Malware Analysis New Java STRRAT ships with .crimson ransomware module

struppigel

Super Moderator
Thread author
Verified
Staff Member
Well-known
Apr 9, 2020
667
@upnorth shared a sample here that was the basis for this article. Enjoy :)

This Java based malware installs RDPWrap, steals credentials, logs keystrokes and remote controls Windows systems. It may soon be capable of infecting systems without Java installed.

Java is not commonly used for malware anymore, and its runtime environment is not installed on as many systems as it was in the past. It is all the more surprising when new Java based malware families arise.
I am an active member of the forum malwaretips.com. A member of this forum, upnorth, shared a sample[2] to be used for testing Antivirus products. This sample[2] caught my attention. It was a Java archive but described as WSHRat. I expected to see either a dropper for a known WSH based RAT or another Adwind variant. I was wrong. This sample[2] is a new breed of Java RAT. One that is prepared to not rely on a preinstalled Java Runtime Environment (JRE).


plat

Level 29
Top Poster
Sep 13, 2018
1,793
I apologize for possibly intruding. But seeing as this malware invokes Java, I'm asking whether OSArmor with at least these settings enabled would inhibit at least part--if not all--of this malware. I've seen a couple of instances where OSA announced it had blocked a process but the application opened anyway.


This software hasn't been updated in almost two years, but I'm looking for as many good reasons to keep using it as possible. (y)
 

upnorth

Level 68
Verified
Top Poster
Malware Hunter
Well-known
Jul 27, 2015
5,458
Outlook prevents access to email attachments with the .jar extension.
Microsoft implemented that in its blacklist last year. Google does the same in Gmail, but I don't know about other email services.
  1. Even though it is Java based, the RAT only works on Windows
  2. Even though preparations have been made to overcome this, the current chain still needs a pre-installed JRE
  3. Outlook blocks the email attachment
I expect that the second and third limitation may be removed soon because they are already prepared or easily implemented.
 

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,510
This sample[2] is a new breed of Java RAT. One that is prepared to not rely on a preinstalled Java Runtime Environment (JRE).
This infection chain requires preinstalled Java. You probably have thought about the infection chain without "NEW ORDER.jar"?
 

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,510
...
Sidenote: I also hoped the phrase "is prepared" makes clear that the feature is there but not necessarily used.

Thanks. That makes sense. :)
I was somewhat fixed on the meaning "is prepared" ---> "is ready to use". (y)
The infection chain looks like the attacker used a Java dropper to reuse the sample [3] (VBS/Java RAT) which was already prepared to work without preinstalled Java.
 