Hackers send massive amounts of spam with a Trojan masquerading as ransomware
The Microsoft security team warned of a new malware campaign in which threat actors are spreading a remote access Trojan (RAT) named STRRAT, which steals data from infected systems. The malware is notable for the fact that it disguises itself as ransomware.
Cybercriminals spread the Trojan through mass spam emails with malicious attachments, sent from compromised accounts. The attachment looks like a PDF document, but when opened, it connects to a malicious domain and downloads the malware.
First spotted in June 2020, STRRAT is a remote access Trojan (RAT) written in Java that can act as a backdoor on infected hosts. Its feature set is broad, ranging from stealing credentials to tampering with local files.
STRRAT can dump and steal credentials from the following browsers and email clients: Firefox, Internet Explorer, Chrome, Foxmail, Outlook and Thunderbird. The malware can also run custom web-shell or PowerShell commands received from an attacker's server, which gives the attackers full control over an infected host whenever they wish.
The main distinguishing feature of STRRAT, as mentioned above, is its encryption function. However, this "encryption" does nothing more than rename files by appending the .crimson extension. A file with this extension no longer opens in the usual way, but simply removing the extension is enough to open it again.
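Because STRRAT only renames files and leaves their contents untouched, a responder can verify this before restoring anything: a renamed PDF or Office file still begins with its normal file signature, whereas real ransomware would leave high-entropy ciphertext. The triage script below is an added example written for this article; it is not code from the report, from Microsoft or from the malware. The signature table, the 6.0-bit entropy threshold and the 4 KiB sample size are assumptions chosen for illustration. It lists `.crimson` files under a directory, classifies each by whether its header is still intact, and restores the original name only for files whose contents look unencrypted, refusing to overwrite an existing file.

```python
"""Triage helper for STRRAT's fake ".crimson" encryption (added example)."""
from __future__ import annotations

import math
from collections import Counter
from pathlib import Path

CRIMSON_EXT = ".crimson"

# Constructed lookup of common file signatures (magic bytes) at offset 0.
# Assumption: these are the document types most likely to be hit.
SIGNATURES: dict[bytes, str] = {
    b"%PDF": "pdf",
    b"PK\x03\x04": "zip/office-ooxml",
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1": "ole-office",
    b"\x89PNG\r\n\x1a\n": "png",
    b"\xff\xd8\xff": "jpeg",
}

# Assumed threshold: ciphertext/compressed data is close to 8 bits/byte,
# plain text is usually well below 6.
ENTROPY_THRESHOLD = 6.0


def identify_header(data: bytes) -> str | None:
    """Return the file type whose signature starts the data, or None."""
    for magic, kind in SIGNATURES.items():
        if data.startswith(magic):
            return kind
    return None


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte over the given sample (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def classify(path: Path, sample_size: int = 4096) -> str:
    """'intact' if a known signature survives, 'plaintext-like' if the header is
    unknown but low-entropy (e.g. a text file), else 'encrypted-like'."""
    with path.open("rb") as f:
        head = f.read(sample_size)
    if identify_header(head):
        return "intact"
    if shannon_entropy(head) < ENTROPY_THRESHOLD:
        return "plaintext-like"
    return "encrypted-like"


def find_crimson(root: Path) -> list[Path]:
    """All regular files under root that carry the .crimson extension."""
    return sorted(p for p in root.rglob(f"*{CRIMSON_EXT}") if p.is_file())


def restore(path: Path, dry_run: bool = True) -> Path:
    """Strip the trailing .crimson extension; never overwrite an existing file."""
    target = path.with_name(path.name[: -len(CRIMSON_EXT)])
    if target.exists():
        raise FileExistsError(f"refusing to overwrite {target}")
    if not dry_run:
        path.rename(target)
    return target


def triage(root: Path, dry_run: bool = True) -> dict[str, list[str]]:
    """Classify every .crimson file under root and restore the ones whose
    contents are evidently unencrypted. Returns file names per verdict."""
    report: dict[str, list[str]] = {"intact": [], "plaintext-like": [], "encrypted-like": []}
    for p in find_crimson(root):
        verdict = classify(p)
        report[verdict].append(p.name)
        if verdict != "encrypted-like":
            # Renaming cannot help a genuinely encrypted file; keep it as evidence.
            restore(p, dry_run=dry_run)
    return report


if __name__ == "__main__":
    import sys
    for verdict, names in triage(Path(sys.argv[1]), dry_run=True).items():
        print(f"{verdict}: {names}")
```

Run it first with `dry_run=True` (the default) to get the report without touching the file system; anything classified as `encrypted-like` deserves a closer look before any cleanup, since that is the one case where the page's "just remove the extension" advice would not apply.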
Source: securitylab.ru
24 May 2021