Microsoft warns of malware campaign spreading a RAT masquerading as ransomware

The Microsoft security team has published details on Wednesday about a malware campaign that is currently spreading a remote access trojan named STRRAT that steals data from infected systems while masquerading as a ransomware attack.

According to the Microsoft Security Intelligence team, the campaign is currently leveraging a mass-spam distribution vector to bombard users with emails containing malicious PDF file attachments.

"Attackers used compromised email accounts to launch the email campaign," Microsoft said in a series of tweets last night. "The emails contained an image that posed as a PDF attachment but, when opened, connected to a malicious domain to download the STRRAT malware."

The latest version of the Java-based STRRAT malware (1.5) was seen being distributed in a massive email campaign last week. This RAT is infamous for its ransomware-like behavior of appending the file name extension .crimson to files without actually encrypting them. pic.twitter.com/mGow2sJupN

— Microsoft Threat Intelligence (@MsftSecIntel) May 19, 2021

What is STRRAT?

First spotted in June 2020, STRRAT is a remote access trojan (RAT) coded in Java that can act as a backdoor on infected hosts.

According to a technical analysis by German security firm G DATA, the RAT has a broad spectrum of features that vary from the ability to steal credentials to the ability to tamper with local files.

G DATA malware analyst Karsten Hahn said STRRAT could dump and steal credentials from the following browsers and email clients: Firefox, Internet Explorer, Chrome, Foxmail, Outlook, and Thunderbird.

STRRAT can also run custom shell or PowerShell commands received from an attacker's server. This allows the attacker to take full control over an infected host any time they wish.

If the attacker doesn't want to interact with the infected host through an intermediary server, they also have the option to use STRRAT to install RDWrap, an open-source tool that lets the attacker connect to the host via Remote Desktop Protocol (RDP) sessions.

The fake ransomware routine

But the feature that stands apart from most other RAT strains is STRRAT's so-called encryption routine.

"However, the so called 'encryption' only renames files by appending the .crimson extension," Hahn said last year.

"This might still work for extortion because such files cannot be opened anymore by double-clicking," he said. "If the extension is removed, the files can be opened as usual."

But while Hahn analyzed STRRAT v1.2, Microsoft said yesterday that this fake encryption behavior is still present in STRRAT v1.5, which the company saw being distributed in the wild last week.

Users or companies that find their files encrypted using the .crimson extension are recommended to remove the extension. This should be done on a test file first, as other (genuine) ransomware strains may also be using this extension. If the files can be opened after removing the .crimson extension, then the computer was most likely infected with the STRRAT, and the infection will need to be addressed by a security professional.