access to the files’ contents, some victims might still be fooled and, possibly, give in to the attackers’ ransom demands.
“This might still work for extortion because such files can’t be opened anymore by double-clicking,” Hahn said.
“Windows associates the correct program to open files via their extension. If the extension is removed, the files can be opened as usual.”
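As an added example (not code from the article, Microsoft or G DATA), here is a Python triage script for the behavior Hahn describes: it checks whether files carrying the appended .crimson extension are merely renamed, using a constructed subset of file signatures with an entropy fallback, and renames intact ones back. The file names, the 7.5 bits/byte threshold and the fixture contents are assumptions made for the example.

```python
import math
import tempfile
from pathlib import Path

FAKE_EXT = ".crimson"  # the extension STRRAT appends without encrypting anything

# Constructed subset of file signatures used to confirm the content is untouched.
MAGIC = {".pdf": b"%PDF", ".png": b"\x89PNG", ".jpg": b"\xff\xd8\xff",
         ".zip": b"PK\x03\x04", ".docx": b"PK\x03\x04"}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte of the sample; genuine ciphertext sits close to 8.0."""
    if not data:
        return 0.0
    n = len(data)
    counts = [data.count(bytes([v])) for v in range(256)]
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def classify(path: Path, sample: int = 4096) -> str:
    """'intact' (only renamed), 'suspect' (looks encrypted) or 'not-crimson'."""
    if path.suffix != FAKE_EXT:
        return "not-crimson"
    head = path.read_bytes()[:sample]
    expected = MAGIC.get(Path(path.stem).suffix.lower())  # original type, e.g. .pdf
    if expected is not None:
        return "intact" if head.startswith(expected) else "suspect"
    # Unknown type: plain files rarely exceed ~7.5 bits/byte (assumed threshold).
    return "intact" if shannon_entropy(head) < 7.5 else "suspect"


def restore(root: Path, dry_run: bool = True) -> dict:
    """Map each *.crimson file under root to its verdict; rename intact ones back."""
    verdicts = {}
    for p in sorted(root.rglob(f"*{FAKE_EXT}")):
        verdicts[p.name] = classify(p)
        if verdicts[p.name] == "intact" and not dry_run:
            p.rename(p.with_name(p.stem))  # drop only the appended extension
    return verdicts


def demo() -> dict:
    """Constructed fixtures: two renamed-only files and one uniform-byte stand-in for ciphertext."""
    root = Path(tempfile.mkdtemp())
    (root / "report.pdf.crimson").write_bytes(b"%PDF-1.7\n% constructed sample\n")
    (root / "notes.txt.crimson").write_bytes(b"quarterly figures, not encrypted\n" * 20)
    (root / "enc.docx.crimson").write_bytes(bytes(range(256)) * 16)  # entropy 8.0
    verdicts = restore(root, dry_run=False)
    recovered = sorted(p.name for p in root.iterdir() if p.suffix != FAKE_EXT)
    return {"verdicts": verdicts, "recovered": recovered}
```

`demo()` builds the fixtures in a temporary directory and returns the verdicts plus the recovered names; `restore(root)` with the default dry run only reports, without renaming anything.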
As Microsoft found while analyzing last week’s massive STRRAT campaign, the malware’s developers haven’t stopped improving it, adding more obfuscation and expanding its modular architecture.
However, the RAT’s core functionality remained mostly untouched: it is still used to steal browser and email client credentials, run remote commands or PowerShell scripts, and log victims’ keystrokes.