Skip to main content

Microsoft has discovered an email campaign delivering Java-based access Trojans that can steal individual or organizational credentials and take over the control of systems. Microsoft Security intelligence team warned of an ongoing “StrRAT malware campaign” via the Twitter platform concerning attackers or hackers who used the 1.5 Java-based strRAT malware version. The hackers used the version to obtain confidential information from various browsing platforms and email users whose systems were infected by the malware. The security team reports that the malware starts with spam emails sent from compromised email accounts presented as a portable document format (pdf) attachment. Still, once the pdf is opened, it links to a malicious domain to download the StrRAT malware. Microsoft has developed 365 Defender to fight against this malware threat.

What Do We Know About StrRAT Malware?

StrRAT was first discovered in June 2020 by G Data, a German cybersecurity firm. G Data discovered windows malware in phishing emails containing malicious attachments. StrRAT malware has recently gained popularity through Microsoft tweets since May 2021. The main intention behind strRAT malware is to steal mail recipients and browsers’ credentials such as passwords, log keystrokes, execute remote commands, and PowerShell scripts. This malware uses a command-and-control (C2) server command to download additional payload onto the infected machine. StrRAT has an exceptional feature, which is not common to this specific type of malware,” ransomware encryption or decryption module”. The feature enhances the malware to modify file names to suggest encryption as the preceding step. However, the so-called encryption only renames files by appending the ‘.crimson’ extension to each files. The files can be opened as usual If the extension is removed. The malware authors are attackers who use spam mails with enticing subjects such as outgoing payments, new order, and confirmation of payments to lure the recipients into opening malicious Portable Document Format that claims to be payments. Still, in reality, they connect to a rogue domain to download the strRAT malware. The malware permits the installation of RDPWrap, an open source tool that enhance remote desktop Host support on windows. 

Who is The Primary Target of StrRAT Malware Campaign?

The main StrRAT malware campaign targets are all global email and browser users. This malware targets browsers such as; Firefox, Chrome, Thunderbird, Outlook, Fox mail, and Internet Explorer. Additionally, the Remote Access Trojans has seen targeting governmental, financial, and corporate institutions to access hard drives and download classified and illegal information. From regional perspectives, German customers are among the malware’s primary targets. 

How the StrRAT Malware Campaign Is Designed to Deliver the Malware?

The following section discusses how the StrRAT malware campaign is designed to deliver the malware to the target browsers and mail recipients.

#1. Spam Mail With Malicious Jar Attachments

The infection commences with a rather ordinary spam email containing malicious attachments known as a New Order jar, which entails wording like payment order, outgoing payments, new order, and confirmation of the order, among other luring email subjects. The New other mails use the subject refer to particular payment supposedly made by the accounts payable departments, a tactic through which mails are signed. Order jar is a simple dropper, which retrieves a VBScript from the resources, saves the script as bqhoonmpho.vbs to the user’s home directory, and executes it using wscript.exe.

#2. VBScript Downloads and Installs the Java for the RAT.

The VBScript has a large string in it and utilizes PowerShell to replace characters within the string. The replaced characters in the large string result in a base64 string, which is consequently decoded and implemented by PowerShell. The combined string is a VBScript that copies the packed version, downloads a Java Runtime Environment, and adds it to the registry. Through the above steps, the unpacked VBScript is ready to infect systems that have not installed JAVA. The unpacked VBScript has a built-in check, an additional feature that runs javaw.exe, verifying Java Runtime Environment has either 1.6 to 1.8 versions. The email attachment requires a JRE, which implies that the present infection chain misses the opening to function irrespective of the JRE system installation.  

#3. Initial Payload Analysis

The step entails various URLs which are observed when the jar file is obfuscated. In this step Java (low level) system hooks offer a very lightweight global keyboard and mouse listener for Java, which help estimate the malware’s potential to use log keystrokes.

StrRAT Malware Indicators of Compromise (IOCs)

Indicators of Compromise are pieces of forensic information, such as system files, system log entries, or network traffic that recognize potentially malevolent activities on a network or system. Information security professionals and digital forensic analysts use IOCs to detect malware infections, data breaches, and other security incidents. By monitoring IoCS, security teams can identify cyber-attacks and respond quickly to limit the security breach damages and prevent security breaches. Essentially, IOCs acts as red flags that aid the cybersecurity team to detect suspicious activities swiftly. 

Indicators of Compromise in StrRAT malware campaign include; Spam email, Java-based VBS dropper, VBScript based JAR dropper, Java Remote Access Trojans, and RDPWrap Spam email or phishing email is the ultimate start of the StrRAT malware campaign. Innocently enough, the end-users receive an email with portable documentation that appears legitimate, but a user often opts to open the attachment. JAVA Remote Access Trojans are programs that permit attackers to gain authorized access to a targeted computer without the victim’s consent. Trojan droppers silently install malicious web browser extensions that inject luring content into the victim’s Facebook platform page and spams the friend’s list with enticing messages containing malicious attachments to further its spread. The attached files may contain words like “watch this!!!” or other enticing phrases. If the recipient clicks and opens the attached files, it silently creates a folder on the recipient’s computer, into which it drops a zipped file involving three elements; BAT file, JAR file, and a Java installer. 

See Also 6 AI Technologies That Helps You Boost Your Productivity

Also check for: Microsoft-365-Defender-Hunting-Queries

[1] Spam email1124150.emle6b0a56662d1f0544257c63e63b2f85ad7215f0df3a7f5a689dee66f27e24db7
[2] Java based VBS dropperNEW ORDER.jar0f0e25e859bc6f21447ed196d557eb6cdba9737dd3de22a5183a505da0126302
[3] VBScript based JAR dropperbqhoonmpho.vbs
[4] Java RATntfsmgr.jar7c24d99685623b604aa4b2686e9c1b843a4243eb1b0b7b096d73bcae3d8d5a79
[5] RDPWrapmultrdp.jpgac92d4c6397eb4451095949ac485ef4ec38501d7bb6f475419529ae67e297753

How to Prevent the New StrRAT Malware Campaign?

We will list down some of the measures which you can take to counter the

  1. Search for IOAs (Indicator of Attack): IOAs include signs such as code execution, lateral movements, and behavioral actions. IOAs don’t tell how the attack is being carried out. Instead, it talks about the signs of in-progress attacks.
  2. Keep the systems up to date: Never miss applying the new upgrades or patches.
  3. Remove unwanted services: Disable unwanted ports, enforce to use of only secure network protocols, remove unused applications from the system.
  4. Fix latest vulnerabilities: Run the periodic VA scan and fix all vulnerabilities, especially remote execution vulnerabilities.
  5. Harden the system: Close all the configuration gaps and make the system more secure.
  6. Defense-in-Depth strategy: Don’t trust a single product. Deploy multiple layers of defense and use multiple different products for the defense.
  7. Cybersecurity training & awareness: Host training programs and create awareness about the vectors of cybersecurity.

Leave a Reply