• STRRAT version 1.6 employs two string obfuscation techniques: “Zelix KlassMaster (ZKM)” and “Allatori”, making it more challenging for security researchers to analyze and detect the malware.
• STRRAT version 1.6 has evolved from its previous variants and has been actively distributed since March 2023. It has been detected in the wild using various infection chains.
• The malware retains its key functionalities, which include targeting popular web browsers like Chrome, Firefox, and Internet Explorer, as well as widely used email clients such as Outlook, Thunderbird, and Foxmail.
In 2020, STRRAT, a Java-based Remote Access Trojan (RAT), emerged with a diverse set of functionalities, enabling activities like keylogging and pilfering credentials from browsers and email clients. Additionally, it has been detected incorporating a “Crimson” Ransomware module. Over time, since its initial discovery, STRRAT has continuously evolved and employed various infection chains.
Cyble Research And Intelligence Labs (CRIL) recently identified a new infection technique used to distribute STRRAT. This new method involves the distribution of STRRAT version 1.6, which utilizes two string obfuscation techniques. Detailed information about these techniques can be found in the technical analysis section.
The figure below shows the infection flow:
The infection initiates through a spam email sent to the target, which pretends to come from an electronic-based company. The email contains an attached PDF file, which is presented as an invoice.
After opening the PDF attachment, a download image is displayed within the PDF. When clicked, it downloads a zip file named “Invo-0728403.zip” from the URL hxxps://tatchumbemerchants[.]co.ke/Invo-0728403[.]zip.
Upon checking the file type, it becomes evident that the one with the “.txt” extension is, in fact, a disguised zip (JAR) file. After extracting its contents, a folder named “carLambo” and META-INF is revealed, containing classes, resources, and a MANIFEST.MF file. The presence of the “carLambo” package name indicates that the file is the STRRAT malware.
In our analysis of STRRAT, we discovered that the class names had undergone modifications, unlike the previous variant, where all the class names were gibberish. Furthermore, we observed that STRRAT currently utilizes two string obfuscators, namely “Allatori” and “Zelix KlassMaster (ZKM).” The previous variants were observed using only the “Allatori” obfuscator.
As shown in Figure 8, there are two methods for string deobfuscation. First, the string deobfuscation will be executed for “Zelix KlassMaster”.
The figure below shows the code after ZKM deobfuscation.
After completing the ZKM deobfuscation process, the next step involves deobfuscating the strings against the Allatori obfuscator.
The figure below illustrates the JAR file containing the now-readable strings.
Upon analyzing the deobfuscated JAR file, we came across the “ad.class” file, which points to the presence of a new version of the STRRAT malware (version 1.6). This variant has been actively distributed since March 2023 and disseminated through various infection chains. Over 70 samples of this particular version have been identified in the wild.
To maintain persistence, the RAT creates a task scheduler entry using the name “Skype,” as shown below.
Similar to previous versions of STRRAT, version 1.6 also utilizes an encrypted config.txt file to store the Command and Control (C&C) server information. The config.txt file is encoded with Base64 and encrypted using AES encryption.
The decrypted strings from the config.txt file are shown below:
Our analysis showed that STRRAT version 1.6 retains the same functionalities as its previous versions. It continues to target popular web browsers like Chrome, Firefox, and Internet Explorer, along with widely used email clients such as Outlook, Thunderbird, and Foxmail. It steals sensitive information from the victim’s machine.
Once STRRAT connects to the C&C server, it can execute the below commands:
|reboot||Reboots the system|
|shutdown||Shutdowns the system|
|uninstall||Deleting Scheduled task|
|disconnect||Disconnects socket connection|
|down-n-exec||Downloads and executes the file|
|update||Executes the file received from the server|
|up-n-exec||Executes the file with extension .jar, .js, .vbs, .wsf|
|remote-cmd||Executing commands using cmd.exe|
|power-shell||Executing commands using powershell.exe|
|file-manager||Executing commands related to file operations|
|keylogger||Sends Keylog file|
|o-keylogger||Starts offline keylogging|
|processes||Interacts with running processes|
|h-browser||Creates Strigoi Browser using Firefox or Chrome|
|startup-list||Prepares an autorun list to automatically run during system startup or user logon.|
|remote-screen||Allows remote control of the system|
|rev-proxy||Creates reverse proxy|
|hrdp-new||Installs Hidden RDP Installer|
|hrdp-res||Restore hidden RDP sessions|
|chrome-pass||Retrieve Chrome credentials|
|foxmail-pass||Retrieve Foxmail credentials|
|outlook-pass||Retrieve Outlook credentials|
|fox-pass||Retrieve Firefox credentials|
|tb-pass||Retrieve Thunderbird credentials|
|ie-pass||Retrieve Internet Explorer credentials|
|all-pass||Retrieve credentials for all targeted browser and email clients|
|chk-priv||Check user privileges|
|req-priv||Attempts to get administrator privileges|
|rw-encrypt||Encrypt files and stores with the “.crimson” extension|
|show-msg||Show ransom message|
|screen-on||Used to keep the screen on|
The analysis of the STRRAT malware, particularly version 1.6, reveals the continuous evolution and sophistication of this Java-based Remote Access Trojan. Since its emergence in 2020, STRRAT has undergone significant modifications, making it a persistent threat to cybersecurity.
The presence of over 70 samples of STRRAT version 1.6 in the wild indicates an active and ongoing campaign by the TA, underlining the urgency for organizations to remain vigilant against this threat.
We have listed some essential cybersecurity best practices that create the first line of control against attackers. We recommend that our readers follow the best practices given below:
• Implement strong email filtering solutions to detect and block spam emails, phishing attempts, and malicious attachments.
• Refrain from opening untrusted links and email attachments without verifying their authenticity.
• Deploy robust endpoint security solutions that include antivirus, anti-malware, and anti-ransomware software. Keep these security tools up-to-date to ensure protection against the latest threats.
• Utilize URL filtering mechanisms to block access to known malicious websites and domains. This can prevent users from inadvertently downloading malware from malicious URLs.
• Conduct regular cybersecurity training sessions for employees, educating them about the latest threats, phishing techniques, and the importance of being cautious with email attachments and links. Make them aware of the risks of downloading and executing files from unknown sources.
• Monitor the beacon on the network level to block data exfiltration by malware or TAs.
MITRE ATT&CK® Techniques
|Tactic||Technique ID||Technique Name|
|Initial Access||T1566.001||Phishing: Spearphishing Attachment|
|Execution||T1204.002||User Execution: Malicious File|
|Execution||T1059.001||Command and Scripting Interpreter: PowerShell|
|Execution||T1059.003||Command and Scripting Interpreter: Windows Command Shell|
|Execution||T1053.005||Scheduled Task/Job: Scheduled Task|
|Persistence||T1547.001||Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder|
|Defense Evasion||T1140||Deobfuscate/Decode Files or Information|
|Defense Evasion||T1027.009||Obfuscated Files or Information: Embedded Payloads|
|Credential Access||T1555.003||Credentials from Password Stores: Credentials from Web Browsers|
|Collection||T1056.001||Input Capture: Keylogging|
|Exfiltration||T1041||Exfiltration Over C2 Channel|
|Impact||T1486||Data Encrypted for Impact|
Indicators of Compromise (IOCs)
2030358 — ET MALWARE STRRAT CnC Checkin
2030359 — ET MALWARE STRRAT Initial HTTP Activity
2030360 — ET MALWARE STRRAT Requesting License Check
2044912 — ET DELETED Hash – STRRAT (ja3)
author = “Cyble”
date = “2023-08-04”
os = “Windows”
threat_name = “strrat”
severity = 100
reference_sample = “c9380f51f0dd7167f833669eda3063a1a8f34cc3e2d536f29153952772dc8b20”
$a = “tcejbOetaerC”
$b = “noitisoP”
$c = “teSrahC”
$d = “txeTdaeR”
$e = “sH1n3k0”
($a or $b or $c or $d) and $e
author = “Cyble”
description = “Detects STRRAT jar Files”
date = “2023-08-04”
os = “Windows”
threat_name = “strrat”
severity = 100
reference_sample = “9714dce49616e48fc4851d05453056939ab08bf140fe9a786616fa914debb4f4”
$a = “carLambo/WinGDI.class”
$b = “carLambo/FirstRun.class”
$c = “carLambo/resources/config.txt”
uint16(0) == 0x4b50 and all of them
Create a rule that blocks the execution of the “javaw.exe” process if it originates from “Wscript.exe.” Additionally, the rule should target cases where the command line parameter of “javaw.exe” is directed to the “%appdata%” path and the file extension being executed is “.txt”.
Disclaimer: The provided detection guidance rules are purely illustrative and should not be directly implemented in a production environment without proper testing, validation, and consideration of potential impacts on system performance and security. Always exercise caution when implementing security rules or policies, and ensure you fully understand the consequences of any changes made to your system or network.