[MART] - Daily Diary #436 - STRRAT Delivered Via A New Phishing Campaign

CTAS-MAT ctas-mat at appgate.com
Fri Jan 21 21:50:10 UTC 2022


Hello,

I hope everyone is doing well!

Below is the entry for today.

01/21/2022 - Diary entry #436:

A new phishing campaign was observed this week impersonating Maersk, a worldwide conglomerate in the shipping industry, delivering a Java-based RAT (Remote Access Trojan) known as STRRAT, targeting Windows users.

STRRAT is a multi-capability Remote Access Trojan that first appeared in 2020. It can steal browser credentials, log keystrokes, take remote control of infected systems, and deploy additional payloads onto the compromised machine. It also has a module that simulates ransomware behavior, appending the file name extension ".crimson" to files without actually encrypting them. The remote control module works by dropping a remote access tool named HRDP.

Older STRRAT campaigns delivered the final payload using malicious Office documents containing macro code. In this new campaign, STRRAT's final payload is attached directly to the emails. The payload is obfuscated with a Java obfuscator named Allatori, which can be easily undone with open-source Java deobfuscators.

STRRAT's configuration is encrypted with AES. Curiously, among its strings we can find "khonsari", the name of a ransomware variant that emerged after the Log4J vulnerabilities were disclosed. However, there is no evidence that the two are related.
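Because the ".crimson" module described above only renames files, responders can tell a STRRAT "encryption" incident apart from a real one by checking whether the renamed content is still intact. The triage script below is an added example, not code from the diary or from Appgate; the file names, magic-byte table and 7.5 bits/byte entropy threshold are my own assumptions, and the sample files it builds are constructed, not real STRRAT output.

```python
import math
import random
import tempfile
from pathlib import Path

FAKE_EXT = ".crimson"  # extension STRRAT's fake-ransomware module appends

# Magic bytes of common file types (assumed list). If a header survives,
# the file was only renamed, not encrypted.
MAGICS = (b"PK\x03\x04", b"\xff\xd8\xff", b"%PDF", b"\x89PNG")

def shannon_entropy(data: bytes) -> float:
    """Bits per byte; ~8.0 for ciphertext, far lower for ordinary documents."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def classify(path: Path) -> str:
    """'renamed-only' if the content is plainly intact, else 'likely-encrypted'."""
    head = path.read_bytes()[:4096]
    if any(head.startswith(m) for m in MAGICS):
        return "renamed-only"
    # Genuine encryption output is close to uniformly random (assumed threshold 7.5).
    return "likely-encrypted" if shannon_entropy(head) > 7.5 else "renamed-only"

def triage(root: Path, restore: bool = False) -> dict:
    """Find *.crimson files under root; optionally strip the extension from intact ones."""
    results = {}
    for p in root.rglob(f"*{FAKE_EXT}"):
        verdict = classify(p)
        results[p.name] = verdict
        if restore and verdict == "renamed-only":
            p.rename(p.with_name(p.name[: -len(FAKE_EXT)]))  # undo the rename
    return results

def demo() -> dict:
    """Constructed sample tree: two merely renamed files and one random blob."""
    root = Path(tempfile.mkdtemp())
    (root / "invoice.pdf.crimson").write_bytes(b"%PDF-1.4\n" + b"hello " * 200)
    (root / "notes.txt.crimson").write_bytes(b"plain text, not encrypted\n" * 50)
    (root / "random.bin.crimson").write_bytes(random.Random(1).randbytes(4096))
    return triage(root, restore=True)

if __name__ == "__main__":
    print(demo())
```

On a live host, run `triage` with `restore=False` first and review the verdicts before renaming anything back.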

Kind Regards,




Felipe Tarijon de Almeida
Malware Analyst
Appgate

E: felipe.tarijon at appgate.com<mailto:felipe.tarijon at appgate.com>
C: +55 11 97467 9549
