
Cyble Detects STRRAT Version 1.6 Employing Dual String Obfuscation Techniques


Hackers behind the notorious malware known as STRRAT have recently adopted a new technique to distribute their latest version, 1.6. This development has posed a significant challenge for cybersecurity researchers and professionals who are working tirelessly to combat the growing threat of cybercrime.

According to a report by Cyble Research And Intelligence Labs (CRIL), the new infection chain begins with a spam email that carries a malicious PDF file as an attachment. The threat actors behind STRRAT have invested considerable time and resources into enhancing the malware, constantly adding tactics and features to evade detection and stay hidden on victim systems.

Version 1.6 of STRRAT goes beyond its predecessors by incorporating two string obfuscation techniques. These techniques encode the strings embedded in the malware’s code so that they cannot be read directly, which hampers both manual analysis and static detection. By layering the two obfuscation techniques, the hackers behind STRRAT not only make it harder for researchers to understand the malware’s full capabilities but also make it harder for users and their security tools to spot it on their systems.

The novel infection technique used by STRRAT involves a spam email campaign that tricks recipients into believing the message comes from a legitimate company. The attached PDF file is disguised as an invoice. When the recipient opens the PDF and clicks the download image embedded in it, a zip file is fetched from a suspicious URL. Inside the downloaded archive is a JavaScript file containing the encrypted STRRAT payload. Once executed, the JavaScript decrypts the payload and drops a zip file, disguised under the name “lypbtrtr.txt”, into a specific directory on the victim’s computer.

To persist on the victim’s system, STRRAT registers a Task Scheduler entry under the name “Skype.” This persistence mechanism keeps the malware active even after the system reboots. The updated version of STRRAT retains its ability to target popular internet browsers such as Chrome, Firefox, and Internet Explorer, as well as multiple email clients, including Outlook, Thunderbird, and Foxmail. The primary purpose of STRRAT is to steal sensitive information through keylogging and credential theft from web browsers and email clients.
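The persistence indicator above (a scheduled task named “Skype” and the dropped file “lypbtrtr.txt”) can be checked on an endpoint by inspecting Task Scheduler XML exports. The following is an added detection example, not Cyble’s code; it assumes that a genuine Skype task launches Skype.exe, and the task samples embedded in it are constructed for the demonstration (the article does not give STRRAT’s actual command line).

```python
"""Added example: flag Task Scheduler entries that reuse the name "Skype",
the persistence name the article attributes to STRRAT 1.6.  Input is the
XML format produced by `schtasks /query /xml`."""
import xml.etree.ElementTree as ET
from pathlib import PureWindowsPath

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
# Assumption: a genuine Skype task launches Skype.exe; any other binary under that name is suspect.
EXPECTED_BINARY = "skype.exe"
# File name the article reports STRRAT dropping before it sets up persistence.
DROPPED_FILE = "lypbtrtr.txt"


def analyse_task(xml_text: str) -> dict:
    """Return the task name, its action and the reasons (if any) it looks like STRRAT persistence."""
    root = ET.fromstring(xml_text)
    name = root.findtext("t:RegistrationInfo/t:URI", "", NS).strip("\\")
    action = root.find("t:Actions/t:Exec", NS)
    command = action.findtext("t:Command", "", NS) if action is not None else ""
    args = action.findtext("t:Arguments", "", NS) if action is not None else ""
    binary = PureWindowsPath(command.strip('"')).name.lower()
    reasons = []
    if name.lower() == "skype" and binary != EXPECTED_BINARY:
        reasons.append(f"task named Skype runs {binary or '<no command>'} rather than {EXPECTED_BINARY}")
    if DROPPED_FILE in f"{command} {args}".lower():
        reasons.append(f"action references the STRRAT drop file {DROPPED_FILE}")
    return {"task": name, "command": command, "arguments": args, "reasons": reasons}


# Constructed samples: a legitimate-looking Skype task and one that merely borrows the name.
# The second sample is illustrative; the real STRRAT command line is not reported in the article.
LEGIT_TASK = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\Skype</URI></RegistrationInfo>
  <Actions><Exec><Command>"C:\Program Files\Skype\Skype.exe"</Command></Exec></Actions>
</Task>"""
MASQUERADING_TASK = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\Skype</URI></RegistrationInfo>
  <Actions><Exec>
    <Command>C:\Windows\System32\wscript.exe</Command>
    <Arguments>"C:\Users\victim\AppData\Roaming\lypbtrtr.txt"</Arguments>
  </Exec></Actions>
</Task>"""

if __name__ == "__main__":
    for sample in (LEGIT_TASK, MASQUERADING_TASK):
        result = analyse_task(sample)
        verdict = "SUSPICIOUS" if result["reasons"] else "ok"
        print(f"{verdict:10} {result['task']}: {result['command']} {result['arguments']}".rstrip())
        for reason in result["reasons"]:
            print(f"           - {reason}")
```

On a live host, feed the function the output of `schtasks /query /xml` for each task; the same name check applies to any other legitimate product name an implant might borrow.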

The discovery of over 70 samples of STRRAT version 1.6 in the wild indicates an active and ongoing campaign. This continuous evolution of STRRAT, particularly with the introduction of version 1.6, shows the resolve of these threat actors to refine their tactics and evade detection. The combination of two obfuscation methods makes it even more challenging for cybersecurity experts to dissect the malware’s code and fully understand its capabilities.

In conclusion, the recent developments in the STRRAT malware highlight the constant threat posed by cybercriminals. Hackers are continuously adapting and evolving their techniques to stay one step ahead of cybersecurity professionals. It is crucial for individuals and organizations to remain vigilant and take proactive measures to protect themselves against such threats.
