STRRAT Remote Access Trojan

First observed in June 2020, STRRAT is a remote access trojan (RAT), written in Java, with a wide range of malicious functionality. It is delivered via spam emails, acting as a backdoor on a compromised host from where it can run shell commands, steal credentials and tamper with local files. It is unusual in that it performs a fake encryption routine, appending file extensions but not encrypting the file itself, in attempt to imitate a ransomware attack.

STRRAT is deployed through spam campaigns, launched via compromised email accounts. In recent campaigns, the emails contain an image disguised as a PDF attachment, that once opened, connects to a malicious domain from where STRRAT payload is downloaded. In other attacks, STRRAT has been delivered via an email containing a malicious JAR attachment. The attachment is a dropper which uses a VBA script to download a Java Runtime Environment before extracting and running the STRRAT payload.

Once executed, STRRAT connects to a command and control (C2) server from where it can run custom shell and PowerShell commands. It can also download and install RDWrap tool, enabling an attacker to connect to the compromised host through Remote Desktop Protocol (RDP). This functionality allows an attacker to run a range of commands and take control of the host system.

STRRAT attempts to extract credentials from the following browsers and email clients: Firefox, Internet Explorer, Chrome, Foxmail, Outlook, and Thunderbird. It also harvests passwords via keylogging, utilising a global keyboard and mouse listener for Java.

STRRAT has a ransomware encryption/decryption module, which renames files by appending a CRIMSON file extension but does not encrypt them. Once the files have been renamed and the extension removed, the files can be opened.