Microsoft warns of malware campaign spreading a RAT masquerading as ransomware
Catalin Cimpanu May 20, 2021

Microsoft warns of malware campaign spreading a RAT masquerading as ransomware

Microsoft warns of malware campaign spreading a RAT masquerading as ransomware

The Microsoft security team has published details on Wednesday about a malware campaign that is currently spreading a remote access trojan named STRRAT that steals data from infected systems while masquerading as a ransomware attack.

According to the Microsoft Security Intelligence team, the campaign is currently leveraging a mass-spam distribution vector to bombard users with emails containing malicious PDF file attachments.

“Attackers used compromised email accounts to launch the email campaign,” Microsoft said in a series of tweets last night. “The emails contained an image that posed as a PDF attachment but, when opened, connected to a malicious domain to download the STRRAT malware.”

What is STRRAT?

First spotted in June 2020, STRRAT is a remote access trojan (RAT) coded in Java that can act as a backdoor on infected hosts.

According to a technical analysis by German security firm G DATA, the RAT has a broad spectrum of features that vary from the ability to steal credentials to the ability to tamper with local files.

G DATA malware analyst Karsten Hahn said STRRAT could dump and steal credentials from the following browsers and email clients: Firefox, Internet Explorer, Chrome, Foxmail, Outlook, and Thunderbird.

STRRAT can also run custom shell or PowerShell commands received from an attacker’s server. This allows the attacker to take full control over an infected host any time they wish.

If the attacker doesn’t want to interact with the infected host through an intermediary server, they also have the option to use STRRAT to install RDWrap, an open-source tool that lets the attacker connect to the host via Remote Desktop Protocol (RDP) sessions.

The fake ransomware routine

But the feature that stands apart from most other RAT strains is STRRAT’s so-called encryption routine.

“However, the so called ‘encryption’ only renames files by appending the .crimson extension,” Hahn said last year.

This might still work for extortion because such files cannot be opened anymore by double-clicking,” he said. “If the extension is removed, the files can be opened as usual.”

But while Hahn analyzed STRRAT v1.2, Microsoft said yesterday that this fake encryption behavior is still present in STRRAT v1.5, which the company saw being distributed in the wild last week.

Users or companies that find their files encrypted using the .crimson extension are recommended to remove the extension. This should be done on a test file first, as other (genuine) ransomware strains may also be using this extension. If the files can be opened after removing the .crimson extension, then the computer was most likely infected with the STRRAT, and the infection will need to be addressed by a security professional.

Catalin Cimpanu is a cybersecurity reporter for The Record. He previously worked at ZDNet and Bleeping Computer, where he became a well-known name in the industry for his constant scoops on new vulnerabilities, cyberattacks, and law enforcement actions against hackers.