Jump to content
  • Microsoft: Massive malware campaign delivers fake ransomware


    mood

    • 807 views
    • 3 minutes
     Share


    • 807 views
    • 3 minutes

    Microsoft: Massive malware campaign delivers fake ransomware

     

    A massive malware campaign pushed the Java-based STRRAT remote access trojan (RAT), known for its data theft capabilities and the ability to fake ransomware attacks.

     

    In a series of tweets, the Microsoft Security Intelligence team outlined how this "massive email campaign" spread the fake ransomware payloads using compromised email accounts.

     

    The spam emails lured the recipients into opening what looked like PDF attachments but instead were images that downloaded the RAT malware when clicked.

    "The emails contained an image that posed as a PDF attachment but, when opened, connected to a malicious domain to download the STRRAT malware," Microsoft said.

    "This RAT is infamous for its ransomware-like behavior of appending the file name extension .crimson to files without actually encrypting them."

     

    STRRAT-spam-email.png

    Image: Microsoft

     

    As the Microsoft Security Intelligence team mentioned in their tweets, the STRRAT malware is designed to fake a ransomware attack while stealing its victims' data in the background.

    G DATA malware analyst Karsten Hahn said in June 2020 that the malware infects Windows devices via email campaigns pushing malicious JAR (Java ARchive) packages that deliver the finally RAT payload after going through two stages of VBScript scripts.

     

    STRRAT logs keystrokes, allows its operators to run commands remotely and harvests sensitive information including credentials from email clients and browsers including Firefox, Internet Explorer, Chrome, Foxmail, Outlook, and Thunderbird.

     

    It also provides attackers with remote access to the infected machine by installing the open-source RDP Wrapper Library (RDPWrap), enabling Remote Desktop Host support on compromised Windows systems.

     

    STRRAT-infection-chain.png

    STRRAT infection chain (G DATA)

     

    However, the thing that makes it stand out from other RATs is the ransomware module that doesn't encrypt any of the victims' files but will only append the ".crimson" extension to files.

     

    While this doesn't block access to the files' contents, some victims might still get fooled and, potentially, give in to attackers' ransom demands.

    "This might still work for extortion because such files cannot be opened anymore by double-clicking," Hahn said.

    "Windows associates the correct program to open files via their extension. If the extension is removed, the files can be opened as usual."

     

    As Microsoft found while analyzing last week's massive STRRAT campaign, the malware developers haven't stopped improving it, adding more obfuscation and expanding its modular architecture.

     

    Nonetheless, the RAT's main functionality remained mostly untouched, as it is still used to steal browser and email client credentials, running remote commands or PowerShell scripts, and logging victims' keystrokes.

     

     

    Source: Microsoft: Massive malware campaign delivers fake ransomware


    User Feedback

    Recommended Comments

    There are no comments to display.



    Join the conversation

    You can post now and register later. If you have an account, sign in now to post with your account.
    Note: Your post will require moderator approval before it will be visible.

    Guest
    Add a comment...

    ×   Pasted as rich text.   Paste as plain text instead

      Only 75 emoji are allowed.

    ×   Your link has been automatically embedded.   Display as a link instead

    ×   Your previous content has been restored.   Clear editor

    ×   You cannot paste images directly. Upload or insert images from URL.


  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...