Introduction STRRAT was discovered earlier this year as a Java-based Remote Access Tool (RAT) that does not require a preinstalled Java Runtime Environment (JRE). It has been distributed through malicious spam (malspam) during 2021. Today's diary reviews an infection generated using an Excel spreadsheet discovered on Monday, 2021-08-30. During this infection, STRRAT was installed with its own JRE environment. It was part of a zip archive that contained JRE version 8 update 261, a .jar file for STRRAT, and a command script to run STRRAT using JRE from the zip archive.
The Excel spreadsheet This Excel spreadsheet was submitted to bazaar.abuse.ch on Monday 2021-08-30. It likely was distributed through email, since previously-documented examples like this one were distributed through email.
Initial infection activity If a victim opens the spreadsheet and enables macros on a vulnerable Windows host, the macro code generates unencrypted HTTP traffic to 54.202.26[.]55. Testing the spreadsheet in a lab environment, we saw an HTTP GET request that returned approximately 18.7 kB of ASCII symbols with no letters or numbers.
The second HTTP request to the same IP address returned a zip archive that was approximately 72.1 MB.
The zip was saved under a newly-created at C:\User (very close in spelling to C:\Users), then the contents were extracted, and the saved zip archive was deleted.
Infection traffic RAT-based post-infection traffic is often easy to spot, since many RATs use non-web-based TCP ports. Furthermore, traffic for the initial zip archive was over unencrypted HTTP. Finally, we saw HTTPS traffic to legitimate domains from Github and maven.org that appeared to be caused by the infection process.
Indicators of Compromise (IOCs) The following malware was retrieved from an infected Windows host: SHA256 hash: f148e9a2089039a66fa624e1ffff5ddc5ac5190ee9fdef35a0e973725b60fbc9
SHA256 hash: cd6f28682f90302520ca88ce639c42671a73dc3e6656738e20d2558260c02533
SHA256 hash: 685549196c77e82e6273752a6fe522ee18da8076f0029ad8232c6e0d36853675
The following traffic occured on an infected Windows host:
Final words This specific STRRAT infection was notable because it included JRE version 8 update 261 as part of the infection package. Including JRE allows this Java-based RAT to run on vulnerable Windows hosts whether or not they have Java installed. The host I used for testing had a more recent version of Java, but this sample didn't care. It sent its own version of JRE anyway. Fortunately, default security settings in Windows 10 and Microsoft Office should prevent this particular STRRAT infection chain. Mass-distribution methods like malspam remain cheap and profitable for cyber criminals, so we expect to see STRRAT and other types of commonly-distributed malware in the coming months. A pcap of the infection traffic and malware from the infected host can be found here. --- Brad Duncan |
Brad 436 Posts ISC Handler Sep 1st 2021 |
Thread locked Subscribe |
Sep 1st 2021 9 months ago |
Sign Up for Free or Log In to start participating in the conversation!