The STRRAT threat is a RAT (Remote Access Trojan), which is written in the Java programming language. This threat only targets users who have installed a JRE (Java Runtime Environment) on their system. If there is no JRE installed on the targeted computer, the STRRAT threat will not be able to operate and will, effectively, be useless.
The STRRAT malware appears to be propagated with the help of specially crafted phishing emails. The emails contain a malicious attachment, which carries the payload of the STRRAT malware. Most cybercriminals would attempt to disguise the attached file as a harmless document or spreadsheet. However, this is not the case with the STRRAT threat. The attachment is a plain JAR file, which may raise the suspicion of some users. If the targeted user fails to notice the suspicious filetype and opens the file regardless, they will deploy the STRRAT malware on their system. Once the STRRAT threat is successfully installed on the breached system, it will gain persistence by tampering with the Windows Registry.
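Because the STRRAT lure relies on the recipient opening a plain JAR attachment, a mail gateway or analyst triage script can flag Java archives by content rather than by file name. The following Python example is added here and is not part of the original write-up or of any STRRAT sample; it builds a constructed test message with a stand-in JAR (a ZIP carrying a manifest and a dummy class file, not real malware) and a harmless Office-style ZIP, then reports which attachments are actually Java archives, including ones whose name disguises the type.

```python
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage


def build_sample_jar_bytes() -> bytes:
    """Constructed stand-in for a JAR attachment: a ZIP with a manifest and a dummy class entry."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\nMain-Class: Loader\n")
        # 0xCAFEBABE is the Java class-file magic; the rest is filler, not executable code
        zf.writestr("Loader.class", b"\xca\xfe\xba\xbe" + b"\x00" * 8)
    return buf.getvalue()


def build_sample_docx_bytes() -> bytes:
    """Constructed benign ZIP laid out like an Office document (no manifest, no class files)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
    return buf.getvalue()


def looks_like_jar(data: bytes) -> bool:
    """True when the bytes are a ZIP container holding a Java manifest or .class entries."""
    if not data.startswith(b"PK\x03\x04"):
        return False  # not a ZIP-based container at all
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = set(zf.namelist())
    except zipfile.BadZipFile:
        return False
    has_manifest = "META-INF/MANIFEST.MF" in names
    has_class = any(n.endswith(".class") for n in names)
    return has_manifest or has_class


def triage_attachment(filename: str, data: bytes) -> dict:
    """Compare what the file name claims with what the content is."""
    name_says_jar = filename.lower().endswith(".jar")
    content_is_jar = looks_like_jar(data)
    return {
        "filename": filename,
        "name_says_jar": name_says_jar,
        "content_is_jar": content_is_jar,
        "flag": content_is_jar,                       # any real JAR attachment is worth a look
        "mismatch": content_is_jar and not name_says_jar,  # JAR hiding behind another extension
    }


def build_sample_email() -> bytes:
    """Constructed phishing-style message with one JAR and one benign attachment."""
    msg = EmailMessage(policy=policy.default)
    msg["From"] = "sender@example.invalid"
    msg["To"] = "recipient@example.invalid"
    msg["Subject"] = "Invoice"
    msg.set_content("Please see the attached invoice.")
    msg.add_attachment(build_sample_jar_bytes(), maintype="application",
                       subtype="octet-stream", filename="Invoice_2021.jar")
    msg.add_attachment(build_sample_docx_bytes(), maintype="application",
                       subtype="octet-stream", filename="notes.docx")
    return msg.as_bytes()


def triage_email(raw: bytes) -> list:
    """Walk every attachment of a raw RFC 822 message and triage each by content."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    results = []
    for part in msg.iter_attachments():
        filename = part.get_filename() or ""
        data = part.get_payload(decode=True) or b""
        results.append(triage_attachment(filename, data))
    return results


if __name__ == "__main__":
    for r in triage_email(build_sample_email()):
        print(r)
```

The check deliberately ignores the declared MIME type and the extension when deciding whether to flag, since both are attacker-controlled; the `mismatch` field exists so that a JAR renamed to look like a document stands out even more than the plain `.jar` case described above.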
The STRRAT threat can operate as an infostealer, which is very feature-rich. Once the STRRAT malware is running on the compromised host, it will be able to obtain information from:
- Web browsers – this threat targets saved login credentials.
- Email clients – the threat would steal the contacts list and other files from the app.
- File Transfer Protocol (FTP) – saved login credentials and configurations.
The STRRAT malware is also able to deploy a keylogging module, which collects the victim’s keystrokes in order to harvest additional sensitive information. The STRRAT threat can also use additional modules that serve various purposes. One of them enables the threat to encrypt the user’s data. Another is the legitimate tool RDPWrap, whose purpose is to open a Remote Desktop Protocol connection between two computers; the authors of the RAT are clearly abusing it for nefarious reasons. Additionally, the operators of the STRRAT threat can use it to steal various files, execute remote PowerShell commands, run CMD commands, download and execute files, restart the host, list directories, and more.
Since the STRRAT malware is able to encrypt data on the compromised host, it is clear that its operators may use it as a file-locker, which will allow them to extort the victims for money. The STRRAT threat is able to lock a long list of filetypes. The encrypted files will have a ‘.crimson’ extension added to their names. For example, a file called ‘beige-coat.jpg’ will be renamed to ‘beige-coat.jpg.crimson’. The authors of the STRRAT malware may be crafting a unique ransom message for each targeted user, as there is no pre-made note.
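When responding to an infection, the first question is usually how much was locked. The Python example below is an added illustration, not code from the original article, that walks a directory tree for files carrying the ‘.crimson’ suffix described above, recovers each original file name, and summarises the damage by original extension. It builds its own constructed sample tree in a temporary directory so it runs offline.

```python
import os
import tempfile
from collections import Counter

CRIMSON_SUFFIX = ".crimson"


def is_crimson_encrypted(path: str) -> bool:
    """True for names like 'photo.jpg.crimson'; a bare '.crimson' file is not a match."""
    base = os.path.basename(path)
    return base.lower().endswith(CRIMSON_SUFFIX) and len(base) > len(CRIMSON_SUFFIX)


def original_name(path: str) -> str:
    """Strip the appended suffix to get the pre-encryption file name."""
    return path[:-len(CRIMSON_SUFFIX)]


def inventory(root: str) -> dict:
    """Collect every '.crimson' file under root and tally them by original extension."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if is_crimson_encrypted(full):
                hits.append(full)
    by_ext = Counter(
        os.path.splitext(os.path.basename(original_name(h)))[1].lower() or "(none)"
        for h in hits
    )
    return {
        "count": len(hits),
        "files": sorted(hits),
        "by_original_extension": dict(by_ext),
    }


def build_sample_tree() -> str:
    """Constructed sample layout: two 'encrypted' files and two untouched ones."""
    root = tempfile.mkdtemp(prefix="strrat-demo-")
    samples = {
        "Pictures/beige-coat.jpg.crimson": b"constructed placeholder, not real ciphertext",
        "Documents/report.docx.crimson": b"constructed placeholder, not real ciphertext",
        "Documents/readme.txt": b"untouched file",
        "Pictures/summer.jpg": b"untouched file",
    }
    for rel, data in samples.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(data)
    return root


if __name__ == "__main__":
    report = inventory(build_sample_tree())
    print(f"{report['count']} encrypted files found")
    for ext, n in sorted(report["by_original_extension"].items()):
        print(f"  {ext}: {n}")
    for f in report["files"]:
        print(f"  {f}  (was {os.path.basename(original_name(f))})")
```

The per-extension tally is what a responder wants first: it shows which data categories were hit and gives a quick sanity check against the filetype list the locker targets before any restore-from-backup work begins.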
The STRRAT malware is a high-end threat, which is very feature-rich. Make sure your system is protected against threats like the STRRAT malware by installing a modern, up-to-date anti-virus software suite.