StrRAT Fake Ransomware RAT Proliferates Via Email

StrRAT has been discovered by Microsoft Security, embedded within malicious PDFs which download the Java-based Malware. StrRAT can steal credentials and change file names, though in reality, it doesn’t encrypt these files. Due to StrRAT being a Remote-Access-Trojan(RAT), it has the capabilities to take control of a system. What makes the strain unusual is its habit of presenting itself as Ransomware, when it has no such ability. The Microsoft Security Intelligence (MSI) team has outlined details of a “massive email campaign” delivering the StrRAT malware that they observed last week and reported in a series of tweets earlier this week.

“StrRAT is a Java-based remote access tool which steals browser credentials, logs keystrokes and takes remote control of infected systems—all typical behaviors of RATs” MSI researchers described in documentation posted on GitHub about the malware. The RAT also has a module to download an additional payload onto the infected machine based on command-and-control (C2) server command, they said.

StrRAT’s unique feature is that it boasts a “ransomware encryption/decryption module” that changes filenames in a way that would suggest that encryption is the next step. StrRAT appends the file name extension .crimson, but it does not actually encrypt the files.

To launch the campaign, attackers used compromised email accounts to send several different emails. Some of the messages use the subject line “Outgoing Payments.” Others refer to a specific payment supposedly made by the “Accounts Payable Department,” which is how the emails are signed.

The campaign includes several different emails that all use social engineering around payment receipts to encourage people to click on an attached file that appears to be a PDF but that actually has malicious intent.

One email informs the recipient that it includes an “Outgoing Payment” with a specific number – presumably, the attached PDF. Another addresses the message to a “Supplier” and appears to let the receiver know that “your payment has been released as per attached payment advice,” asking the recipient to verify adjustments made in the attached PDF.

In all of these cases, the attached file is not a PDF but instead connects to a malicious domain to download StrRAT. It then connects to the C2 server.

The version of the RAT that researchers observed was 1.5, which is “notably more obfuscated and modular than previous versions,” according to one of the tweets. However, it maintains the same backdoor functions as previous versions of StrRAT that researchers have observed. These include collecting browser passwords, running remote commands and PowerShell, and logging keystrokes, among others.

StrRAT Analysis

Note: The analysis for StrRAT has been carried out by Gdata Software.

The infection starts with a rather ordinary spam email that has a malicious attachment named NEW ORDER.jar.

The Email shows a relationship to the Jar file. It is not clear if the uploader of the email redacted the email body or if the threat actors didn’t want to take their time to add any content. It should be noted that Outlook prevents access to email attachments with .jar extension. In this case, researchers applied a registry change to display it.

The NEW ORDER.jar is a simple dropper. It retrieves a VBScriptfrom the resources, saves the script as bqhoonmpho.vbs to the home directory of the user and executes it using wscript.exe.

The VBScript has a large string in it and uses PowerShell to replace characters in this string. The resulting base64 string is subsequently decoded and executed by PowerShell.

The unpacked layer is again a VBScript. This script will copy the packed version of itself to %APPDATA%\edeKbMYRtr.vbs. It will also download a Java Runtime Environment and add it to the registry. That way it may be prepared to infect systems that don’t have Java installed. It even has a built-in check that runs javaw.exe with the -version parameter to verify that the JRE has the version 1.6, 1.7 or 1.8.

The email attachment already requires a Java Runtime Environment (JRE) on the system, which means the current infection chain misses the opportunity to work regardless of the JRE installation. If this VBScript is ever shipped with a different initial infection step, it may enable the RAT to work on more systems.

The RAT has a focus on stealing credentials of browsers and email clients, and passwords via keylogging. It supports the following browsers and email clients: Firefox, Internet Explorer, Chrome, Foxmail, Outlook, Thunderbird.

STRRAT also allows installation of RDPWrap. The file is downloaded from hxxp://wshsoft.company/multrdp(.)jpg. RDWrap is an open source tool that enables Remote Desktop Host support on Windows.

There is also a ransomware module.

The commands used for the ransomware component are rw-encrypt for “encrypting” files, rw-decrypt for “decrypting” files and show-msg for displaying the ransom note.

Ransomware “encrytion” and “decryption” methods are in the class strpayload.l.

However, the so called “encryption” only renames files by appending the .crimson extension. This might still work for extortion because such files cannot be opened anymore by double-clicking. Windows associates the correct program to open files via their extension. If the extension is removed, the files can be opened as usual.

There is no ransom note template in the client of the RAT. The attacker can display anything they like with the show-msg command. It is possible that the server provides ransom note templates.