Microsoft warned of fake ransomware attacks – STRRAT Java Trojan

STRRAT Java Trojan
Written by Emma Davis

Microsoft has recorded a major campaign distributing the STRRAT Java Trojan, which gives its operators remote access (a RAT). The malware is known to steal data from victims while misleading them by simulating a ransomware attack.

A team of Microsoft researchers dedicated a series of tweets to a “massive email campaign” spreading the fake ransomware. The attackers sent the emails from compromised email accounts.

The malicious emails tried to get the recipient to open an attachment disguised as a PDF document. In fact, opening it downloaded a Trojan to the victim’s computer, giving the operator remote access.

The cybercriminals attached a file to the letters, which they passed off as a PDF. When the attachment was opened, the malware contacted the attacker’s domain and downloaded a Trojan to the recipient’s system. The latter, by the way, is famous for imitating the actions of ransomware, since it has the habit of adding the “.crimson” extension to the user’s files. The files themselves are not encrypted, Microsoft experts explained.

G DATA malware analyst Karsten Hahn said in June 2020 that the malware infects Windows devices via email campaigns pushing malicious JAR (Java ARchive) packages, which deliver the final RAT payload after passing through two stages of VBScript.
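The lure described above relies on the recipient trusting the file name rather than the file content. The following triage script is an added example written for this article, not code from Microsoft, G DATA or the STRRAT authors: it identifies an attachment by its bytes (a PDF header versus a ZIP container carrying META-INF/MANIFEST.MF, which is what a JAR is) and flags a JAR “passed off as a PDF” or hiding behind a double extension. The sample attachments are constructed inline and contain no real malware; the file names and the set of script extensions checked are assumptions for the demonstration.

```python
import io
import zipfile

# Constructed samples (not real malware). The first is a genuine PDF header; the
# other two are a minimal JAR (a ZIP containing META-INF/MANIFEST.MF) under a
# misleading name, mimicking an attachment "passed off as a PDF".
def _build_minimal_jar() -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\nMain-Class: Loader\n")
        zf.writestr("Loader.class", b"\xca\xfe\xba\xbe" + bytes(12))  # class-file magic only
    return buf.getvalue()

SAMPLES = {
    "invoice.pdf": b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog >>\nendobj\n%%EOF\n",
    "payment_advice.pdf": _build_minimal_jar(),
    "statement.pdf.jar": _build_minimal_jar(),
}

# Assumed list: the file types the RAT's own up-n-exec command dispatches to a runtime.
EXEC_EXTENSIONS = (".jar", ".js", ".vbs", ".wsf")


def sniff_type(data: bytes) -> str:
    """Identify the attachment by content, ignoring whatever the name claims."""
    if data.startswith(b"%PDF-"):
        return "pdf"
    if data[:2] == b"PK":  # ZIP local-file or end-of-central-directory signature
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names = zf.namelist()
        except zipfile.BadZipFile:
            return "zip-corrupt"
        if "META-INF/MANIFEST.MF" in names or any(n.endswith(".class") for n in names):
            return "jar"
        return "zip"
    return "unknown"


def triage_attachment(name: str, data: bytes) -> dict:
    """Compare the claimed type (extension) with the sniffed type and collect reasons to block."""
    lower = name.lower()
    claimed = lower.rsplit(".", 1)[-1] if "." in lower else ""
    actual = sniff_type(data)
    reasons = []
    if actual == "jar" and claimed != "jar":
        reasons.append(f"content is a JAR but the name claims .{claimed}")
    if lower.count(".") >= 2 and lower.endswith(EXEC_EXTENSIONS):
        reasons.append("double extension ending in a script/JAR type")
    if actual == "jar" or lower.endswith(EXEC_EXTENSIONS):
        reasons.append("executable attachment type (JAR/script)")
    return {"name": name, "claimed": claimed, "actual": actual,
            "suspicious": bool(reasons), "reasons": reasons}


def triage_all(samples=SAMPLES) -> dict:
    return {name: triage_attachment(name, data) for name, data in samples.items()}


if __name__ == "__main__":
    for name, verdict in triage_all().items():
        flag = "BLOCK" if verdict["suspicious"] else "allow"
        print(f"{flag:5} {name}: {verdict['actual']} ({'; '.join(verdict['reasons']) or 'ok'})")
```

The content check is the part that matters: a mail gateway that only looks at the extension passes `payment_advice.pdf`, while the ZIP/manifest test catches it. A real deployment would add more signatures and sandbox the detonation, but the principle (trust bytes, not names) is the same one Outlook applies when it blocks the JAR attachment outright.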

STRRAT spam email (image from Microsoft)

STRRAT logs keystrokes, lets its operators run commands remotely, and harvests sensitive information, including credentials from the browsers Firefox, Internet Explorer and Chrome and from the email clients Foxmail, Outlook and Thunderbird.

It also provides attackers with remote access to the infected machine by installing the open-source RDP Wrapper Library (RDPWrap), enabling Remote Desktop Host support on compromised Windows systems.

STRRAT infection chain (image from G DATA)

The version number “1.2” and the fact that this malware does not seem to have been described before indicate that this RAT is a fairly new player in the wild. The infection chain is not well thought out, as it defeats certain features of the intermediate layers in the chain. Also, no ransomware reports involving this RAT have been seen so far. Maybe the, for now, badly implemented ransomware module is just the first version of it.

The telemetry shows infection attempts on German customers. It should be noted that the number of potentially vulnerable systems is limited by the current infection chain:

  • Even though it is Java based, the RAT only works on Windows
  • Even though preparations have been made to overcome this, the current chain still needs a pre-installed JRE
  • Outlook blocks the email attachment

The second and third limitations are expected to be removed soon, because they are already prepared or easily implemented. The limitation to Windows, however, would require too many code modifications.

STRRAT features and command listing

The following table shows a list of all available commands.

Command         Description
reboot          Reboots the infected system
shutdown        Shuts down the infected system
uninstall       Removes persistence of the RAT by deleting the scheduled task and the autorun entries in the registry
disconnect      Closes the connection
down-n-exec     Downloads a file from a given URL and executes it
update          Disconnects, then executes a given file in the start menu
up-n-exec       Executes a file given by name. Chooses the appropriate runtime environment for files with a .jar, .js, .vbs or .wsf extension; every other file is executed with cmd.exe /c
remote-cmd      Executes commands with cmd.exe
power-shell     Executes commands with powershell.exe
file-manager    Provides commands to navigate, upload, download, delete and open files
keylogger       Logs keystrokes and sends them immediately
o-keylogger     Starts the offline keylogger, which saves logged keystrokes to a text file on the infected system
processes       Creates a process listing
startup-list    Uses WMI to compile a list of autorun entries
remote-screen   Remote control of the infected computer
rev-proxy       Reverse proxy
hrdp-new        Downloads and installs HRDPInst.exe [5], which stands for “Hidden RDP Installer”. Download URL: hxxp://wshsoft.company/multrdp(.)jpg
hrdp-res        Same as hrdp-new, but takes an argument containing a user name. The session for this user is logged off
chrome-pass     Extracts Chrome credentials
foxmail-pass    Extracts Foxmail credentials
outlook-pass    Extracts Outlook credentials
fox-pass        Extracts Firefox credentials
tb-pass         Extracts Thunderbird credentials
ie-pass         Extracts Internet Explorer credentials
all-pass        Extracts all credentials
chk-priv        Returns whether it is run as administrator or as a user
req-priv        Run as administrator
rw-encrypt      Appends the “.crimson” extension to files on the system
rw-decrypt      Removes the “.crimson” extension from files on the system
show-msg        Displays a message with notepad.exe

In fact, the trick with the extension and the supposed encryption serves solely to distract the user, because at the same time, in the background, the malware steals important data and transfers it to the operator.
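Because rw-encrypt only bolts “.crimson” onto file names, an incident responder can verify the “encryption” and undo it without touching the attacker’s rw-decrypt command. The script below is an added example written for this article, not code from G DATA, Microsoft or the malware: it classifies every “.crimson” file as merely renamed (recognisable header or low byte entropy) or as possibly encrypted (no known header and near-random bytes), and strips the suffix from the first group without overwriting anything. The victim directory, its file names and the 7.5 bits/byte entropy threshold are constructed assumptions for the demonstration.

```python
import hashlib
import math
import tempfile
from pathlib import Path

CRIMSON = ".crimson"
# Magic bytes of common document types (PDF, ZIP/Office, JPEG, PNG, legacy Office).
# A file that still starts with one of these has clearly not been encrypted.
KNOWN_MAGIC = (b"%PDF-", b"PK\x03\x04", b"\xff\xd8\xff", b"\x89PNG", b"\xd0\xcf\x11\xe0")


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; ciphertext approaches 8.0, text and most documents sit well below."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def looks_encrypted(data: bytes, threshold: float = 7.5) -> bool:
    """Assumed heuristic: a recognisable header means 'renamed only'; otherwise judge by entropy."""
    if data.startswith(KNOWN_MAGIC):
        return False
    return shannon_entropy(data) >= threshold


def assess_crimson_files(root: Path) -> dict:
    """Walk a directory and sort every .crimson file into renamed-only or possibly-encrypted."""
    verdict = {"renamed_only": [], "possibly_encrypted": []}
    for path in sorted(root.rglob(f"*{CRIMSON}")):
        key = "possibly_encrypted" if looks_encrypted(path.read_bytes()) else "renamed_only"
        verdict[key].append(path)
    return verdict


def restore_extension(paths, dry_run: bool = True) -> list:
    """Strip the bolted-on .crimson suffix; never clobber an existing file."""
    restored = []
    for path in paths:
        target = path.with_name(path.name[: -len(CRIMSON)])
        if target.exists():
            continue
        if not dry_run:
            path.rename(target)
        restored.append(target)
    return restored


def demo() -> dict:
    # Constructed victim directory: a text report and a small PDF that were only
    # renamed, plus one high-entropy blob standing in for genuinely encrypted data.
    root = Path(tempfile.mkdtemp())
    (root / "report.txt.crimson").write_bytes(b"Quarterly figures, internal only.\n" * 40)
    (root / "contract.pdf.crimson").write_bytes(
        b"%PDF-1.4\n1 0 obj << /Type /Catalog >> endobj\n" * 10)
    blob = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(128))  # 4 KiB, ~7.95 bits/byte
    (root / "secret.docx.crimson").write_bytes(blob)

    found = assess_crimson_files(root)
    restored = restore_extension(found["renamed_only"], dry_run=False)
    return {
        "renamed_only": [p.name for p in found["renamed_only"]],
        "possibly_encrypted": [p.name for p in found["possibly_encrypted"]],
        "restored": [p.name for p in restored],
    }


if __name__ == "__main__":
    for key, names in demo().items():
        print(f"{key}: {names}")
```

Two caveats for real use. Already-compressed formats without a listed header (archives in exotic containers, media files) score high on entropy and will land in the “possibly encrypted” bucket, so extend KNOWN_MAGIC for the estate you are cleaning and spot-check a few files by hand. And run the assessment on a forensic copy with dry_run=True first: the point of the exercise is to confirm that the data was never encrypted and that the real loss is the credentials and files STRRAT exfiltrated in the background.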

As you can see, STRRAT can record keystrokes, lets attackers run commands remotely, and extracts sensitive information such as credentials from email clients and from the Firefox, Internet Explorer and Chrome browsers.


About the author

Emma Davis

I'm a writer and content manager (I recently completed a bachelor's degree in Marketing at Gustavus Adolphus College). For now, I have a deep drive to study cyber security.
