A new threat in the wild is targeting users with fake ransomware campaigns. Identified as StrRAT, the malware is a potent data-stealing trojan, yet it masks itself as ransomware to fool victims and extort money.
StrRAT Malware Masquerading As Ransomware
Microsoft Security Intelligence team has warned users about a new malware threat that poses as ransomware.
The malware, StrRAT, is a Java-based RAT running active campaigns in the wild. However, it behaves like ransomware (at least, from the victim's perspective) because it changes the file names on infected devices by appending a “.crimson” extension without actually encrypting them.
StrRAT is under active distribution via phishing emails that include a malicious attachment. Downloading this attachment lets the malware connect with the server to download the actual payload.
Once on the system, the malware starts stealing data such as passwords, begins keylogging, runs remote commands and PowerShell, and carries out other activities enabled by its backdoor functionality.
Alongside these activities, it keeps renaming files so that they can no longer be opened by double-clicking. A victim may take this for ransomware activity, but in reality it happens only because of the change in the file name extension. Removing this extension lets the file open again.
Not A New Malware
StrRAT isn’t a new threat. It has existed for about a year and has carried on active campaigns during that time. According to a detailed analysis by Karsten Hahn, StrRAT first caught attention with its 1.2 version, which targeted German users.
However, the latest analysis by Microsoft warns users of the StrRAT malware 1.5 version that continues behaving as ransomware.
We have also published advanced hunting queries to help defenders locate indicators and malicious behaviors related to STRRAT and similar threats in their environments: https://t.co/nwbUkn2DEQ
— Microsoft Security Intelligence (@MsftSecIntel) May 19, 2021
Users infected with StrRAT should first try to recover their files by removing the added extension from the file names. This needs caution, however: doing the same during a genuine ransomware attack may corrupt the file. It is therefore better to make such attempts on a test file first.
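As an added example (not code from the article or from Microsoft's hunting queries), the following Python triage helper applies that advice: before stripping the appended .crimson extension it checks whether the file contents still look like plain, unencrypted data, and leaves anything that looks like ciphertext alone. The file signatures, the entropy threshold and the sample files are assumptions constructed for the example.

```python
from __future__ import annotations
import math
import tempfile
from pathlib import Path

CRIMSON_EXT = ".crimson"   # extension the article says StrRAT appends
ENTROPY_LIMIT = 7.5        # assumed threshold: ciphertext sits near 8.0 bits/byte
# Assumed signatures of a few common file types; extend as needed.
MAGIC = (b"%PDF", b"PK\x03\x04", b"\x89PNG", b"\xff\xd8\xff")


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; text and office files sit far below 8.0."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def looks_intact(sample: bytes) -> bool:
    """True when the sample carries a known signature or low entropy, i.e. it was only renamed."""
    if any(sample.startswith(sig) for sig in MAGIC):
        return True
    return shannon_entropy(sample) < ENTROPY_LIMIT


def triage(root: Path, rename: bool = False) -> dict[str, str]:
    """Classify every *.crimson file under root; strip the extension only when rename=True
    and the contents look intact. Files that look encrypted are never touched."""
    verdicts: dict[str, str] = {}
    for path in sorted(root.rglob("*" + CRIMSON_EXT)):
        with path.open("rb") as fh:
            sample = fh.read(4096)       # a head sample is enough to judge entropy
        if looks_intact(sample):
            verdicts[path.name] = "renamed" if rename else "intact"
            if rename:
                path.rename(path.with_name(path.name[: -len(CRIMSON_EXT)]))
        else:
            verdicts[path.name] = "suspicious"
    return verdicts


def demo() -> tuple[dict[str, str], list[str]]:
    """Constructed sample set: a renamed PDF, a renamed text note, and one genuinely ciphertext-like blob."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "report.pdf.crimson").write_bytes(b"%PDF-1.4\n% constructed sample\n" * 20)
        (root / "notes.txt.crimson").write_bytes(b"meeting notes, constructed sample\n" * 50)
        (root / "vault.db.crimson").write_bytes(bytes(range(256)) * 16)  # uniform bytes: 8.0 bits/byte
        verdicts = triage(root, rename=True)
        return verdicts, sorted(p.name for p in root.iterdir())
```

Run `triage(Path("."))` first to get a dry-run report; pass `rename=True` only once the verdicts look right.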
Besides, keeping systems protected with robust anti-malware may also help fend off such attacks right away.