Microsoft on Thursday warned of a “huge e-mail marketing campaign” that is pushing a Java-based STRRAT malware to steal confidential knowledge from contaminated methods whereas disguising itself as a ransomware an infection.
“This RAT is notorious for its ransomware-like conduct of appending the file identify extension .crimson to recordsdata with out truly encrypting them,” the Microsoft Safety Intelligence group said in a collection of tweets.
The brand new wave of assaults, which the corporate noticed final week, commences with spam emails despatched from compromised e-mail accounts with “Outgoing Funds” within the topic line, luring the recipients into opening malicious PDF paperwork that declare to be remittances, however in actuality, hook up with a rogue area to obtain the STRRAT malware.
Moreover establishing connections to a command-and-control server throughout execution, the malware comes with a spread of options that enable it to gather browser passwords, log keystrokes, and run distant instructions and PowerShell scripts.
STRRAT first emerged within the risk panorama in June 2020, with German cybersecurity agency G Knowledge observing the Home windows malware (model 1.2) in phishing emails containing malicious Jar (or Java Archive) attachments.
“The RAT has a give attention to stealing credentials of browsers and e-mail shoppers, and passwords through keylogging,” G Knowledge malware analyst Karsten Hahn detailed. “It helps the next browsers and e-mail shoppers: Firefox, Web Explorer, Chrome, Foxmail, Outlook, Thunderbird.”
Its ransomware capabilities are at finest rudimentary in that the “encryption” stage solely renames recordsdata by suffixing the “.crimson” extension. “If the extension is eliminated, the recordsdata may be opened as standard,” Kahn added.
Microsoft additionally notes that model 1.5 is extra obfuscated and modular than earlier variations, suggesting that the attackers behind the operation are actively working to improvise their toolset. However the truth that the bogus encryption conduct stays unchanged indicators that the group could also be aiming to make fast cash off unsuspecting customers via extortion.
The symptoms of compromise (IoCs) related to the marketing campaign may be accessed through GitHub here.