Microsoft Security discovered malicious PDFs that download Java-based StrRAT, which can steal credentials & change file names but does not actually encrypt.
An email campaign is delivering a Java-based remote access trojan (RAT) that can not only steal credentials & take control of systems, but also presents as fake ransomware, Microsoft researchers have discovered.
The Microsoft Security Intelligence (MSI) team has outlined details of a “massive email campaign” delivering the StrRAT malware that they observed last week & reported in a series of tweets earlier this week.
StrRAT is a Java-based remote access tool that steals browser credentials, logs keystrokes & takes remote control of infected systems—all typical RAT behaviours, according to documentation MSI researchers posted on GitHub about the malware. The RAT also has a module that downloads an additional payload onto the infected machine when instructed by its command-&-control (C2) server, they noted.
StrRAT also has a unique feature not common to this type of malware: “a ransomware encryption/decryption module” that changes file names in a way that would suggest encryption is the next step. However, StrRAT stops short of this function, “appending the file name extension .crimson to files without actually encrypting them,” researchers commented in one of the tweets describing the attacks.
To start the campaign, attackers used compromised email accounts to send several different emails. Some of the messages use the subject line “Outgoing Payments.” Others refer to a specific payment supposedly made by the “Accounts Payable Department,” which is how the emails are signed.
The campaign includes several different emails that all use social engineering around payment receipts to encourage people to open an attached file that appears to be a PDF but is actually malicious.
One email informs the recipient that it includes an “Outgoing Payment” with a specific number – presumably, the attached PDF. Another addresses the message to a “Supplier” & appears to let the receiver know that “your payment has been released as per attached payment advice,” asking the recipient to verify adjustments made in the attached PDF.
The attached file in all these cases, however, is not a PDF at all, but instead connects the system to a malicious domain to download the StrRAT malware, which then connects to a C2 server.
The version of the RAT that researchers observed was 1.5, which is “notably more obfuscated & modular than previous versions,” according to one of the tweets. However, it maintains the same backdoor functions as previous versions of StrRAT that researchers have observed. These include collecting browser passwords, running remote commands & PowerShell, and logging keystrokes, among others.
Microsoft 365 Defender can protect systems from StrRAT: its machine learning-based protections detect & block the malware on endpoints, & Microsoft Defender for Office 365 detects the malicious emails, researchers observed.
They also published a series of advanced hunting queries on GitHub so that defenders can locate indicators of malicious behaviour related to StrRAT & similar threats in their environments.
To detect defence evasion behaviour, in which the malware attempts to discover the antivirus protection solutions in place on the compromised device, the following query can be used:
DeviceProcessEvents // advanced hunting table holding process-creation events, the source of the columns below
| where InitiatingProcessFileName in~ ("java.exe", "javaw.exe") and InitiatingProcessCommandLine has "roaming"
| where FileName == 'cmd.exe' and ProcessCommandLine has 'path antivirusproduct get displayname'
To look for emails containing domains known to be associated with delivering StrRAT malware, MSI recommended using the following query:
EmailUrlInfo // advanced hunting table holding URLs extracted from emails, the source of the UrlDomain column
| where UrlDomain has_any ('metroscaffingltg.co.uk', // list continues with the other domains published in the GitHub query
Finally, the following query looks for a scheduled task named “Skype,” which the StrRAT JAR file uses to create persistence on the targeted machine:
DeviceProcessEvents
| where InitiatingProcessFileName in~ ("java.exe", "javaw.exe")
| where FileName == 'cmd.exe' and ProcessCommandLine has_all ("schtasks /create", "tn Skype")
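As an added example (not Microsoft's code and not one of the GitHub queries), the following Python script re-implements the two process-event hunting rules above over constructed sample events, approximating KQL's term-based `has` matching so that "roaming" matches a path component but not a longer token. The event rows, user paths and the payload.jar file name are made up for the demonstration.

```python
import re

# Constructed sample rows shaped like DeviceProcessEvents (all values are made up).
SAMPLE_EVENTS = [
    {"InitiatingProcessFileName": "javaw.exe",
     "InitiatingProcessCommandLine": r"javaw.exe -jar C:\Users\alice\AppData\Roaming\payload.jar",
     "FileName": "cmd.exe",
     "ProcessCommandLine": "cmd.exe /c wmic path antivirusproduct get displayname"},
    {"InitiatingProcessFileName": "java.exe",
     "InitiatingProcessCommandLine": r"java.exe -jar C:\Users\alice\AppData\Roaming\payload.jar",
     "FileName": "cmd.exe",
     "ProcessCommandLine": "cmd.exe /c schtasks /create /sc minute /mo 30 /tn Skype "
                           r'/tr "C:\Users\alice\AppData\Roaming\payload.jar"'},
    # Java launched from Program Files: no "roaming" term, so the AV-discovery rule stays quiet.
    {"InitiatingProcessFileName": "java.exe",
     "InitiatingProcessCommandLine": r"C:\Program Files\Java\bin\java.exe -jar C:\Tools\app.jar",
     "FileName": "cmd.exe",
     "ProcessCommandLine": "cmd.exe /c wmic path antivirusproduct get displayname"},
]

JAVA_PROCS = {"java.exe", "javaw.exe"}  # mirrors in~ ("java.exe", "javaw.exe")

def kql_has(text: str, term: str) -> bool:
    """Approximates KQL 'has': case-insensitive match of a whole term or phrase,
    bounded by non-alphanumeric characters (so 'roaming' does not match 'roamingprofile')."""
    pattern = r"(?<![A-Za-z0-9_])" + re.escape(term) + r"(?![A-Za-z0-9_])"
    return re.search(pattern, text, re.IGNORECASE) is not None

def detect_av_discovery(ev: dict) -> bool:
    """Rule 1: Java running from a Roaming path spawns cmd.exe to enumerate AV products via WMI."""
    return (ev["InitiatingProcessFileName"].lower() in JAVA_PROCS
            and kql_has(ev["InitiatingProcessCommandLine"], "roaming")
            and ev["FileName"] == "cmd.exe"  # KQL == is case-sensitive, as in the query
            and kql_has(ev["ProcessCommandLine"], "path antivirusproduct get displayname"))

def detect_skype_task(ev: dict) -> bool:
    """Rule 2: Java spawns cmd.exe to create a scheduled task named 'Skype' (StrRAT persistence)."""
    return (ev["InitiatingProcessFileName"].lower() in JAVA_PROCS
            and ev["FileName"] == "cmd.exe"
            and all(kql_has(ev["ProcessCommandLine"], t) for t in ("schtasks /create", "tn Skype")))

def hunt(events: list) -> list:
    """Returns (row index, rule name) for every row that matches either rule."""
    rules = (("StrRAT AV discovery", detect_av_discovery), ("StrRAT Skype scheduled task", detect_skype_task))
    return [(i, name) for i, ev in enumerate(events) for name, rule in rules if rule(ev)]
```

Running `hunt(SAMPLE_EVENTS)` flags the first two rows and leaves the Program Files launch alone, which is the precision the "roaming" term buys the first query.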