Posted on May 25, 2021 at 7:19 AM
Microsoft has warned that a massive email campaign is using STRRAT malware to steal sensitive data from users. According to the report, the email campaign masquerades as a ransomware attack.
The tech giant's security team described the malware's activity and added that STRRAT, which is written in Java, appends a .crimson extension to file names without actually encrypting the files.
The malware collects passwords and logs keystrokes
Microsoft says the threat actors initiate the attack with spam emails sent from compromised accounts.
The emails carry the subject line "Outgoing Payments" and urge the recipient to open the attached file, which contains the malware.
The file claims to be a PDF with transaction details; in reality it leads to a domain that downloads the STRRAT malware.
Once downloaded, the malware connects to the threat actors' command-and-control (C2) server and begins its operations.
The Microsoft security team described the malware's capabilities: it collects passwords, logs keystrokes, and runs PowerShell scripts as well as remote commands.
The malware was first detected in June last year, when the security firm G Data found the Java-based Windows malware distributed in phishing emails as an attachment that unsuspecting victims could download.
G Data stated that STRRAT prioritises stealing users' email and browser credentials through keylogging. It is highly potent because it supports credential theft from widely used email clients and browsers, including Outlook, Thunderbird, Foxmail, Chrome, Internet Explorer, and Firefox.
Malware’s capability still at a rudimentary level
Microsoft said the malware's ransomware capability is still at a basic level: the "encryption" phase only renames files with the .crimson extension. The files can be accessed again manually if the extension is removed.
The encryption is nonetheless still bogus, which suggests the campaign is after quick money, extorting payment from unsuspecting users.
Still, Microsoft says the group running STRRAT is constantly improving the malware's capabilities; as a result, the recent version 1.5 is more advanced and modular than previous versions.
The Java-based STRRAT malware distracts victims by acting like ransomware while creating a backdoor into the infected systems.
According to the researchers, the more recent version of the malware is "notably more obfuscated and modular than previous versions".
The malware adds the .crimson file name extension and hides the fact that the computer has been infected with a remote access trojan.
The threat actors are still actively distributing the STRRAT malware, which indicates that the criminals are still trying to infect more computers with it.
Because the malware succeeded in harvesting victims' usernames and passwords, those whose accounts have been compromised may see their email accounts abused by threat actors in the future. The security researchers say they could become targets of further phishing emails carrying the STRRAT malware.
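As a defender-side illustration of the point above (an added example, not code from Microsoft, G Data or the malware itself): a triage script that finds files carrying the bogus .crimson extension, uses byte entropy to confirm the content was merely renamed rather than encrypted, and restores the original name. The entropy threshold and the sample directory it builds are assumptions constructed for the demo.

```python
import math
import tempfile
from pathlib import Path

# Extension STRRAT appends to files it pretends to have encrypted.
CRIMSON_SUFFIX = ".crimson"

def shannon_entropy(data: bytes) -> float:
    """Bits per byte of the sample; genuinely encrypted data sits close to 8.0."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def looks_unencrypted(data: bytes, threshold: float = 7.5) -> bool:
    """Sample the first 4 KiB. Below the (assumed) threshold the bytes are most
    likely the original plaintext that was merely renamed. Compressed formats
    (zip, jpeg) are naturally high-entropy and are left for manual review."""
    return shannon_entropy(data[:4096]) < threshold

def restore_crimson_files(root, dry_run: bool = False):
    """Find *.crimson files under root and strip the bogus extension when the
    content is not actually encrypted. Returns (restored, skipped) path lists."""
    restored, skipped = [], []
    for path in sorted(Path(root).rglob("*" + CRIMSON_SUFFIX)):
        if not path.is_file():
            continue
        original = path.with_name(path.name[: -len(CRIMSON_SUFFIX)])
        if original.exists() or not looks_unencrypted(path.read_bytes()):
            skipped.append(path)  # real ciphertext or name clash: leave it alone
            continue
        if not dry_run:
            path.rename(original)
        restored.append(original)
    return restored, skipped

def build_sample_dir() -> Path:
    """Constructed sample data (not from a real infection): one renamed PDF and
    one file whose bytes are uniformly distributed, i.e. truly high entropy."""
    root = Path(tempfile.mkdtemp(prefix="strrat-demo-"))
    (root / "invoice.pdf.crimson").write_bytes(b"%PDF-1.4\n" + b"Outgoing Payments\n" * 100)
    (root / "blob.bin.crimson").write_bytes(bytes(range(256)) * 16)
    return root

if __name__ == "__main__":
    restored, skipped = restore_crimson_files(build_sample_dir())
    print([p.name for p in restored], [p.name for p in skipped])  # ['invoice.pdf'] ['blob.bin.crimson']
```

Run it with dry_run=True first on a real share to get a report before any renaming happens.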
Avoiding being a victim
Since the malware campaign depends on phishing emails, users have been advised on what they can do to avoid becoming victims. They should be vigilant about unusual or unexpected messages, especially those that appear to offer financial incentives, and careful when opening emails and attachments from unfamiliar addresses.
It is also very helpful to install strong antivirus software that identifies threats and prevents malicious emails from reaching inboxes. This removes the risk of a user opening the message and clicking the link that triggers the malware.
Users have also been advised to be wary of replying to any message offering promotions, even if it looks genuine. Threat actors have mastered the art of cloning popular websites, making the fake sites look authentic. If users are deceived into clicking the website link, the malware may be loaded onto their system. They should instead type the website's name into the browser address bar themselves and verify whatever information they receive.