| STRRAT | |
| --- | --- |
| Type of Malware | Trojan |
| Additional Names | Strigoi |
| Date of Initial Activity | 2020 |
| Targeted Countries | Kazakhstan |
| Associated Groups | Bloody Wolf |
| Motivation | Cyberwarfare |
| Attack Vectors | Phishing |
| Targeted Systems | Windows |
Overview
STRRAT, a sophisticated Java-based Remote Access Trojan (RAT), has garnered attention due to its extensive capabilities and growing presence in global malware campaigns. First identified in 2020, this malware is often distributed through malicious email attachments disguised as legitimate files, such as invoices or inquiries. Once executed, STRRAT unleashes a range of damaging features that allow attackers to gain full control over the victim’s system, steal sensitive information, and execute a variety of commands remotely. The malware’s ability to masquerade as a benign file while executing its malicious activities makes it a particularly dangerous threat to both individuals and organizations.
One of the key features of STRRAT is its modular design, which allows it to perform various functions based on the attacker’s needs. These include keylogging, file management, and credential theft, specifically targeting browsers and email clients for saved passwords. In addition to its data theft capabilities, STRRAT provides attackers with the ability to execute commands, manage files, and control system processes in real-time. This makes the malware highly versatile, as it can be used for a wide range of malicious purposes, from espionage to financial theft.
Targets
Information
How they operate
At the core of STRRAT’s operation is its initial delivery mechanism. The malware is typically distributed through phishing emails carrying a malicious JAR file, disguised as a legitimate document such as an invoice or inquiry to trick the victim into executing it. Once run, the JAR file acts as a dropper, deploying additional payloads onto the victim’s system. It often writes an obfuscated JavaScript file into the user’s directory; this script contains Base64-encoded data that is crucial for the next stages of the attack. When decoded, the JavaScript file drops further payloads, such as additional JAR files, that are used to establish communication with the command-and-control (C2) server.
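The dropped JavaScript described above carries its next stage as Base64 text, which is also the behaviour the Defense Evasion items (T1140/T1027) in the MITRE mapping below refer to. The following triage helper is an added example, not code from the page or from any STRRAT analysis: it scans a script for long Base64 runs, decodes each one, and reports whether the result is a JAR (a ZIP archive with a manifest), a PE file, or something else. The sample script and the minimal JAR it embeds are constructed here for the demonstration and are not real STRRAT artifacts.

```python
import base64
import binascii
import hashlib
import io
import re
import zipfile

# Contiguous runs of Base64 text at least this long are treated as candidate payloads.
MIN_BLOB_LEN = 100
BASE64_RUN = re.compile(r"[A-Za-z0-9+/]{%d,}={0,2}" % MIN_BLOB_LEN)

ZIP_MAGIC = b"PK\x03\x04"  # JAR files are ZIP archives


def classify(data: bytes) -> str:
    """Return a coarse label for a decoded blob based on its container format."""
    if data.startswith(ZIP_MAGIC):
        # Confirm the blob really parses as an archive and check for a JAR manifest.
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names = zf.namelist()
            return "jar" if "META-INF/MANIFEST.MF" in names else "zip"
        except zipfile.BadZipFile:
            return "zip-like (corrupt)"
    if data.startswith(b"MZ"):
        return "pe"
    return "unknown"


def extract_base64_payloads(js_text: str) -> list:
    """Find embedded Base64 runs in a script, decode them and describe what they contain."""
    findings = []
    for match in BASE64_RUN.finditer(js_text):
        blob = match.group(0)
        try:
            data = base64.b64decode(blob, validate=True)
        except (binascii.Error, ValueError):
            continue  # a long identifier or a split string, not a whole Base64 payload
        findings.append({
            "offset": match.start(),
            "encoded_len": len(blob),
            "decoded_len": len(data),
            "kind": classify(data),
            "sha256": hashlib.sha256(data).hexdigest(),
        })
    return findings


def build_sample_js() -> tuple:
    """Construct a stand-in dropper script that embeds a minimal JAR (not a real sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\nMain-Class: Loader\n")
        zf.writestr("Loader.class", b"\xca\xfe\xba\xbe" + b"\x00" * 28)  # placeholder class bytes
    jar_bytes = buf.getvalue()
    encoded = base64.b64encode(jar_bytes).decode()
    js = (
        "var fso = new ActiveXObject('Scripting.FileSystemObject');\n"
        f'var payload = "{encoded}";\n'
        "// ...decode payload and write it to the user's profile (stand-in, not the real dropper)\n"
    )
    return js, jar_bytes


if __name__ == "__main__":
    sample_js, raw_jar = build_sample_js()
    for hit in extract_base64_payloads(sample_js):
        print(f"offset={hit['offset']} kind={hit['kind']} "
              f"size={hit['decoded_len']} sha256={hit['sha256']}")
```

Point `extract_base64_payloads` at the text of a quarantined script (read the file first) to get the hash and type of each embedded stage without writing the decoded payload to disk. It only recovers blobs stored as one contiguous string; scripts that split, reverse or re-encode the data need that transformation applied before the scan.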
STRRAT employs a number of techniques to maintain persistence and evade detection. One key persistence mechanism involves creating a Windows Registry Run key, which ensures the malware automatically executes upon system startup. This allows the attacker to maintain long-term access to the compromised system without requiring re-execution. Additionally, if the target machine lacks the required Java Runtime Environment (JRE), STRRAT is capable of downloading a bundled version from an external source. This is achieved through a function within the malware called “GrabJreFromNet,” which pulls a malicious version of JRE from an attacker-controlled server and installs it on the victim’s machine.
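The Registry Run key persistence described here (and listed again under Persistence in the MITRE mapping below) leaves a reviewable artifact: a Run value that launches a Java or script interpreter with a `.jar` or `.js` argument, or an interpreter that lives in a user-writable directory such as a bundled runtime fetched by the malware. The audit helper below is an added example, not code from the page or any STRRAT report; it assumes the input is the text printed by `reg query` for a Run key, and the sample output and the value names in it are constructed for the demonstration.

```python
import re

# Interpreters a Java-based RAT needs at logon; a Run entry that launches one of
# these with a script or archive argument warrants review.
SCRIPT_HOSTS = {"java.exe", "javaw.exe", "wscript.exe", "cscript.exe"}
PAYLOAD_EXTS = (".jar", ".js")

# Directories a standard user can write to. A runtime living here was not installed
# by an administrator (the page describes STRRAT fetching its own JRE when none exists).
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\")

# One value line of 'reg query ...\Run' output: name, type, data (names with spaces
# are not handled; export the key instead for those).
ENTRY_RE = re.compile(r"^\s+(?P<name>\S+)\s+(?P<type>REG_\w+)\s+(?P<value>.+?)\s*$")
# The executable at the start of a command line, quoted or not.
EXE_RE = re.compile(r'^\s*"?([^"]+?\.exe)"?', re.IGNORECASE)

# Constructed sample; the JavaUpdate entry is a stand-in, not a known STRRAT indicator.
SAMPLE_REG_OUTPUT = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    OneDrive          REG_SZ           "C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background
    SecurityHealth    REG_EXPAND_SZ    %windir%\system32\SecurityHealthSystray.exe
    JavaUpdate        REG_SZ           "C:\Users\alice\AppData\Roaming\jre\bin\javaw.exe" -jar "C:\Users\alice\AppData\Roaming\update.jar"
"""


def parse_reg_query(output: str) -> list:
    """Turn reg query output for a Run key into (value name, command line) pairs."""
    entries = []
    for line in output.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            entries.append((m.group("name"), m.group("value")))
    return entries


def assess(command: str) -> list:
    """Return the reasons a Run command looks like RAT persistence (empty list if none)."""
    lowered = command.lower()
    m = EXE_RE.match(command)
    if m:
        exe_path = m.group(1).lower()
        args = lowered[m.end():]
    else:
        parts = lowered.split()
        exe_path = parts[0] if parts else ""
        args = lowered
    exe_name = exe_path.rsplit("\\", 1)[-1]

    reasons = []
    if exe_name in SCRIPT_HOSTS and any(ext in args for ext in PAYLOAD_EXTS):
        reasons.append(f"{exe_name} launches a {'/'.join(PAYLOAD_EXTS)} payload at logon")
    if exe_name in SCRIPT_HOSTS and any(d in exe_path for d in USER_WRITABLE):
        reasons.append(f"{exe_name} runs from a user-writable directory (bundled runtime?)")
    return reasons


def audit_run_keys(output: str) -> dict:
    """Map each flagged Run value name to the reasons it was flagged."""
    flagged = {}
    for name, cmd in parse_reg_query(output):
        reasons = assess(cmd)
        if reasons:
            flagged[name] = reasons
    return flagged


if __name__ == "__main__":
    for name, reasons in audit_run_keys(SAMPLE_REG_OUTPUT).items():
        print(name)
        for r in reasons:
            print("  -", r)
```

On a live host, feed it the output of `reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run` and the HKLM equivalent; a legitimate Java application registered at logon will also produce the first reason, so the output is a review list rather than a verdict. The Startup folder and scheduled tasks, which the MITRE mapping lists as an alternative persistence route, need a separate check.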
Once persistence is established, STRRAT enables remote access to the compromised system. The malware supports a wide range of commands, allowing attackers to execute tasks such as system shutdown, file management, and remote command execution. Some of the more advanced features include the ability to run PowerShell commands, manage files on the system, and even open a remote screen session to view the victim’s desktop. Keylogging functionality is also embedded in the malware, allowing attackers to capture keystrokes, including sensitive credentials, as they are entered by the user. STRRAT is particularly adept at stealing saved passwords from browsers like Chrome and Firefox, as well as email clients such as Outlook and Thunderbird.
STRRAT’s ability to exfiltrate data is another key component of its technical operation. The malware communicates with its C2 server via HTTP and HTTPS, sending stolen data—such as credentials and keylogged information—back to the attacker. This communication is often encrypted, making it difficult for traditional security tools to intercept and analyze the data being transmitted. STRRAT also employs obfuscation techniques, such as Base64 encoding, to hide its malicious code and evade detection by antivirus solutions. The use of these advanced obfuscation and encryption techniques allows STRRAT to operate under the radar for extended periods.
In conclusion, STRRAT’s technical capabilities make it a formidable threat in the cybersecurity landscape. From its initial dropper and persistence mechanisms to its remote access and data exfiltration features, this malware offers attackers extensive control over compromised systems. Its ability to evade detection through obfuscation and encrypted communication, combined with its versatility in executing various commands, positions STRRAT as a highly dangerous tool for cybercriminals. Understanding how STRRAT operates on a technical level is essential for defending against its attacks and mitigating the damage caused by this powerful malware.
MITRE Tactics and Techniques
1. Initial Access (T1071.001)
Phishing: STRRAT is typically delivered through malicious spam (malspam) email campaigns containing malicious attachments (JAR files) that trick victims into downloading and executing the malware.
2. Execution (T1059.007, T1203)
User Execution: Malicious File: STRRAT requires users to manually execute a malicious JAR file, often disguised as a benign document.
JavaScript/Script Execution (T1059.007): The malware makes use of JavaScript to drop payloads or execute commands.
3. Persistence (T1547.001, T1053.005)
Registry Run Keys/Startup Folder (T1547.001): STRRAT creates a Windows Registry Run key to ensure it starts every time the system is rebooted or a user logs in.
Scheduled Task (T1053.005): STRRAT may also use scheduled tasks to maintain persistence on infected systems.
4. Privilege Escalation (T1134.001)
Access Token Manipulation (T1134.001): STRRAT can abuse Windows tokens to elevate privileges and perform actions under the context of a legitimate user.
5. Credential Access (T1003, T1555.003)
Credential Dumping (T1003): STRRAT attempts to steal credentials from the compromised system, specifically targeting saved passwords.
Credentials from Web Browsers (T1555.003): The malware is known to steal credentials from web browsers, including Chrome, Internet Explorer, and Firefox.
6. Discovery (T1082, T1057)
System Information Discovery (T1082): STRRAT gathers system information such as the operating system version, host details, and user accounts.
Process Discovery (T1057): It enumerates running processes to identify security software and other applications that may interfere with its execution.
7. Command and Control (T1071.001, T1071.002)
Application Layer Protocol (T1071.001): STRRAT communicates with its command-and-control (C2) server using HTTP and HTTPS to send and receive commands.
Standard Cryptographic Protocol (T1071.002): The malware may use encrypted communication channels to protect data in transit between the infected system and the attacker’s C2 server.
8. Exfiltration (T1041)
Exfiltration Over C2 Channel (T1041): STRRAT exfiltrates stolen data, such as credentials and keylogger data, to its C2 server over the same communication channel it uses for command and control.
9. Impact (T1489)
System Shutdown/Reboot (T1489): STRRAT can issue system shutdown or reboot commands to disrupt normal operations or erase traces of its activity.
10. Defense Evasion (T1140, T1027)
Deobfuscate/Decode Files or Information (T1140): STRRAT uses obfuscation techniques such as Base64 encoding to hide its malicious code and evade detection.
Obfuscated Files or Information (T1027): The malware’s payloads and configuration files are often obfuscated, making it difficult for traditional antivirus software to detect.