Microsoft Security discovered malicious PDFs that download Java-based StrRAT, which can steal credentials and change file names but doesn’t actually encrypt.

An email campaign is delivering a Java-based remote access trojan (RAT) that can not only steal credentials and take control of systems, but also presents as fake ransomware, Microsoft researchers have discovered.

The Microsoft Security Intelligence (MSI) team has outlined details of a “massive email campaign” delivering the StrRAT malware that they observed last week and reported in a series of tweets earlier this week.

StrRAT is a Java-based remote access tool that steals browser credentials, logs keystrokes and takes remote control of infected systems, all typical RAT behaviors, MSI researchers wrote in documentation about the malware posted on GitHub. The RAT also has a module that downloads an additional payload onto the infected machine when instructed by the command-and-control (C2) server, they said.

StrRAT also has a unique feature not common to this type of malware: “a ransomware encryption/decryption module” that changes file names in a way that would suggest encryption is the next step. However, StrRAT stops short of this function, “appending the file name extension .crimson to files without actually encrypting them,” researchers said in one of the tweets describing the attacks.

Attack Sequence

To launch the campaign, attackers used compromised email accounts to send several different emails. Some of the messages use the subject line “Outgoing Payments.” Others refer to a specific payment supposedly made by the “Accounts Payable Department,” which is how the emails are signed.

The campaign includes several different emails that all use social engineering around payment receipts to encourage people to click on an attached file that appears to be a PDF but that actually has malicious intent.

One email informs the recipient that it includes an “Outgoing Payment” with a specific number – presumably, the attached PDF. Another addresses the message to a “Supplier” and appears to let the receiver know that “your payment has been released as per attached payment advice,” asking the recipient to verify adjustments made in the attached PDF.

The attached file in all these cases, however, is not a PDF at all, but instead connects the system to a malicious domain to download the StrRAT malware, which then connects to a C2 server.

The version of the RAT that researchers observed was 1.5, which is “notably more obfuscated and modular than previous versions,” according to one of the tweets. However, it maintains the same backdoor functions as previous versions of StrRAT that researchers have observed. These include collecting browser passwords, running remote commands and PowerShell, and logging keystrokes, among others.

Mitigation

Microsoft 365 Defender can protect systems from StrRAT: its machine learning-based protections detect and block the malware on endpoints, while Microsoft Defender for Office 365 detects the malicious emails, researchers said.

They also published documents on GitHub with a series of advanced hunting queries so that defenders can locate indicators of malicious behavior related to StrRAT and similar threats in their environment.

To detect defense evasion behavior, in which the malware attempts to discover the antivirus products installed on the compromised device, the following query can be used:

DeviceProcessEvents
| where InitiatingProcessFileName in~("java.exe", "javaw.exe") and InitiatingProcessCommandLine has "roaming"
| where FileName == 'cmd.exe' and ProcessCommandLine has 'path antivirusproduct get displayname'

To look for emails containing domains known to be associated with delivering StrRAT malware, MSI recommended using the following query:

EmailUrlInfo
| where UrlDomain has_any ('metroscaffingltg.co.uk',
'pg-finacesolutions.co.uk',
'jpfletcherconsultancy.co.uk',
'buildersworlinc.co.uk',
'bentlyconstbuild.co.uk',
'alfredoscafeltd.co.uk',
'zincocorporation.co.uk',
'playerscircleinc.co.uk',
'tg-cranedinc.co.uk',
'adamridley.co.uk',
'westcoasttrustedtaxis.co.uk',
'sivospremiumclub.co.uk',
'gossyexperience.co.uk',
'jeffersonsandc.co.uk',
'fillinaresortsltd.co.uk',
'tk-consultancyltd.co.uk')

Finally, the following query looks for a scheduled task named “Skype,” which the StrRAT JAR file uses to create persistence on the targeted machine:

DeviceProcessEvents
| where InitiatingProcessFileName in~("java.exe","javaw.exe")
| where FileName == 'cmd.exe' and ProcessCommandLine has_all("schtasks /create", "tn Skype")
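The first and last of the hunting queries above share the same structure (a Java launcher spawning cmd.exe with a telltale command line). As an added example, not Microsoft's code or the page's own queries, the snippet below re-expresses that logic in Python and runs it over a few constructed DeviceProcessEvents-style records, so the rules can be exercised offline before being pointed at real telemetry. The KQL `in~`, `has` and `has_all` operators are approximated, and the user name, paths, JAR name and command lines in the sample events are constructed, not real indicators.

```python
import re
from dataclasses import dataclass

JAVA_LAUNCHERS = {"java.exe", "javaw.exe"}  # KQL in~ is case-insensitive

@dataclass
class ProcessEvent:  # the DeviceProcessEvents columns the two hunting queries rely on
    initiating_process_file_name: str
    initiating_process_command_line: str
    file_name: str
    process_command_line: str

def has_term(text: str, term: str) -> bool:
    """Approximate KQL `has`: case-insensitive, term bounded by non-alphanumerics."""
    return re.search(rf"(?<![a-z0-9]){re.escape(term)}(?![a-z0-9])", text, re.IGNORECASE) is not None

def spawned_by_java(ev: ProcessEvent) -> bool:
    return ev.initiating_process_file_name.lower() in JAVA_LAUNCHERS

def is_av_discovery(ev: ProcessEvent) -> bool:
    """First query: Java running from a Roaming path spawns cmd.exe to enumerate AV products."""
    return (spawned_by_java(ev) and ev.file_name == "cmd.exe"
            and has_term(ev.initiating_process_command_line, "roaming")
            and has_term(ev.process_command_line, "path antivirusproduct get displayname"))

def is_skype_task_persistence(ev: ProcessEvent) -> bool:
    """Last query: Java spawns cmd.exe to register a scheduled task named Skype (KQL has_all)."""
    return (spawned_by_java(ev) and ev.file_name == "cmd.exe"
            and all(has_term(ev.process_command_line, t) for t in ("schtasks /create", "tn Skype")))

def hunt(events):
    """Return (detection_name, event) pairs for every event matching either query."""
    checks = (("av_discovery", is_av_discovery), ("skype_task_persistence", is_skype_task_persistence))
    return [(name, ev) for ev in events for name, check in checks if check(ev)]

# Constructed sample telemetry: hypothetical user, paths and JAR name, not real indicators.
JAR = r"C:\Users\alice\AppData\Roaming\payment_advice.jar"
SAMPLE_EVENTS = [
    ProcessEvent("javaw.exe", f'"C:\\Program Files\\Java\\bin\\javaw.exe" -jar {JAR}',
                 "cmd.exe", "cmd.exe /c wmic path antivirusproduct get displayname"),
    ProcessEvent("java.exe", f"java.exe -jar {JAR}",
                 "cmd.exe", f'cmd.exe /c schtasks /create /tn Skype /tr "{JAR}"'),
    ProcessEvent("explorer.exe", "explorer.exe",  # benign: cmd.exe not spawned by Java
                 "cmd.exe", "cmd.exe /c schtasks /create /tn Backup /tr backup.bat"),
    ProcessEvent("java.exe", r"java.exe -jar C:\Tools\build.jar",  # benign: no Roaming path
                 "cmd.exe", "cmd.exe /c dir"),
]
```

Only the first two sample events fire, one per rule; the two benign events show that a scheduled task alone, or Java alone, is not enough to match.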
