Java-based STRRAT Malware RAT Attack Windows Users

Recently, a new malware campaign, STRRAT has been detected by the Microsoft security team, as per the security experts, the hackers are distributing a remote access Trojan (RAT) through this malware.

This malware is stealing data from the infected systems, and not only this but the malware is remarkable, as it always conceals itself as ransomware.

The researchers at the Microsoft security team have investigated the malware and realized that this malware can work as a backdoor on every affected host.

The operators of this malware have specifically designed this malware to steal the credentials from the infected Windows systems. However, this is not the first time when experts detected this malware, as STRRAT has been initially detected in 2020.

And the previous technical report claims that this malware had got a wide range of functions, that helps it to steal credentials and modify all local files on the infected machines.

Bot only that even the experts at Microsoft has also claimed that the STRRAT version 1.2, is currently witnessing a massive campaign so that they can distribute its STRRAT version 1.5.

Infection chain

In this malware campaign, the threat actors have used all the negotiated email account, and the main reason behind this is to transfer different emails accordingly.

However, the emails have different messages and subjects, thus some subjects lines are like “Outgoing Payments.” Apart from this, there are many other subjects like “Accounts Payable Department”, and that’s how every email was assigned by the hackers to achieve all their desired goals.

In this campaign, the threat actors use social engineering for all payment receipts in their email subjects, and the main motive of the hackers for doing this is to motivate people so that they will click on an attached file of malicious intent, that is masked as a legitimate file.

It enables the Remote Desktop Host support and installs the open-source RDP Wrapper Library (RDPWrap) on the compromised systems to provide remote access to its operators.

The latest version of the Java-based STRRAT malware (1.5) was seen being distributed in a massive email campaign last week. This RAT is infamous for its ransomware-like behavior of appending the file name extension .crimson to files without actually encrypting them. pic.twitter.com/mGow2sJupN
— Microsoft Threat Intelligence (@MsftSecIntel) May 19, 2021

Browser affected

The operators of the STRRAT can easily run commands and harvest sensitive information on the infected systems remotely, as it has the ability to log all the keystrokes on the infected systems.

To exfiltrate sensitive data like credentials and run commands remotely the operators of STRRAT can abuse the major email clients and browsers like:-

Mozilla Firefox
Internet Explorer
Google Chrome
Foxmail
Microsoft Outlook
Thunderbird

Mitigation

Moreover, the cybersecurity analysts of the Microsoft security team have also mentioned some common mitigation to bypass this malware. As told that the Microsoft 365 Defender can help the victims to bypass the STRRAT malware campaign.

Even they have also apprehended that the hackers are keeping their bogus encryption behavior in the same signal. So, in this meantime, the threat actors are aiming to make a lump-sum amount of money in a short period of time money through extortion.

The machine learning-based protections on the Microsoft 365 Defender detect blocks the malware on endpoints and directly alert the security experts regarding the malware.

Apart from all these things, the experts have also noted that the threat actors have added more obfuscation in this malware and expanded its modular architecture.

You can follow us on Linkedin, Twitter, Facebook for daily Cybersecurity and hacking news updates.