A Trojan Disguised as Ransomware

9029694273?profile=RESIZE_400xThe old trick of using a Trojan horse to deceive is still in vogue and using cyber as the lure.  A massive phishing campaign is distributing what looks like ransomware but is in fact trojan malware that creates a backdoor into Windows systems to steal usernames, passwords, and other information from victims.  Detailed by cybersecurity researchers at Microsoft, the latest version of the Java-based STRRAT malware is being sent out via a large email campaign, which uses compromised email accounts to distribute messages claiming to be related to payments, alongside an image posing as a PDF attachment that looks like it has information about the supposed transfer.  First spotted in June 2020, STRRAT is a remote access trojan (RAT) coded in Java that can act as a backdoor on infected hosts.  According to a technical analysis by German security firm GDATA, the RAT has a broad spectrum of features that vary from the ability to steal credentials to the ability to tamper with local files.[1]

When the user opens this file, they are connected to a malicious domain that downloads STRRAT malware onto the machine.   The updated version of the malware is what researchers describe as "notably more obfuscated and modular than previous versions", but it retains the same backdoor functions, including the ability to collect passwords, log keystrokes, run remote commands and PowerShell, and more ultimately giving the attacker full control over the infected machine.

As part of the infection process, the malware adds a .crimson file name extension to files in an attempt to make the attack look like ransomware – although no files are actually encrypted.  This could be an attempt to distract the victim and hide the fact that the PC has actually been compromised with a remote access trojan a highly stealthy form of malware, as opposed to a much more overt ransomware attack.

It is likely that this spam campaign or similar phishing campaign is still active as cybercriminals continue attempts to distribute STRRAT malware to more victims.  Based on how the malware is able to gain access to usernames and passwords, it is possible that anyone whose system becomes infected could see their email account abused by attackers in an effort to further spread STRRAT with new phishing emails.

Since the malware campaign relies on phishing emails, there are steps that can be taken to avoid becoming a new victim of the attack. These include being wary of unexpected or unusual messages, particularly those that appear to offer a financial incentive as well as taking caution when it comes to opening emails and attachments being delivered from strange or unknown email addresses.

Using antivirus software to detect and identify threats can also help prevent malicious emails from landing in inboxes in the first place, removing the risk of someone opening the message and clicking the malicious link.

Red Sky Alliance strongly recommends ongoing monitoring from both internal and external perspectives.  Internal monitoring is common practice,  however, external threats are often overlooked and can represent an early warning of impending attacks. 

Red Sky Alliance can provide both internal monitorings in tandem with RedXray notifications on external threats to include botnet activity, public data breaches, phishing, fraud, and general targeting.  Red Sky Alliance is in New Boston, NH   USA. We are a Cyber Threat Analysis and   Intelligence Service organization. For questions, comments, or assistance, please contact the lab directly at 1-844-492-7225, or feedback@wapacklabs.com.

Interested in a RedXray subscription to see what we can do for you?  Sign up here: https://www.wapacklabs.com/RedXray   

[1] https://www.zdnet.com/article/this-massive-phishing-campaign-delivers-password-stealing-malware-disguised-as-ransomware/

E-mail me when people leave their comments –

You need to be a member of Red Sky Alliance to add comments!