Microsoft: Massive malware campaign delivers fake ransomware

Kongo

Thread author
A massive malware campaign pushed the Java-based STRRAT remote access trojan (RAT), known for its data theft capabilities and the ability to fake ransomware attacks.
In a series of tweets, the Microsoft Security Intelligence team outlined how this "massive email campaign" spread the fake ransomware payloads using compromised email accounts.
The spam emails lured the recipients into opening what looked like PDF attachments but instead were images that downloaded the RAT malware when clicked.
"The emails contained an image that posed as a PDF attachment but, when opened, connected to a malicious domain to download the STRRAT malware," Microsoft said.
"This RAT is infamous for its ransomware-like behavior of appending the file name extension .crimson to files without actually encrypting them."

I think @struppigel can tell you guys more about this. (y)
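Because STRRAT's "ransomware" behaviour described above only appends .crimson to file names without encrypting the content, a responder can verify that on an affected machine and give the files their names back. The following Python triage script is an added example, not code from the article or from anyone in this thread; the magic-byte table and the 7.0 bits/byte entropy threshold are assumptions of mine, not published STRRAT indicators.

```python
import math
import sys
from pathlib import Path

FAKE_EXT = ".crimson"

# Magic bytes of common document formats. A ".crimson" file that still starts
# with one of these was only renamed, not encrypted. Assumed table; extend as needed.
MAGIC = (b"%PDF", b"PK\x03\x04", b"\x89PNG", b"\xff\xd8\xff",
         b"\xd0\xcf\x11\xe0", b"{\\rtf")


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte (0.0 to 8.0) of the given buffer."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def classify(head: bytes) -> str:
    """Return 'renamed' if the sampled content is still a known format or
    low-entropy plaintext, 'encrypted' if it looks like ciphertext."""
    if any(head.startswith(m) for m in MAGIC):
        return "renamed"
    # Real ciphertext sits near 8 bits/byte; text and most office files sit well
    # below. Compressed media without a listed magic may be misjudged: check by hand.
    return "renamed" if shannon_entropy(head) < 7.0 else "encrypted"


def triage(root: str, restore: bool = False) -> dict:
    """Walk `root`, classify every *.crimson file and, if `restore` is set,
    strip the fake extension from files that were merely renamed."""
    verdicts = {}
    for path in Path(root).rglob(f"*{FAKE_EXT}"):
        with path.open("rb") as fh:
            verdict = classify(fh.read(4096))   # first 4 KiB is enough to judge
        verdicts[str(path)] = verdict
        if restore and verdict == "renamed":
            path.rename(path.with_name(path.name[: -len(FAKE_EXT)]))
    return verdicts


if __name__ == "__main__":
    # Usage: python crimson_triage.py <directory> [--restore]
    target = sys.argv[1] if len(sys.argv) > 1 else "."
    for p, v in triage(target, restore="--restore" in sys.argv).items():
        print(f"{v:9} {p}")
```

Run it without --restore first and review the verdicts; only files classified as "renamed" are touched, and any "encrypted" verdict means the sample did more than the thread describes.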
 

Andy Ful
Scripts (including JAR files) are blocked in Outlook and Gmail. So, if one has Java installed on the system, it is recommended to use Outlook, Gmail, etc., which can block opening script attachments from emails. Unfortunately, many email clients and email service providers allow opening script attachments. :(

Attachments blocked by Outlook:

Attachments blocked by Gmail:
 

struppigel

Moderator
> Scripts (including JAR files) are blocked in Outlook and Gmail. So, if one has Java installed on the system, it is recommended to use Outlook, Gmail, etc., which can block opening script attachments from emails. Unfortunately, many email clients and email service providers allow opening script attachments. :(

The version that I analysed one year ago indeed contained a .JAR file as an attachment. But the new version mentioned by Microsoft is delivered via something that looks like a PDF. I could not determine from the Microsoft tweets if it is actually a PDF or a file posing as one. They don't say.

Anyway, I assume the StrRAT threat actors have made improvements to their infection chain and also their malware, seeing that there is a new version number. The whole infection chain might be working without pre-installed Java by now.
 

Andy Ful
> The version that I analysed one year ago indeed contained a .JAR file as an attachment. But the new version mentioned by Microsoft is delivered via something that looks like a PDF. I could not determine from the Microsoft tweets if it is actually a PDF or a file posing as one. They don't say.
>
> Anyway, I assume the StrRAT threat actors have made improvements to their infection chain and also their malware, seeing that there is a new version number. The whole infection chain might be working without pre-installed Java by now.

It seems to be a common drive-by attack:
"The emails contained an image that posed as a PDF attachment but, when opened, connected to a malicious domain to download the STRRAT malware."


I also found one sample (initial attack via JS script):
https://app.any.run/tasks/8409bd89-fe8c-4cb6-954b-4834d9621432/

There are many STRRAT samples on Any.Run, one has to click the "strrat" below "Total time" on the above analysis webpage.
 

Andy Ful
Here is an example from Any.Run:

In this attack the STRRAT malware is delivered via malicious URL.

The user is redirected to a webpage with a captcha (to be more convincing):

[screenshot: captcha page]

After passing the captcha, the malware is downloaded to disk with a warning that the file can harm the computer:

[screenshot: browser download warning]

If the user chooses to keep it, the malware can be run from the Downloads folder:

[screenshot: file in the Downloads folder]
 

Kongo

Thread author

> Okay thanks. I'm curious then what might happen if the same samples were run on Windows 10, 64 bit, with its built-in Defender settings at Default?
It also depends on the browser that is used if the site is blocked or not. The website from where the sample was dropped still is up at the moment, but I think it doesn't have any malicious content anymore as far as I can see (didn't fully check it out). Also the sample wasn't run in that example, he only downloaded the file.
 

wat0114

> It also depends on the browser that is used if the site is blocked or not. The website from where the sample was dropped still is up at the moment, but I think it doesn't have any malicious content anymore as far as I can see (didn't fully check it out). Also the sample wasn't run in that example, he only downloaded the file.
Of course, that makes sense. I use uBlock Origin extension on Medium mode, with some additional hardening filters, in both Firefox and Ungoogled-Chromium, so I would expect that alone would block it.
 

Kongo

Thread author

> Of course, that makes sense. I use uBlock Origin extension on Medium mode, with some additional hardening filters, in both Firefox and Ungoogled-Chromium, so I would expect that alone would block it.

Not sure, as I never really used uBlock Origin before. Does it even have any malware block-lists? However, I don't like depending on the web-protection of any extension or security software. NextDNS is great at preventing you from visiting malicious sites by having things like typosquatting protection and the blocking of newly registered domains (blocks domains that are newer than 30 days).
 

wat0114

> Not sure, as I never really used uBlock Origin before. Does it even have any malware block-lists?

Yes, there are a number of malware block lists that can be used, and then it will block iframes and 3rd-party scripts in Medium mode, along with ads. I might try NextDNS one of these days.

Kongo

Thread author

> BTW, the reason I asked about the older looking O/S is because I've seen this sort of thing before where testing a latest malware sample was done on an older O/S, and that rather puzzles me; why not test them on the latest O/S, Windows 10 in this case, especially with 64 bit?

Because AnyRun only offers Windows 7 32-bit in the free version. Otherwise you have to pay monthly, which is too pricey for an average user I guess...

 

struppigel

Moderator

> BTW, the reason I asked about the older looking O/S is because I've seen this sort of thing before where testing a latest malware sample was done on an older O/S, and that rather puzzles me; why not test them on the latest O/S, Windows 10 in this case, especially with 64 bit?

Depends on what you mean by testing.
I would not test security products on an outdated OS. That would be unfair.
But for analysis I run malware on an outdated OS because it increases the likelihood that I get to see malicious behaviour.
 

wat0114

> But for analysis I run malware on an outdated OS because it increases the likelihood that I get to see malicious behaviour.

Interesting! This is what I mean; I would have thought it more pertinent to the current effectiveness of the malware to test it on newer OSes, because more people are running Windows 10 than older Windows versions. That said, I understand your reasoning.
 

silversurfer

Maybe it's interesting for some people: another free sample analysis service, "Triage", where it's possible to run samples even on Windows 10 x64.

In the link below we can see the same sample, Scanned-Doc.js; its timestamp is from the same day (21-04-20) as the AnyRun analysis posted by @Andy Ful.


Below is a new analysis done a few minutes ago; as expected, the sample doesn't work anymore, compared to the first link above from 21-04-20.
 
