Saturday, October 12, 2024
HomeMalwareJava-based STRRAT Malware RAT Attack Windows Users by Mimics as Ransomware

Java-based STRRAT Malware RAT Attack Windows Users by Mimics as Ransomware

Published on

Malware protection

Recently, a new malware campaign, STRRAT has been detected by the Microsoft security team, as per the security experts, the hackers are distributing a remote access Trojan (RAT) through this malware.

This malware is stealing data from the infected systems, and not only this but the malware is remarkable, as it always conceals itself as ransomware.

The researchers at the Microsoft security team have investigated the malware and realized that this malware can work as a backdoor on every affected host. 

- Advertisement - SIEM as a Service

The operators of this malware have specifically designed this malware to steal the credentials from the infected Windows systems. However, this is not the first time when experts detected this malware, as STRRAT has been initially detected in 2020. 

And the previous technical report claims that this malware had got a wide range of functions, that helps it to steal credentials and modify all local files on the infected machines.

Bot only that even the experts at Microsoft has also claimed that the STRRAT version 1.2, is currently witnessing a massive campaign so that they can distribute its STRRAT version 1.5.

Infection chain

In this malware campaign, the threat actors have used all the negotiated email account, and the main reason behind this is to transfer different emails accordingly.

However, the emails have different messages and subjects, thus some subjects lines are like “Outgoing Payments.” Apart from this, there are many other subjects like “Accounts Payable Department”, and that’s how every email was assigned by the hackers to achieve all their desired goals.

In this campaign, the threat actors use social engineering for all payment receipts in their email subjects, and the main motive of the hackers for doing this is to motivate people so that they will click on an attached file of malicious intent, that is masked as a legitimate file.

It enables the Remote Desktop Host support and installs the open-source RDP Wrapper Library (RDPWrap) on the compromised systems to provide remote access to its operators.

Browser affected

The operators of the STRRAT can easily run commands and harvest sensitive information on the infected systems remotely, as it has the ability to log all the keystrokes on the infected systems.

To exfiltrate sensitive data like credentials and run commands remotely the operators of STRRAT can abuse the major email clients and browsers like:-

  • Mozilla Firefox
  • Internet Explorer
  • Google Chrome
  • Foxmail
  • Microsoft Outlook
  • Thunderbird

Mitigation

Moreover, the cybersecurity analysts of the Microsoft security team have also mentioned some common mitigation to bypass this malware. As told that the Microsoft 365 Defender can help the victims to bypass the STRRAT malware campaign. 

Even they have also apprehended that the hackers are keeping their bogus encryption behavior in the same signal. So, in this meantime, the threat actors are aiming to make a lump-sum amount of money in a short period of time money through extortion.

The machine learning-based protections on the Microsoft 365 Defender detect blocks the malware on endpoints and directly alert the security experts regarding the malware.

Apart from all these things, the experts have also noted that the threat actors have added more obfuscation in this malware and expanded its modular architecture.

You can follow us on Linkedin, Twitter, Facebook for daily Cybersecurity and hacking news updates.

Balaji
Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Latest articles

Threat Actor ProKYC Selling Tools To Bypass Two-Factor Authentication

Threat actors are leveraging a newly discovered deepfake tool, ProKYC, to bypass two-factor authentication...

Mozilla Warns Of Firefox Zero-Day Actively Exploited In Cyber Attacks

A critical use-after-free vulnerability affecting Firefox and Firefox Extended Support Release (ESR) is being...

SpyCloud Embeds Identity Analytics in Cybercrime Investigations Solution to Accelerate Insider and Supply Chain Risk Analysis & Threat Actor Attribution

IDLink, SpyCloud’s new automated digital identity correlation capability, is now core to its industry-leading...

Abusix and Red Sift Form New Partnership, Leveraging Automation to Mitigate Cyber Attacks

The agreement has marked over 600,000 fraudulent domains for takedown in just two months...

Free Webinar

Protect Websites & APIs from Malware Attack

Malware targeting customer-facing websites and API applications poses significant risks, including compliance violations, defacements, and even blacklisting.

Join us for an insightful webinar featuring Vivek Gopalan, VP of Products at Indusface, as he shares effective strategies for safeguarding websites and APIs against malware.

Discussion points

Scan DOM, internal links, and JavaScript libraries for hidden malware.
Detect website defacements in real time.
Protect your brand by monitoring for potential blacklisting.
Prevent malware from infiltrating your server and cloud infrastructure.

More like this

LemonDuck Malware Exploiting SMB Vulnerabilities To Attack Windwos Servers

The attackers exploited the EternalBlue vulnerability to gain initial access to the observatory farm,...

DCRAt Attacking Users Via HTML Smuggling To Steal Login Credentials

In a new campaign that is aimed at users who speak Russian, the modular...

LummaC2 Stealer Leverages Customized Control Flow Indirection For Execution

The LummaC2 obfuscator employs a novel control flow protection scheme designed specifically for its...