
Hackers Use Weaponized PDF Files to Deploy STRRAT Malware


In 2020, a Java-based Remote Access Trojan (RAT) known as “STRRAT” drew attention for its keylogging and for stealing credentials from browsers and email clients. Since then the malware has been updated significantly: it now carries a ransomware module called “Crimson” and is delivered through multiple infection chains.

Researchers at Cyble Research and Intelligence Labs (CRIL) recently identified a new technique used to distribute the updated STRRAT (version 1.6), which also applies two string obfuscators to its code. The infection chain begins with a spam email that purports to come from an electronics company and carries a PDF attachment presented as an invoice.

When the recipient opens the PDF, it shows an image styled as a download button. Clicking the image downloads a ZIP file named “Invo-0728403.zip” from a remote URL. The ZIP contains a JavaScript file that carries the STRRAT payload in encrypted form; when the script runs, it decrypts the payload and writes it to a directory on disk.

Analysis of the dropped file shows that it is a JAR (Java Archive). Unpacking it yields a package directory named “carLambo” alongside META-INF, which holds the classes, resources, and the MANIFEST.MF file; together these confirm that the payload is STRRAT.
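The two archive stages described above (a ZIP wrapping a .js dropper, then a JAR with a "carLambo" package next to META-INF) can be triaged with a short script. This is an added example, not Cyble's tooling or any STRRAT code: both archives are constructed in memory so it runs offline, the package name “carLambo” and the ZIP name come from the report, and the Main-Class value and member file names are assumptions.

```python
"""Triage a ZIP or JAR attachment: flag script files inside a ZIP, and for a JAR
read META-INF/MANIFEST.MF and check the top-level packages against known indicators.
Added example; the sample archives are constructed here, not real samples."""
import io
import zipfile

# Windows Script Host / HTA extensions that should not arrive inside an "invoice" ZIP.
SCRIPT_EXTENSIONS = (".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta")
# Package directory the report associates with the STRRAT 1.6 JAR.
SUSPECT_PACKAGES = {"carLambo"}


def parse_manifest(text):
    """Parse MANIFEST.MF into a dict; a line starting with a space continues the previous value."""
    attrs = {}
    last = None
    for line in text.splitlines():
        if line.startswith(" ") and last:
            attrs[last] += line[1:]
        elif ":" in line:
            key, _, value = line.partition(":")
            last = key.strip()
            attrs[last] = value.strip()
    return attrs


def triage_archive(data):
    """Return a list of findings for an archive given as bytes (ZIP and JAR share the format)."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        scripts = [n for n in names if n.lower().endswith(SCRIPT_EXTENSIONS)]
        if scripts:
            findings.append("script-in-archive:" + ",".join(scripts))
        if "META-INF/MANIFEST.MF" in names:
            manifest = parse_manifest(zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace"))
            findings.append("jar-main-class:" + manifest.get("Main-Class", ""))
            packages = {n.split("/")[0] for n in names if "/" in n and not n.startswith("META-INF")}
            hits = packages & SUSPECT_PACKAGES
            if hits:
                findings.append("suspect-package:" + ",".join(sorted(hits)))
    return findings


def build_sample_invoice_zip():
    """Constructed lookalike of the Invo-0728403.zip stage: a ZIP holding one .js file (placeholder body)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Invo-0728403.js", "// placeholder, not the real dropper\n")
    return buf.getvalue()


def build_sample_jar():
    """Constructed JAR with the layout the report describes; Main-Class value is an assumption."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\r\nMain-Class: carLambo.Main\r\n\r\n")
        zf.writestr("carLambo/Main.class", b"\xca\xfe\xba\xbe")  # class-file magic only
        zf.writestr("resources/config.txt", "placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    for label, blob in (("zip", build_sample_invoice_zip()), ("jar", build_sample_jar())):
        print(label, triage_archive(blob))
```

Because a JAR is an ordinary ZIP, the same function covers both stages; on a real sample, pass the file's bytes to `triage_archive` and extend `SUSPECT_PACKAGES` as new indicators are published.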

The researchers also found that the latest variant renames its classes and applies two string obfuscators, Allatori and ZKM, whereas the previous version used only Allatori.

Since March 2023, STRRAT version 1.6 has been actively distributed through several infection chains, and more than 70 samples have been observed in the wild. For persistence the malware creates a scheduled task named “Skype”, and, as in earlier versions, it keeps its C&C (command and control) server details in a config.txt file that is AES-encrypted and then Base64-encoded.
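The “Skype” scheduled task is a cheap thing to hunt for: a task with that name whose action launches a Java runtime, a script host or a .jar is a mismatch worth investigating. The check below is an added example, not from the report. It parses the CSV that `schtasks /query /v /fo CSV` prints (English column names `TaskName` and `Task To Run`); the rows here are constructed, and the javaw.exe command line and the Skype.jar path are assumptions, not an observed STRRAT action.

```python
"""Flag scheduled tasks named "Skype" whose action runs Java or a script host.
Input is the CSV output of: schtasks /query /v /fo CSV
Added example with constructed rows; the "Task To Run" values are assumptions."""
import csv
import io

# Launchers a genuine Skype task has no reason to use.
SUSPECT_RUNNERS = ("java.exe", "javaw.exe", "wscript.exe", "cscript.exe", ".jar")

# Constructed sample: one task mimicking the reported persistence, one benign Windows task.
SAMPLE_SCHTASKS_CSV = r'''"HostName","TaskName","Next Run Time","Status","Logon Mode","Last Run Time","Last Result","Author","Task To Run"
"WS01","\Skype","N/A","Ready","Interactive only","N/A","0","WS01\user","C:\Program Files\Java\bin\javaw.exe -jar C:\Users\user\AppData\Roaming\Skype.jar"
"WS01","\Microsoft\Windows\Defrag\ScheduledDefrag","N/A","Ready","Interactive/Background","N/A","0","Microsoft Corporation","%windir%\system32\defrag.exe -c -h -o"
'''


def find_suspicious_tasks(csv_text, names=("skype",)):
    """Return (TaskName, Task To Run) pairs whose task name matches `names`
    (case-insensitive, last path component) and whose action uses a suspect launcher."""
    hits = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        name = row.get("TaskName", "")
        action = row.get("Task To Run", "")
        leaf = name.rsplit("\\", 1)[-1].lower()  # "\Skype" -> "skype"
        if leaf in names and any(tok in action.lower() for tok in SUSPECT_RUNNERS):
            hits.append((name, action))
    return hits


if __name__ == "__main__":
    for task_name, action in find_suspicious_tasks(SAMPLE_SCHTASKS_CSV):
        print(f"suspicious task {task_name!r}: {action}")
```

Note that `schtasks /v` repeats the header line before each task folder; `csv.DictReader` turns those repeats into rows whose `TaskName` is literally `TaskName`, which never matches, so no special handling is needed.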

The targeted browsers include Chrome, Firefox, and Internet Explorer, while the targeted email clients include Outlook, Thunderbird, and Foxmail.

To protect against STRRAT and similar threats, analysts recommend strong email filtering, verifying links and attachments before opening them, robust endpoint protection kept current with patches and updates, URL filtering to block known malicious sites, and regular security awareness training for employees.

In short, STRRAT version 1.6 stands out for its added ransomware module, its use of multiple infection chains, and its layered obfuscation. Robust email and endpoint controls, combined with cautious handling of attachments, reduce the risk from this malware and others like it.
