Microsoft warned of fake ransomware attacks – STRRAT Java Trojan

STRRAT Java Trojan
STRRAT Java Trojan
Written by Emma Davis

Microsoft has recorded a major campaign to distribute the STRRAT Java Trojan, which provides remote access (RAT) to its operators. This malware is known to steal data from victims, while simultaneously misleading it by simulating a ransomware attack.

A team of Microsoft researchers dedicated a series of tweets to a “massive email campaign” spreading the fake ransomware. To do this, the attackers used compromised electronic mailboxes.

Malicious emails were trying to force the recipient to open an attachment disguised as a PDF document. In fact, in this way, a Trojan was downloaded to the victim’s computer, providing the operator with remote access.

The cybercriminals attached a file to the letters, which they passed off as PDF. When the attachment was opened, the malware contacted the attacker’s domain and downloaded a Trojan to the recipient’s system. The latter, by the way, is famous for imitating the actions of the ransomware, since it has the habit of adding the “.crimson” extension to the user’s files. The files themselves are not encrypted.explained by Microsoft experts

G DATA malware analyst Karsten Hahn said in June 2020 that the malware infects Windows devices via email campaigns pushing malicious JAR (Java ARchive) packages that deliver the finally RAT payload after going through two stages of VBScript scripts.

STRRAT Trojan Spam Email

STRRAT Spam (Image from Microsoft)

STRRAT logs keystrokes, allows its operators to run commands remotely, and harvests sensitive information including credentials from email clients and browsers including Firefox, Internet Explorer, Chrome, Foxmail, Outlook, and Thunderbird.

It also provides attackers with remote access to the infected machine by installing the open-source RDP Wrapper Library (RDPWrap), enabling Remote Desktop Host support on compromised Windows systems.

STRRAT Infection Chain

STRRAT Infection Chain (from G DATA)

The version number “1.2” and the fact that this malware doesn’t seem to be described before indicates that this RAT is a fairly new player in the wild. The infection chain is not well thought out as it makes void certain features of the intermediate layers in the chain. Also haven’t seen any ransomware reports involving this RAT. Maybe the, for now, badly implemented ransomware module is just the first version of it.

The telemetry shows infection attempts on German customers. It should be noted that the number of potentially vulnerable systems is limited by the current infection chain.

  • Even though it is Java based, the RAT only works on Windows
  • Even though preparations have been made to overcome this, the current chain still needs a pre-installed JRE
  • Outlook blocks the email attachment

Expected that the second and third limitations may be removed soon because they are already prepared or easily implemented. The limitation on Windows however would require too many code modifications.

STRRAT features and command listing

The following table shows a list of all available commands.

Command Description
reboot Reboots the infected system
shutdown Shuts down the infected system
uninstall Removes persistence of the RAT by deleting the scheduled task and autorun entries in the registry.
disconnect Closes the connection
down-n-exec Downloads a file from a given URL and executes it
update Disconnects, then executes a given file in the start menu.
up-n-exec Executes a file given by name. Chooses the appropriate runtime environment for files with .jar, .js, .vbs or .wsf extension. Every other file is executed with cmd.exe /c.
remote-cmd Executes commands with cmd.exe
power-shell Executes commands with powershell.exe
file-manager Provides commands to navigate, upload, download, delete and open files
keylogger Logs keystrokes and sends them immediately
o-keylogger Starts offline keylogger which saves logged keystrokes to a text file on the infected system
processes Create a process listing
startup-list Uses WMI to compile a list of autorun entries
remote-screen Remote control the infected computer
rev-proxy Reverse proxy
hrdp-new Downloads and installs HRDPInst.exe[5] which stands for “Hidden RDP Installer”. Download URL hxxp://wshsoft.company/multrdp(.)jpg
hrdp-res Same as hrdp-new, but takes an argument containing a user name. The session for this user is logged off.
chrome-pass Extracts Chrome credentials
foxmail-pass Extracts Foxmail credentials
outlook-pass Extracts Outlook credentials
fox-pass Extracts Firefox credentials
tb-pass Extracts Thunderbird credentials
ie-pass Extracts Internet Explorer credentials
all-pass Extracts all credentials
chk-priv Returns whether it is run as administrator or user
req-priv Run as administrator
rw-encrypt Appends “.crimson” extension to files on the system
rw-decrypt Removes “.crimson” extension from files on the system
show-msg Display a message with notepad.exe
In fact, the tricks with the extension and allegedly encrypting files are used solely to distract the user’s attention, because at the same time, in the background, the malware steals important files and transfers them to the operator.

As you see, STRRAT can record keystrokes, allows attackers to remotely run commands, and extract important information such as credentials from email clients and from browsers Firefox, Internet Explorer, Chrome.

Sending
User Review
0 (0 votes)
Comments Rating 0 (0 reviews)

About the author

Emma Davis

I'm writer and content manager (a short time ago completed a bachelor degree in Marketing from the Gustavus Adolphus College). For now, I have a deep drive to study cyber security.

Leave a Reply

Sending

This site uses Akismet to reduce spam. Learn how your comment data is processed.