.CRIMSON Ransomware Module Shipped With Java STRRAT to Steal Account Credentials

Recent malware news uncovered a malware strain called STRRAT that ships with the .CRIMSON ransomware module. STRRAT isn't the only malware making the news since security researchers also found a new threat that modifies the Discord client for Windows to steal account credentials and a new malware family that comes from a previously unknown threat actor.

What is STRRAT and the .CRIMSON Module?

G Data Solutions researchers noticed the STRRAT infection beginning with spam emails. The email arrived with the attachment 'NEW ORDER.jar.' When the attachment is opened, it reveals a dropped responsible for retrieving a VBScript, saved under the name 'bqhoonmpho.vbs.' The string leveraged PowerShell to replace characters. It also downloads Java Runtime Environment to infect machines on which Java wasn't installed.

Analysis of the .jar payload written by the VBScript to "%APPDATA%\ntfsmgr.jar shows a strpayload package. Method "F" in class strpayload.r was responsible for building the data stream about the infected system. The string turned out to be the STRRAT 1.2 malware threat after an analysis was performed. Following deobfuscation efforts, G Data Solutions researchers found STRRAT was made to steal credentials and passwords from email clients and browsers through keylogging. The malware also comes with a ransomware module appending files with the .CRIMSON extension. In an unexpected twist, victims can reportedly recover their data by simply removing the extension from affected file names.

How Users May Defend Against Emails with Malicious Payloads

Security for organizations and individual users can help defend themselves from malicious payloads by having better security awareness. Organizations can do that through awareness training to educate the employees about the dangers of email phishing. Training should include simulated phishing to test the employee familiarity with such messages and dissuade them from falling victim to such plots.
Information security personnel should boost that with technical measures, such as banners that flag emails from untrusted sources. That is especially important for any emails coming from blacklisted domains, so there can be no chance of any macros being executed from any email attachments.

Cybercriminals can use the STRRAT malware to steal credentials saved on web browsers and email clients. It means the threat actors can use this remote access Trojan to steal accounts and use them for fraudulent transactions, purchases, malware spam, and more. The keylogging function makes it especially dangerous, as the attackers can gather information such as email addresses, usernames, passwords, credit card data, and other sensitive information. RATs can be used to execute commands that allow attackers complete access to a computer, using it to install additional malware, ransomware, or cryptocurrency miners.