
Email Campaign Spreads StrRAT Fake-Ransomware RAT
2021-05-21 13:27

An email campaign is delivering a Java-based remote access trojan that can not only steal credentials and take control of systems, but also presents as fake ransomware, Microsoft researchers have discovered.

The Microsoft Security Intelligence team has outlined details of a "Massive email campaign" delivering the StrRAT malware that they observed last week and reported in a series of tweets earlier this week.

StrRAT is a Java-based remote access tool that steals browser credentials, logs keystrokes and takes remote control of infected systems, all typical RAT behaviors, MSI researchers wrote in documentation about the malware posted on GitHub.

StrRAT also has a feature that is uncommon for this type of malware: "a ransomware encryption/decryption module" that renames files in a way that suggests encryption is the next step, even though the files are not actually encrypted.

One email informs the recipient that it includes an "Outgoing Payment" with a specific number, presumably a reference to the attached PDF. Another addresses the message to a "Supplier" and tells the receiver that "Your payment has been released as per attached payment advice," asking the recipient to verify adjustments made in the attached PDF. In all of these cases the attachment is not a PDF at all; opening it connects the system to a malicious domain to download the StrRAT malware, which then connects to a C2 server.

Finally, the following query looks for a scheduled task named "Skype," which the StrRAT JAR file uses to create persistence on the targeted machine:

    DeviceProcessEvents
    | where InitiatingProcessFileName in~ ("Java.exe", "Javaw.exe")
    | where FileName == 'cmd.
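The same hunt expressed as standalone detection logic, as an added example that is not part of the article or of Microsoft's published query. It works over a handful of constructed process-creation records shaped like the DeviceProcessEvents columns the query names (initiating process, spawned file name, command line). The article only gives the parent/child pair (java.exe or javaw.exe spawning cmd.exe) and the task name "Skype"; the assumption added here is that the task is registered through schtasks with /create and /tn, so the command-line pattern and all sample events are illustrative, not captured telemetry.

```python
"""Flag java.exe/javaw.exe spawning cmd.exe to register a scheduled task named "Skype".

Added example, not Microsoft's query. Event records and the schtasks
command-line pattern are assumptions made for illustration.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcessEvent:
    """Subset of DeviceProcessEvents columns relevant to the hunt."""
    device_name: str
    initiating_process_file_name: str  # parent that spawned the process
    file_name: str                     # spawned process image name
    process_command_line: str          # full command line of the spawned process


# Parents the article's query matches with in~ (case-insensitive).
JAVA_PARENTS = {"java.exe", "javaw.exe"}

# Assumption: persistence is registered via schtasks /create ... /tn Skype.
# The task name may be quoted; any other arguments may appear in between.
SCHTASKS_SKYPE = re.compile(
    r'schtasks(?:\.exe)?\s+.*?/create\b.*?/tn\s+"?skype"?(?:\s|$)',
    re.IGNORECASE,
)


def is_strrat_persistence(event: ProcessEvent) -> bool:
    """True when a Java process launches cmd.exe to create the "Skype" task."""
    if event.initiating_process_file_name.lower() not in JAVA_PARENTS:
        return False
    if event.file_name.lower() != "cmd.exe":
        return False
    return SCHTASKS_SKYPE.search(event.process_command_line) is not None


def hunt(events):
    """Return the device names of every event that matches the persistence pattern."""
    return [e.device_name for e in events if is_strrat_persistence(e)]


# Constructed sample telemetry (not real captures): two hits, four benign records.
SAMPLE_EVENTS = [
    ProcessEvent("WS-0142", "java.exe", "cmd.exe",
                 'cmd.exe /c schtasks /create /sc minute /mo 30 /tn Skype /tr "C:\\Users\\a\\AppData\\Roaming\\update.jar"'),
    ProcessEvent("WS-0207", "JAVAW.EXE", "CMD.EXE",
                 'cmd /c schtasks.exe /create /tn "Skype" /sc onlogon /tr "javaw -jar C:\\Users\\b\\x.jar"'),
    # Java spawning cmd.exe for something unrelated: not a hit.
    ProcessEvent("WS-0310", "java.exe", "cmd.exe",
                 "cmd.exe /c schtasks /query /tn Skype"),
    # A task named Skype created by a non-Java parent (e.g. an admin): not a hit.
    ProcessEvent("WS-0311", "explorer.exe", "cmd.exe",
                 "cmd.exe /c schtasks /create /tn Skype /sc daily /tr C:\\Tools\\skype_backup.bat"),
    # Java spawning a different child: not a hit.
    ProcessEvent("WS-0412", "java.exe", "powershell.exe",
                 "powershell.exe -c schtasks /create /tn Skype /tr calc.exe"),
    # Java spawning cmd.exe with a different task name: not a hit.
    ProcessEvent("WS-0500", "javaw.exe", "cmd.exe",
                 "cmd.exe /c schtasks /create /tn Updater /sc hourly /tr C:\\app\\run.bat"),
]


if __name__ == "__main__":
    for device in hunt(SAMPLE_EVENTS):
        print("possible StrRAT persistence on", device)
```

The parent/child filter is what keeps the rule narrow: a task named "Skype" created by explorer.exe or a software deployment tool is ordinary, while Java launching cmd.exe to run schtasks is unusual on most endpoints. Tuning the command-line pattern is the part to revisit once you have real samples, since the article does not state how the task is registered.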


News URL

https://threatpost.com/email-campaign-fake-ransomware-rat/166378/