STRRAT’s Latest Version Incorporates Dual Obfuscation Layers


Key Takeaways


• The blog highlights a new infection technique for distributing STRRAT version 1.6. It involves a spam email with a PDF attachment that, when opened, downloads a zip file containing the malicious JavaScript, which drops STRRAT.
• STRRAT version 1.6 employs two string obfuscation techniques: “Zelix KlassMaster (ZKM)” and “Allatori”, making it more challenging for security researchers to analyze and detect the malware.
• STRRAT version 1.6 has evolved from its previous variants and has been actively distributed since March 2023. It has been detected in the wild using various infection chains.
• The malware retains its key functionalities, which include targeting popular web browsers like Chrome, Firefox, and Internet Explorer, as well as widely used email clients such as Outlook, Thunderbird, and Foxmail.



In 2020, STRRAT, a Java-based Remote Access Trojan (RAT), emerged with a diverse set of functionalities, enabling activities like keylogging and pilfering credentials from browsers and email clients. Additionally, it has been detected incorporating a “Crimson” Ransomware module. Over time, since its initial discovery, STRRAT has continuously evolved and employed various infection chains.

Cyble Research And Intelligence Labs (CRIL) recently identified a new infection technique used to distribute STRRAT. This new method involves the distribution of STRRAT version 1.6, which utilizes two string obfuscation techniques. Detailed information about these techniques can be found in the technical analysis section.

The figure below shows the infection flow:

Figure 1 – STRRAT Infection chain


Initial Infection


The infection begins with a spam email sent to the target, purporting to come from an electronics company. The email carries a PDF attachment presented as an invoice.

Figure 2 – Spam email with a PDF attachment


After opening the PDF attachment, a download image is displayed within the PDF. When clicked, it downloads a zip file named “” from the URL hxxps://tatchumbemerchants[.][.]zip.

Figure 3 – Malicious PDF attachment

Inside the downloaded Zip file, there is a JavaScript file that contains the encrypted payload of STRRAT.

Figure 4 – Zip contains JavaScript file
Figure 5 – JavaScript file

When executed, the JavaScript file decrypts the payload embedded within it and drops the file “lypbtrtr.txt” into the “\AppData\Roaming” directory.

Figure 6 – JavaScript drops a file with a .txt extension

Checking the file type rather than the extension shows that the “.txt” file is in fact a disguised zip (JAR) file. Extracting it reveals two folders, “carLambo” and “META-INF”, containing classes, resources, and a MANIFEST.MF file. The “carLambo” package name identifies the file as the STRRAT malware.

Figure 7 – JAR file content
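As an added illustration of the content-based file check described above (example code, not from the original post), the following Python classifies a file by its bytes rather than its extension. The carLambo/ entry names are taken from the post; the archive it builds is a constructed stand-in with empty placeholder bodies, not an STRRAT sample.

```python
import io
import sys
import zipfile

ZIP_MAGIC = b"PK\x03\x04"          # local file header of a zip/JAR container
STRRAT_PACKAGE = "carLambo/"       # package name the post associates with STRRAT


def classify_dropped_file(data: bytes) -> dict:
    """Classify a file by content, ignoring its (possibly misleading) extension."""
    result = {"is_zip": False, "is_jar": False, "strrat_package": False, "entries": []}
    if not data.startswith(ZIP_MAGIC):
        return result                       # a genuine text file stops here
    result["is_zip"] = True
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
    except zipfile.BadZipFile:
        return result                       # PK magic but no readable central directory
    result["entries"] = names
    result["is_jar"] = "META-INF/MANIFEST.MF" in names
    result["strrat_package"] = any(n.startswith(STRRAT_PACKAGE) for n in names)
    return result


def scan_path(path: str) -> dict:
    """Read a file from disk (for example the dropped %APPDATA%\\lypbtrtr.txt) and classify it."""
    with open(path, "rb") as fh:
        return classify_dropped_file(fh.read())


def build_constructed_sample() -> bytes:
    """Constructed stand-in for the dropped .txt: a JAR-shaped archive carrying the
    entry names the post reports. Bodies are empty placeholders, not STRRAT code."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        zf.writestr("carLambo/FirstRun.class", b"")
        zf.writestr("carLambo/WinGDI.class", b"")
        zf.writestr("carLambo/resources/config.txt", b"")
    return buf.getvalue()


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else None
    verdict = scan_path(target) if target else classify_dropped_file(build_constructed_sample())
    print(verdict)
```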

Technical Analysis


In our analysis of STRRAT, we found that the class names had been modified; in the previous variant, all class names were gibberish. We also observed that STRRAT now uses two string obfuscators, “Allatori” and “Zelix KlassMaster (ZKM)”, whereas the previous variants used only “Allatori”.

Figure 8 – JAR file with obfuscated classes

As shown in Figure 8, the strings are deobfuscated in two stages. First, the strings obfuscated by “Zelix KlassMaster” are deobfuscated; the figure below shows the code after ZKM deobfuscation.

Figure 9 – ZKM deobfuscated code

After completing the ZKM deobfuscation process, the next step involves deobfuscating the strings against the Allatori obfuscator.

The figure below illustrates the JAR file containing the now-readable strings.

Figure 10 – Code after Allatori deobfuscation

Upon analyzing the deobfuscated JAR file, we came across the “ad.class” file, which points to the presence of a new version of the STRRAT malware (version 1.6). This variant has been actively distributed since March 2023 and disseminated through various infection chains. Over 70 samples of this particular version have been identified in the wild.

Figure 11 – Strings in the file indicate the new version of STRRAT


Persistence mechanism:


To maintain persistence, the RAT creates a scheduled task named “Skype,” as shown below.

Figure 12 – Creates a scheduled task

Like previous versions of STRRAT, version 1.6 stores its Command and Control (C&C) server information in an encrypted config.txt file. The config.txt content is Base64-encoded and AES-encrypted.

Figure 13 – Fetched C&C data from config.txt file

The decrypted strings from the config.txt file are shown below:

Figure 14 – Decrypted strings from config.txt file


Our analysis showed that STRRAT version 1.6 retains the same functionalities as its previous versions. It continues to target popular web browsers like Chrome, Firefox, and Internet Explorer, along with widely used email clients such as Outlook, Thunderbird, and Foxmail. It steals sensitive information from the victim’s machine.

Figure 15 – STRRAT targeting browsers and email clients

C&C communication:


Once STRRAT connects to the C&C server, it can execute the below commands:

Command Description
reboot Reboots the system
shutdown Shuts down the system
uninstall Deletes the scheduled task
disconnect Disconnects the socket connection
down-n-exec Downloads and executes a file
update Executes the file received from the server
up-n-exec Executes a file with the extension .jar, .js, .vbs, or .wsf
remote-cmd Executes commands using cmd.exe
power-shell Executes commands using powershell.exe
file-manager Executes commands related to file operations
keylogger Sends the keylog file
o-keylogger Starts offline keylogging
processes Interacts with running processes
h-browser Creates a Strigoi Browser using Firefox or Chrome
startup-list Prepares an autorun list so the malware runs at system startup or user logon
remote-screen Allows remote control of the system
rev-proxy Creates a reverse proxy
hrdp-new Installs the Hidden RDP installer
hrdp-res Restores hidden RDP sessions
chrome-pass Retrieves Chrome credentials
foxmail-pass Retrieves Foxmail credentials
outlook-pass Retrieves Outlook credentials
fox-pass Retrieves Firefox credentials
tb-pass Retrieves Thunderbird credentials
ie-pass Retrieves Internet Explorer credentials
all-pass Retrieves credentials for all targeted browsers and email clients
chk-priv Checks user privileges
req-priv Attempts to obtain administrator privileges
rw-encrypt Encrypts files and stores them with the “.crimson” extension
rw-decrypt Decrypts files
show-msg Shows the ransom message
screen-on Keeps the screen on



The analysis of the STRRAT malware, particularly version 1.6, reveals the continuous evolution and sophistication of this Java-based Remote Access Trojan. Since its emergence in 2020, STRRAT has undergone significant modifications, making it a persistent threat to cybersecurity.

The distribution of STRRAT through spam emails, disguising the payload inside a JavaScript file downloaded via a PDF attachment, showcases the Threat Actor’s (TA’s) efforts to conceal its presence and evade detection. The integration of two string obfuscation techniques, “Zelix KlassMaster” and “Allatori,” further complicates the analysis process and demonstrates the threat actor’s dedication to improving the malware’s evasion capabilities.

The presence of over 70 samples of STRRAT version 1.6 in the wild indicates an active and ongoing campaign by the TA, underlining the urgency for organizations to remain vigilant against this threat.

Our Recommendations


We have listed some essential cybersecurity best practices that create the first line of control against attackers. We recommend that our readers follow the best practices given below:
• Implement strong email filtering solutions to detect and block spam emails, phishing attempts, and malicious attachments.
• Refrain from opening untrusted links and email attachments without verifying their authenticity.
• Deploy robust endpoint security solutions that include antivirus, anti-malware, and anti-ransomware software. Keep these security tools up-to-date to ensure protection against the latest threats.
• Utilize URL filtering mechanisms to block access to known malicious websites and domains. This can prevent users from inadvertently downloading malware from malicious URLs.
• Conduct regular cybersecurity training sessions for employees, educating them about the latest threats, phishing techniques, and the importance of being cautious with email attachments and links. Make them aware of the risks of downloading and executing files from unknown sources.
• Monitor the beacon on the network level to block data exfiltration by malware or TAs.

MITRE ATT&CK® Techniques


Tactic Technique ID Technique Name
Initial Access T1566.001 Phishing: Spearphishing Attachment
Execution T1204.002 User Execution: Malicious File
Execution T1059.001 Command and Scripting Interpreter: PowerShell
Execution T1059.003 Command and Scripting Interpreter: Windows Command Shell
Execution T1053.005 Scheduled Task/Job: Scheduled Task
Persistence T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
Defense Evasion T1140 Deobfuscate/Decode Files or Information
Defense Evasion T1027.009 Obfuscated Files or Information: Embedded Payloads
Credential Access T1555.003 Credentials from Password Stores: Credentials from Web Browsers
Collection T1056.001 Input Capture: Keylogging
Discovery T1418 Software Discovery
Exfiltration T1041 Exfiltration Over C2 Channel
Impact T1486 Data Encrypted for Impact

Indicators of Compromise (IOCs)


Indicators Indicator Type Description
[indicator not captured] [type not captured] Spam email
[indicator not captured] [type not captured] PDF attachment
[indicator not captured] [type not captured] JavaScript Dropper
talibangeneral[.]dynamic-dns[.]net Domain C&C server
hxxp://jbfrost[.]live/strigoi/server/?hwid=1&lid=m&ht=5 URL C&C server
[indicator not captured] SHA256 JavaScript Dropper

ET Rules


2030358 — ET MALWARE STRRAT CnC Checkin

2030359 — ET MALWARE STRRAT Initial HTTP Activity

2030360 — ET MALWARE STRRAT Requesting License Check

2044912 — ET DELETED Hash – STRRAT (ja3)


YARA Rules


rule strrat_javascript_dropper
{
    meta:
        author = "Cyble"
        description = "Detects STRRAT Javascript Files"
        date = "2023-08-04"
        os = "Windows"
        threat_name = "strrat"
        severity = 100
        reference_sample = "c9380f51f0dd7167f833669eda3063a1a8f34cc3e2d536f29153952772dc8b20"

    strings:
        $a = "tcejbOetaerC"   // "CreateObject" reversed
        $b = "noitisoP"       // "Position" reversed
        $c = "teSrahC"        // "CharSet" reversed
        $d = "txeTdaeR"       // "ReadText" reversed
        $e = "sH1n3k0"

    condition:
        ($a or $b or $c or $d) and $e
}

rule strrat
{
    meta:
        author = "Cyble"
        description = "Detects STRRAT jar Files"
        date = "2023-08-04"
        os = "Windows"
        threat_name = "strrat"
        severity = 100
        reference_sample = "9714dce49616e48fc4851d05453056939ab08bf140fe9a786616fa914debb4f4"

    strings:
        $a = "carLambo/WinGDI.class"
        $b = "carLambo/FirstRun.class"
        $c = "carLambo/resources/config.txt"

    condition:
        uint16(0) == 0x4b50 and all of them   // "PK" zip/JAR header, plus all three entry names
}

Detection Guidance


Create a rule that blocks the execution of the “javaw.exe” process if it originates from “Wscript.exe.” Additionally, the rule should target cases where the command line parameter of “javaw.exe” is directed to the “%appdata%” path and the file extension being executed is “.txt”.
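One way to express this guidance as matching logic, as an added example rather than a rule from the original post: it runs over constructed process-creation records shaped like Sysmon Event ID 1 fields (ParentImage, Image, CommandLine). The file paths, user name and the -jar argument in the sample records are assumptions; only the wscript.exe, javaw.exe, %appdata% and .txt elements come from the post.

```python
import ntpath
import re

# Constructed process-creation records in the shape of Sysmon Event ID 1 fields.
# Paths, user name and the "-jar" argument are assumptions, not values from the post.
SAMPLE_EVENTS = [
    {   # expanded %appdata% path, dropped .txt: should alert
        "ParentImage": r"C:\Windows\System32\wscript.exe",
        "Image": r"C:\Program Files\Java\jre\bin\javaw.exe",
        "CommandLine": r'"C:\Program Files\Java\jre\bin\javaw.exe" -jar "C:\Users\alice\AppData\Roaming\lypbtrtr.txt"',
    },
    {   # unexpanded variable and mixed-case process names: should still alert
        "ParentImage": r"C:\Windows\SysWOW64\WScript.exe",
        "Image": r"C:\Program Files\Java\jre\bin\JAVAW.EXE",
        "CommandLine": r"JAVAW.EXE -jar %APPDATA%\lypbtrtr.txt",
    },
    {   # ordinary Java application launched from Explorer: no alert
        "ParentImage": r"C:\Windows\explorer.exe",
        "Image": r"C:\Program Files\Java\jre\bin\javaw.exe",
        "CommandLine": r'"C:\Program Files\Java\jre\bin\javaw.exe" -jar C:\Tools\app.jar',
    },
    {   # right parent and path, but a .jar extension: outside the rule as written
        "ParentImage": r"C:\Windows\System32\wscript.exe",
        "Image": r"C:\Program Files\Java\jre\bin\javaw.exe",
        "CommandLine": r'javaw.exe -jar "C:\Users\alice\AppData\Roaming\payload.jar"',
    },
]

# An argument under %appdata% (literal, or expanded to \AppData\Roaming\) ending in .txt;
# quoted and unquoted arguments both match.
APPDATA_TXT_ARG = re.compile(r'(?:%appdata%|\\appdata\\roaming\\)[^"\s]*\.txt\b', re.IGNORECASE)


def is_suspicious_javaw_launch(event: dict) -> bool:
    """True when wscript.exe spawns javaw.exe with a %appdata%\\*.txt argument."""
    parent = ntpath.basename(event.get("ParentImage", "")).lower()
    image = ntpath.basename(event.get("Image", "")).lower()
    if parent != "wscript.exe" or image != "javaw.exe":
        return False
    return APPDATA_TXT_ARG.search(event.get("CommandLine", "")) is not None


def find_alerts(events: list) -> list:
    """Return the indexes of the events that match the rule."""
    return [i for i, ev in enumerate(events) if is_suspicious_javaw_launch(ev)]


if __name__ == "__main__":
    for idx in find_alerts(SAMPLE_EVENTS):
        print("ALERT:", SAMPLE_EVENTS[idx]["CommandLine"])
```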



Disclaimer: The provided detection guidance rules are purely illustrative and should not be directly implemented in a production environment without proper testing, validation, and consideration of potential impacts on system performance and security. Always exercise caution when implementing security rules or policies, and ensure you fully understand the consequences of any changes made to your system or network.
