The new STRRAT malware allegedly uses compromised emails to hack Windows devices. Here’s why Microsoft Security Intelligence claims it’s alarming.
The new Java-based STRRAT remote access trojan (RAT) is allegedly targeting Windows devices. Some experts and other security researchers claimed that this new malware uses compromised emails to do this malicious activity.
And now the Microsoft Security Intelligence team is warning the public about the new STRRAT malware. In a series of tweets, the company explained how serious the new malware really is.
Microsoft Security Intelligence said that “the latest version of the Java-based STRRAT malware (1.5) was seen being distributed in a massive email campaign last week. This RAT is infamous for its ransomware-like behavior of appending the file name extension .crimson to files without actually encrypting them.”
Microsoft’s security experts and other researchers added that the “attackers used compromised email accounts to launch the email campaign. The emails contained an image that posed as a PDF attachment but, when opened, connected to a malicious domain to download the STRRAT malware.”
How the New Malware Works
Since the new STRRAT malware uses compromised emails, the hackers and other cyber attackers using it can easily fool users, because the messages really do come from legitimate accounts. Aside from this, Microsoft Security Intelligence explained that the malware also poses as ransomware to pressure unsuspecting victims while stealing their data in the background.
G DATA malware analyst Karsten Hahn said in June 2020 that the STRRAT malware infects Windows devices via email campaigns pushing malicious JAR (Java ARchive) packages, which deliver the final RAT payload after going through two VBScript stages.
Hahn added that the new computer virus logs keystrokes in the users’ devices. This method allows its operators to run commands remotely and gather sensitive user data. This includes credentials from email clients and browsers such as Internet Explorer, Google Chrome, Foxmail, Outlook, Thunderbird, and Firefox.
Security experts also explained that this computer virus gives hackers and other malicious actors remote access to the infected machine. It does this by installing the open-source RDP Wrapper Library, or RDPWrap.
After that, the computer virus will then activate Remote Desktop Host support on the compromised Windows systems. However, the thing that makes it stand out from other RATs is the ransomware module that doesn’t encrypt any of the victims’ files but will only append the “.crimson” extension to files.
Hahn added that “this might still work for extortion because such files cannot be opened anymore by double-clicking. Windows associates the correct program to open files via their extension. If the extension is removed, the files can be opened as usual.”
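As an added example (not code from the article or from any of the researchers quoted), a small Python triage script along the lines of what Hahn describes: it checks whether each .crimson file still carries a recognisable file header, flags files whose contents look genuinely encrypted, and strips the bogus extension only from intact files. The magic-byte table, the entropy threshold and the sample files are constructed assumptions.

```python
import math
import tempfile
from pathlib import Path

CRIMSON = ".crimson"
# Constructed table of file signatures (magic bytes): PDF, PNG, JPEG, ZIP/OOXML, legacy OLE2 Office.
MAGIC = (b"%PDF", b"\x89PNG", b"\xff\xd8\xff", b"PK\x03\x04", b"\xd0\xcf\x11\xe0")

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: ciphertext approaches 8.0, ordinary documents stay well below."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def classify_bytes(head: bytes) -> str:
    """'intact' if a known header survives, 'encrypted' if the bytes look random, else 'unknown'."""
    if head.startswith(MAGIC):
        return "intact"
    if shannon_entropy(head) > 7.5:  # assumed threshold; tune for your file mix
        return "encrypted"
    return "unknown"

def triage_crimson(root: Path, rename: bool = False) -> dict:
    """Find *.crimson files under root, classify each, and optionally strip the bogus extension."""
    report = {"intact": [], "encrypted": [], "unknown": []}
    for path in sorted(root.rglob(f"*{CRIMSON}")):
        with path.open("rb") as fh:
            verdict = classify_bytes(fh.read(4096))
        report[verdict].append(path.name)
        if rename and verdict == "intact":
            path.rename(path.with_name(path.name[: -len(CRIMSON)]))
    return report

def demo() -> dict:
    """Constructed sample: a PDF that was only renamed, and a file that stands in for real ciphertext."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "invoice.pdf.crimson").write_bytes(b"%PDF-1.7\n" + b"1 0 obj <<>> endobj\n" * 50)
        (root / "notes.txt.crimson").write_bytes(bytes(range(256)) * 8)  # uniform bytes, entropy 8.0
        report = triage_crimson(root, rename=True)
        report["restored"] = sorted(p.name for p in root.iterdir() if p.suffix != CRIMSON)
        return report

if __name__ == "__main__":
    print(demo())
```

Run it in dry mode first (rename=False) on a copy of the affected tree; any file reported as "encrypted" or "unknown" needs a closer look rather than a rename.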
As Microsoft found while analyzing last week’s massive campaign, the malware developers haven’t stopped improving it, adding more obfuscation and expanding its modular architecture. Nonetheless, the RAT’s main functionality has remained mostly untouched: it is still used to steal browser and email client credentials, run remote commands or PowerShell scripts, and log victims’ keystrokes.