
STRRAT

Posted: June 19, 2020

STRRAT is a Remote Access Trojan (RAT) that attackers can use to control Windows PCs. Its campaign delivers the Trojan through spam e-mail, and the Trojan includes features associated with data theft and with blocking access to media files. Users should change their passwords after an infection, remove STRRAT with a trusted anti-malware product, and keep backups for recovering blocked data.

Trojans Double-Dealing with Every Possible Danger

Although Remote Access Trojans are a well-known hallmark of sensitive intelligence-collecting operations, they can also be just as lowbrow and profit-motivated as the latest STOP Ransomware release. STRRAT, a Remote Access Trojan with a diverse hand of attacks at its disposal, falls on the profit-motivated side. Its current infection method and dependencies imply plans for spreading to even more victims in the coming days.

STRRAT is a Windows-specific Trojan, and it is Java-based. Its campaign infects PCs through fake order documents attached to e-mails. One of the most interesting 'missed opportunities' in its installation routine is that the loader can install the Java Runtime Environment and update it if necessary, yet it still requires the JRE to be present in order to run in the first place. This self-contradiction is one of several clues that lead malware researchers to classify STRRAT as an in-progress or in-development project, even though it's out in the wild.

STRRAT uses the Registry for system persistence and hides its identity from threat-detecting software via Allatori AES encryption. Its attack features can be divided into several components and themes:

  • The RAT uses a third-party mouse and keyboard listener for keylogging (monitoring and recording keystrokes).
  • More specifically, the Trojan specializes in exfiltrating credentials such as passwords from e-mail clients and browsers, including Chrome, Outlook and others.
  • It uses RDPWrap as a general-purpose remote administration tool for letting the attacker control the system through custom inputs.
  • It also has various commands for modifying the system or its files, such as forcing reboots, disconnecting, executing CMD commands, etc.

The file-locking component is particularly telling of STRRAT's motivations. It renames files by appending an extension ('crimson' at present) but performs no actual data encryption. Future updates are very likely to remove this limitation, since victims can currently recover their files quickly by renaming them and stripping the added extension.
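Because the 'locking' described above is only a rename, recovery is a matter of stripping the appended extension without touching file contents. The following script is an added example written for this page, not code from the original article or from STRRAT itself; it assumes the '.crimson' suffix is appended to the full original name (as the page describes) and builds its own constructed directory of sample files so it can be run offline. It skips any file whose original name already exists, so a later, possibly genuine file is never overwritten.

```python
import os
import tempfile
from pathlib import Path

# Suffix STRRAT appends to files it "locks" (from the page); contents are not encrypted.
LOCKED_SUFFIX = ".crimson"


def recover_locked_files(root, suffix=LOCKED_SUFFIX, dry_run=False):
    """Restore files under `root` whose names end in `suffix` by stripping it.

    Returns (restored, skipped): lists of (locked_path, original_path) pairs.
    A file is skipped when the original name is already taken, so nothing is
    overwritten. With dry_run=True nothing is renamed; the plan is only reported.
    """
    restored, skipped = [], []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            # Ignore names that do not carry the suffix, or that are only the suffix.
            if not name.endswith(suffix) or name == suffix:
                continue
            locked = Path(dirpath) / name
            original = Path(dirpath) / name[: -len(suffix)]
            if original.exists():
                skipped.append((str(locked), str(original)))
                continue
            if not dry_run:
                locked.rename(original)
            restored.append((str(locked), str(original)))
    return restored, skipped


def build_sample_tree(base):
    """Create a constructed layout imitating what a victim sees: renamed documents,
    a nested folder, an untouched file, and one name collision. All sample data here
    is made up for the example."""
    base = Path(base)
    (base / "docs").mkdir(parents=True, exist_ok=True)
    (base / "invoice.docx.crimson").write_bytes(b"PK\x03\x04 fake docx body")
    (base / "docs" / "notes.txt.crimson").write_text("quarterly notes")
    (base / "readme.txt").write_text("not touched by the RAT")
    # Collision: both the locked and the original name exist, so the locked copy is kept as-is.
    (base / "photo.jpg").write_bytes(b"\xff\xd8 real jpeg")
    (base / "photo.jpg.crimson").write_bytes(b"\xff\xd8 another copy")
    return base


def demo():
    """Run a dry run and then a real recovery against a throwaway tree; return a summary."""
    with tempfile.TemporaryDirectory() as tmp:
        base = build_sample_tree(tmp)
        plan, _ = recover_locked_files(base, dry_run=True)
        restored, skipped = recover_locked_files(base)
        return {
            "planned": len(plan),
            "restored": sorted(Path(p).name for _, p in restored),
            "skipped": sorted(Path(p).name for p, _ in skipped),
            "notes_intact": (base / "docs" / "notes.txt").read_text() == "quarterly notes",
            "leftover_locked": sorted(p.name for p in base.rglob(f"*{LOCKED_SUFFIX}")),
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Run the dry run first on a real system and review the plan before renaming anything; if a later STRRAT build does start encrypting, a rename alone will not restore the files, and the unchanged contents check (as `notes_intact` does here) is the quickest way to tell the two cases apart.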

Cutting Your PC Out of a Trojan's Grasp for Data

STRRAT is targeting German PC users in its latest attacks, but nothing prevents it from running on Windows systems elsewhere. While Java is well-known for its theoretical cross-compatibility and porting advantages, STRRAT's code is highly Windows-based. Malware experts don't anticipate infections in Linux, Android or macOS environments. However, the theft of passwords and credentials can endanger other devices indirectly through hackers' ongoing efforts.

Users should remain cautious about opening e-mail attachments in general, since they tend to deliver high-level threats of various stripes, including RATs and file-locker Trojans like STRRAT. In most scenarios, the attached file is a corrupted document or a fake (intentionally misnamed) one. STRRAT is an exception in that it doesn't disguise its 'JAR' format – a Java archive that's equivalent to a ZIP.
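Since a JAR is structurally a ZIP, a mail gateway or triage script can recognise one by content rather than by file name, which also catches the misnamed case the paragraph mentions. The script below is an added example for this page, not code from the original article; the attachment names and contents are constructed in memory, and the rule that a ZIP carrying a `META-INF/MANIFEST.MF` entry or `.class` files is treated as a JAR is an assumption chosen for the example.

```python
import io
import zipfile

# Local-file-header magic that every non-empty ZIP (and therefore JAR) begins with.
ZIP_MAGIC = b"PK\x03\x04"
# Entry that identifies a JAR; compiled classes are accepted as a second signal.
JAR_MANIFEST = "META-INF/MANIFEST.MF"


def classify_attachment(data):
    """Return 'jar', 'zip' or 'other' based only on the bytes, never the file name."""
    if not data.startswith(ZIP_MAGIC):
        return "other"
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
    except zipfile.BadZipFile:
        return "other"
    if JAR_MANIFEST in names or any(n.endswith(".class") for n in names):
        return "jar"
    return "zip"


def triage(filename, data):
    """Combine the content-based class with the claimed extension into a verdict."""
    kind = classify_attachment(data)
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    return {
        "name": filename,
        "kind": kind,
        "misnamed": kind == "jar" and ext != "jar",  # JAR hiding behind another extension
        "verdict": "quarantine" if kind == "jar" else "allow",
    }


def make_zip(entries):
    """Build an in-memory ZIP from {name: content} for the constructed samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed sample attachments (names and contents invented for this example).
_JAR_BYTES = make_zip({JAR_MANIFEST: "Manifest-Version: 1.0\n", "app/Main.class": b"\xca\xfe\xba\xbe"})
SAMPLE_ATTACHMENTS = {
    "Order_2020.jar": _JAR_BYTES,                         # undisguised JAR, like STRRAT's lure
    "Order_2020.pdf": _JAR_BYTES,                         # same JAR, misnamed as a document
    "Order_2020.zip": make_zip({"order.txt": "thanks"}),  # plain archive, no JAR markers
    "Order_2020.txt": b"Please see attached",             # not an archive at all
}


def triage_samples():
    """Run triage over every constructed sample and return the results by name."""
    return {name: triage(name, data) for name, data in SAMPLE_ATTACHMENTS.items()}


if __name__ == "__main__":
    for result in triage_samples().values():
        print(result)
```

The point of deciding on bytes rather than names is that an attacker's choice of extension becomes irrelevant; whether the gateway quarantines every JAR or only those arriving from outside the organisation is a policy decision that the `verdict` field leaves to the caller.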

Even though STRRAT hides its features and uses a multi-stage delivery system, many anti-malware products' databases are sufficient for identifying it. Most professional threat removal products should delete STRRAT and its Trojan dropper as a default action for protecting your computer.

STRRAT is more half-baked than most of the current threats that are as invasive as RATs. Even in an unpolished form, it has more than enough danger for delivering any computer owner's files or logins into the wrong hands.
