Microsoft warns of a “massive email campaign” that uses a Java-based STRRAT malware to steal confidential data from infected systems while disguising itself as a ransomware infection.
The Microsoft Security Intelligence team stated that the RAT is infamous for its ransomware-like behavior of appending the file name extension .crimson to files without actually encrypting them.
The new wave of attacks, which the company discovered last week, begins with spam emails sent from compromised email accounts with the subject line “Outgoing Payments”. The emails trick recipients into opening malicious PDF documents that claim to be remittances but in reality connect to a rogue domain to download the STRRAT malware.
Besides establishing connections to a command-and-control server during execution, the malware comes with several features that allow it to collect browser passwords, log keystrokes, and run remote commands and PowerShell scripts.
STRRAT first emerged in June 2020, with German cybersecurity firm G Data observing the Windows malware (version 1.2) in phishing emails containing malicious Jar (or Java Archive) attachments.
G Data malware analyst Karsten Hahn stated that the RAT focuses on stealing credentials from browsers and email clients, and capturing passwords via keylogging. It supports the following browsers and email clients: Firefox, Internet Explorer, Chrome, Foxmail, Outlook, Thunderbird.
However, its ransomware capabilities are basic in that the “encryption” stage only renames files by suffixing the “.crimson” extension. If the extension is removed, the files can be opened as usual.
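Because the “encryption” stage only renames files, recovery on an affected host is a matter of confirming that the content is untouched and then stripping the suffix. The script below is an added example written for this article; it is not tooling from Microsoft or G Data. The magic-byte table, the `classify`/`recover` function names and the rename policy are assumptions for illustration. It checks each `*.crimson` file's leading bytes against what the original extension should carry, restores only files whose content still matches, and leaves anything that does not match for an analyst, since a mismatch means something other than a plain rename happened.

```python
"""Triage and recovery for files carrying the '.crimson' suffix.

Added example, not Microsoft's or G Data's tooling. The magic-byte table,
the directory walk and the rename policy are assumptions for illustration.
"""
from __future__ import annotations

import os
import sys
from pathlib import Path

CRIMSON_SUFFIX = ".crimson"

# Leading bytes expected for common original extensions (constructed table,
# not taken from the article). Used to confirm the content was not altered.
MAGIC_BY_EXT: dict[str, tuple[bytes, ...]] = {
    ".pdf": (b"%PDF",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".gif": (b"GIF87a", b"GIF89a"),
    ".zip": (b"PK\x03\x04",),
    ".jar": (b"PK\x03\x04",),
    ".docx": (b"PK\x03\x04",),
    ".xlsx": (b"PK\x03\x04",),
    ".exe": (b"MZ",),
}


def classify(path: Path) -> str:
    """Return 'intact', 'mismatch' or 'unknown' for one *.crimson file.

    'intact'   : the original extension has a known magic and the bytes
                 match, i.e. the file was only renamed, as described above.
    'mismatch' : the magic does not match; the content really was altered,
                 so it must not be treated as a rename-only case.
    'unknown'  : no magic known for that extension; needs manual review.
    """
    stem = path.name[: -len(CRIMSON_SUFFIX)]
    if not stem:  # a file literally named ".crimson" has nothing to restore
        return "unknown"
    expected = MAGIC_BY_EXT.get(Path(stem).suffix.lower())
    if expected is None:
        return "unknown"
    with path.open("rb") as fh:
        head = fh.read(max(len(m) for m in expected))
    return "intact" if any(head.startswith(m) for m in expected) else "mismatch"


def recover(root: Path, rename_unknown: bool = False) -> dict[str, list[Path]]:
    """Walk root, strip the suffix from rename-only files, report the rest.

    Returns a mapping verdict -> paths (as found, before renaming) so the
    outcome can be logged and reviewed rather than silently trusted.
    """
    report: dict[str, list[Path]] = {"intact": [], "mismatch": [], "unknown": []}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.endswith(CRIMSON_SUFFIX) or name == CRIMSON_SUFFIX:
                continue
            path = Path(dirpath) / name
            verdict = classify(path)
            report[verdict].append(path)
            if verdict == "intact" or (verdict == "unknown" and rename_unknown):
                restored = path.with_name(name[: -len(CRIMSON_SUFFIX)])
                if not restored.exists():  # never clobber an existing file
                    path.rename(restored)
    return report


if __name__ == "__main__":
    # Usage: python recover_crimson.py <directory> [--rename-unknown]
    target = Path(sys.argv[1]) if len(sys.argv) > 1 else Path(".")
    result = recover(target, rename_unknown="--rename-unknown" in sys.argv)
    for verdict, paths in result.items():
        print(f"{verdict}: {len(paths)} file(s)")
        for p in paths:
            print(f"  {p}")
```

The magic-byte check only inspects the file header, so it distinguishes a pure rename from wholesale overwriting but would not catch a payload that left headers alone and altered the body; where backups or file hashes exist, comparing against those is the stronger confirmation. The `mismatch` and `unknown` buckets exist precisely so that such files are surfaced rather than quietly renamed.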
Microsoft also notes that version 1.5 is more obfuscated and modular than previous versions, suggesting that the attackers behind the operation are actively working to improve their toolset.