On Thursday, Microsoft issued a significant warning regarding an extensive email campaign distributing the Java-based STRRAT malware, which disguises itself as ransomware while stealing sensitive information from compromised systems.

According to the Microsoft Security Intelligence team, this Remote Access Trojan (RAT) is notorious for mimicking ransomware by appending the file extension .crimson to files without actually encrypting them. The renaming is the disguise: it makes victims believe their data has been encrypted while the RAT's real work is stealing information.

The recently identified attack vector, detected by Microsoft last week, begins with spam emails sent from compromised accounts, featuring the subject line “Outgoing Payments.” These deceptive messages entice recipients to open malicious PDF documents that claim to contain financial remittance details. In reality, these documents connect to malicious domains, triggering the download of the STRRAT malware.

Once executed, STRRAT establishes connections to a command-and-control server and possesses a suite of features enabling it to capture browser passwords, log keystrokes, and execute remote commands, including PowerShell scripts.

The STRRAT malware first emerged in June 2020, with German cybersecurity firm G Data identifying it in phishing campaigns that distributed malicious Java Archive (JAR) files. G Data’s malware analyst Karsten Hahn explained that the RAT targets credentials from various browsers and email clients, employing keylogging techniques to capture sensitive information.

While the malware’s ransomware capabilities may appear threatening, they remain basic, as the only action taken during the “encryption” phase is the renaming of files with the .crimson suffix. Hahn noted that files can be accessed normally by simply removing this extension.
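Because the damage described here is a rename rather than real encryption, recovery is a matter of stripping the suffix. The following script is an added example (not code from the article, Microsoft or G Data) that does exactly that for a directory tree, with two defender-side safeguards the article's description calls for: it refuses to rename a file whose head looks like genuine ciphertext (a Shannon-entropy heuristic with an assumed cut-off of 7.5 bits per byte), and it never overwrites a file that already exists under the restored name. The file names and contents in the demonstration are constructed.

```python
"""Recover files that STRRAT's fake "encryption" merely renamed.

Added example, not code from the article or from Microsoft/G Data. It
assumes the behaviour the article describes: the RAT appends a .crimson
suffix without touching file contents, so restoring the original name is
enough. A defender should still verify that on the machine in front of
them, so files whose bytes look genuinely encrypted are left alone.
"""
import math
import os
import tempfile
from collections import Counter
from pathlib import Path

FAKE_SUFFIX = ".crimson"      # extension the article reports for STRRAT
ENTROPY_THRESHOLD = 7.5       # bits/byte; assumed cut-off, ciphertext is ~8.0
SAMPLE_BYTES = 4096           # only the head of each file is inspected


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of `data` (0.0 for empty input)."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def looks_encrypted(data: bytes) -> bool:
    """Heuristic: real ciphertext is close to 8 bits/byte, while text,
    PDFs, Office documents and similar sit well below the threshold."""
    return shannon_entropy(data[:SAMPLE_BYTES]) >= ENTROPY_THRESHOLD


def restored_name(name: str):
    """Name with the fake suffix removed, or None if `name` does not carry
    the suffix or removing it would leave an empty file name."""
    if not name.endswith(FAKE_SUFFIX):
        return None
    stem = name[: -len(FAKE_SUFFIX)]
    return stem or None


def restore_directory(root) -> dict:
    """Walk `root`, rename safe .crimson files back, and report the rest.

    Returns {"restored": [...], "skipped_encrypted": [...],
             "skipped_exists": [...]} with paths relative to `root`.
    """
    root = Path(root)
    report = {"restored": [], "skipped_encrypted": [], "skipped_exists": []}
    # Materialise the listing first so renames do not disturb the walk.
    for path in sorted(root.rglob("*" + FAKE_SUFFIX)):
        if not path.is_file():
            continue
        new_name = restored_name(path.name)
        if new_name is None:
            continue
        target = path.with_name(new_name)
        rel = str(path.relative_to(root))
        if target.exists():
            report["skipped_exists"].append(rel)      # never clobber data
            continue
        with open(path, "rb") as fh:
            head = fh.read(SAMPLE_BYTES)
        if looks_encrypted(head):
            report["skipped_encrypted"].append(rel)   # not a mere rename
            continue
        path.rename(target)
        report["restored"].append(rel)
    return report


if __name__ == "__main__":
    # Constructed demonstration: one fake-"encrypted" PDF, one file whose
    # content is random (what real ciphertext would look like), and one
    # name collision with a file that already exists.
    with tempfile.TemporaryDirectory() as tmp:
        Path(tmp, "invoice.pdf.crimson").write_bytes(b"%PDF-1.4\n" + b"remittance " * 300)
        Path(tmp, "secret.docx.crimson").write_bytes(os.urandom(4096))
        Path(tmp, "notes.txt").write_text("original")
        Path(tmp, "notes.txt.crimson").write_text("renamed copy")
        print(restore_directory(tmp))
```

Run it against a copy of the affected directory first and review the `skipped_encrypted` list by hand: anything there either was touched by something other than the rename described here or is a legitimately high-entropy file (archives, already-encrypted containers) that needs a closer look before its name is changed.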

Microsoft has also reported that version 1.5 of STRRAT demonstrates enhanced obfuscation and modularity compared to earlier versions. This evolution suggests that the attackers are adapting their methods, yet the unchanged nature of the bogus encryption indicates a potential focus on quick extortion from unsuspecting victims.

Indicators of compromise (IoCs) for this campaign can be accessed on GitHub and can be fed into blocklists and detection rules to defend against it.