The Microsoft Security Intelligence team has warned of a large malware campaign spreading a Java-based remote access trojan (RAT) that steals data and is known for its ransomware-like behaviour.
Called STRRAT, the malware appends the file name extension .crimson to files without actually encrypting them. The RAT is delivered via emails sent from compromised email accounts. The message contains an image that poses as a PDF attachment; opening it downloads the STRRAT malware instead.
This particular campaign delivers STRRAT version 1.5, which is more obfuscated and modular than previous versions, although its backdoor capabilities remain largely the same. The malware is able to collect browser passwords, run remote commands and PowerShell scripts, and log keystrokes.
The STRRAT malware was first spotted in June 2020. According to G Data's Karsten Hahn, the RAT infects Windows devices via email campaigns delivering malicious JAR (Java ARchive) packages, which drop the final RAT payload after passing through two stages of VBScript.
The RAT focuses on stealing credentials stored by browsers and email clients, and on capturing passwords via keylogging. It supports the following browsers and email clients: Firefox, Internet Explorer, Chrome, Foxmail, Outlook and Thunderbird.
One of its most interesting functions, however, is the trojan's ransomware module, which, instead of encrypting files, only renames them by appending the .crimson extension.
“This might still work for extortion because such files cannot be opened anymore by double-clicking. Windows associates the correct program to open files via their extension. If the extension is removed, the files can be opened as usual,” Hahn noted in his report last year.
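Because the module only renames files, recovery is a rename in the other direction. The following script is an added example, not code from the article or from G Data's report: it walks a directory tree, strips a trailing .crimson from every file name (case-insensitively, since Windows file names are case-insensitive), and before renaming sniffs each file's header against a small table of well-known format signatures so the operator can confirm the content really is untouched rather than trusting the claim blindly. The signature table, the sample directory it builds and the report structure are this example's own assumptions; the sample files are constructed inline.

```python
"""Restore files renamed by STRRAT's fake-ransomware module (added example).

STRRAT appends ".crimson" to file names and leaves the content alone, so
recovery is a rename. Each file's header is checked first so that files
whose bytes are not in a recognised format get flagged for manual review.
"""
import tempfile
from dataclasses import dataclass, field
from pathlib import Path
from typing import Optional

CRIMSON = ".crimson"

# Illustrative header signatures (assumption: a small table is enough here;
# extend it with the formats that matter in your environment).
MAGIC = {
    b"%PDF-": "pdf",
    b"PK\x03\x04": "zip/ooxml",                       # .docx/.xlsx/.pptx/.zip
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1": "ole2/office",  # legacy .doc/.xls
    b"\xff\xd8\xff": "jpeg",
    b"\x89PNG\r\n\x1a\n": "png",
}


@dataclass
class Report:
    restored: list = field(default_factory=list)    # renamed, header recognised
    unverified: list = field(default_factory=list)  # renamed, header unknown: review manually
    conflicts: list = field(default_factory=list)   # original name already exists, left untouched


def sniff(path: Path) -> Optional[str]:
    """Return the format name if the file's first bytes match a known signature."""
    with path.open("rb") as fh:
        head = fh.read(8)
    for sig, name in MAGIC.items():
        if head.startswith(sig):
            return name
    return None


def recover_crimson(root, dry_run: bool = False) -> Report:
    """Strip a trailing .crimson from every file under root and classify each file."""
    report = Report()
    for p in Path(root).rglob("*"):
        if not p.is_file() or not p.name.lower().endswith(CRIMSON):
            continue
        target = p.with_name(p.name[:-len(CRIMSON)])
        # Never overwrite a file that already has the original name.
        if target.name == "" or target.exists():
            report.conflicts.append(str(p))
            continue
        kind = sniff(p)
        if not dry_run:
            p.rename(target)
        (report.restored if kind else report.unverified).append(str(target))
    return report


def build_sample_tree(root: Path) -> None:
    """Write constructed sample files mimicking a directory hit by STRRAT."""
    (root / "docs").mkdir(parents=True, exist_ok=True)
    (root / "docs" / "invoice.pdf.crimson").write_bytes(b"%PDF-1.7\n%constructed\n")
    (root / "photo.JPG.CRIMSON").write_bytes(b"\xff\xd8\xff\xe0" + b"\x00" * 16)
    (root / "notes.txt.crimson").write_bytes(b"plain text, no magic header\n")
    (root / "dup.pdf").write_bytes(b"%PDF-1.4\n")          # original still present...
    (root / "dup.pdf.crimson").write_bytes(b"%PDF-1.4\n")  # ...so this must not overwrite it


def demo():
    """Build the constructed tree in a temp dir, run recovery, return (root, report)."""
    root = Path(tempfile.mkdtemp(prefix="strrat-"))
    build_sample_tree(root)
    return root, recover_crimson(root)


if __name__ == "__main__":
    root, report = demo()
    print("restored  :", report.restored)
    print("unverified:", report.unverified)
    print("conflicts :", report.conflicts)
```

Run it with `dry_run=True` first to see what would change. An unrecognised header does not by itself mean the file was encrypted (plain-text files have no signature), only that it needs a look before the rename is trusted; and restoring the names does nothing about the RAT itself, which still has to be removed from the host.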