Friday, May 21, 2021

Microsoft: Massive malware campaign delivers fake ransomware

By Sergiu Gatlan
May 20, 2021
(bleepingcomputer.com)



A massive malware campaign pushed the Java-based STRRAT remote access trojan (RAT), known for its data theft capabilities and the ability to fake ransomware attacks.

In a series of tweets, the Microsoft Security Intelligence team outlined how this "massive email campaign" spread the fake ransomware payloads using compromised email accounts.

The spam emails lured the recipients into opening what looked like PDF attachments but instead were images that downloaded the RAT malware when clicked.


"The emails contained an image that posed as a PDF attachment but, when opened, connected to a malicious domain to download the STRRAT malware," Microsoft said.

"This RAT is infamous for its ransomware-like behavior of appending the file name extension .crimson to files without actually encrypting them."
Image: Microsoft

As the Microsoft Security Intelligence team mentioned in their tweets, the STRRAT malware is designed to fake a ransomware attack while stealing its victims' data in the background.

G DATA malware analyst Karsten Hahn said in June 2020 that the malware infects Windows devices via email campaigns pushing malicious JAR (Java ARchive) packages that deliver the finally RAT payload after going through two stages of VBScript scripts.

STRRAT logs keystrokes, allows its operators to run commands remotely and harvests sensitive information including credentials from email clients and browsers including Firefox, Internet Explorer, Chrome, Foxmail, Outlook, and Thunderbird.

It also provides attackers with remote access to the infected machine by installing the open-source RDP Wrapper Library (RDPWrap), enabling Remote Desktop Host support on compromised Windows systems.
STRRAT infection chain (G DATA)

However, the thing that makes it stand out from other RATs is the ransomware module that doesn't encrypt any of the victims' files but will only append the ".crimson" extension to files.

While this doesn't block access to the files' contents, some victims might still get fooled and, potentially, give in to attackers' ransom demands.


"This might still work for extortion because such files cannot be opened anymore by double-clicking," Hahn said.

"Windows associates the correct program to open files via their extension. If the extension is removed, the files can be opened as usual."

As Microsoft found while analyzing last week's massive STRRAT campaign, the malware developers haven't stopped improving it, adding more obfuscation and expanding its modular architecture.

Nonetheless, the RAT's main functionality remained mostly untouched, as it is still used to steal browser and email client credentials, running remote commands or PowerShell scripts, and logging victims' keystrokes.

Related Articles:

Malware hidden in game cheats and mods used to target gamers

New Android malware spies on you while posing as a System Update

FBI spots spear-phishing posing as Truist Bank bank to deliver malware

Microsoft build tool abused to deliver password-stealing malware

Microsoft: Threat actors target aviation orgs with new malware


SERGIU GATLAN Sergiu Gatlan is a reporter who covered cybersecurity, technology, Apple, Google, and a few other topics at Softpedia for more than a decade. Email or Twitter DMs for tips.

No comments: