New Java STRRAT ships with .crimson ransomware module

struppigel

Apr 9, 2020
@upnorth shared a sample here that was the basis for this article. Enjoy :)

This Java based malware installs RDPWrap, steals credentials, logs keystrokes and remote controls Windows systems. It may soon be capable of infecting without Java installed.

Java is not commonly used for malware anymore and its runtime environment is not installed on as many systems as it was in the past. That makes it all the more surprising when new Java based malware families arise.
I am an active member of the forum malwaretips.com. A member of this forum, upnorth, shared a sample[2] to be used for testing Antivirus products. This sample[2] caught my attention. It was a Java archive but described as WSHRat. I expected to see either a dropper for a known WSH based RAT or another Adwind variant. I was wrong. This sample[2] is a new breed of Java RAT. One that is prepared to not rely on a preinstalled Java Runtime Environment (JRE).

(Image: JavaRAT_infectionchain2.png, the infection chain diagram)

plat1098

Sep 13, 2018
I apologize for possibly intruding. But seeing as this malware invokes Java, I'm asking whether OSArmor with at least these settings enabled would inhibit at least part, if not all, of this malware. I've seen a couple of instances where OSA announced it had blocked a process but the application opened anyway.

(Image: osa java.png, screenshot of the OSArmor settings)

This software hasn't been updated in almost two years, but I'm looking for as many good reasons to keep using it as possible. (y)

upnorth

Jul 27, 2015
Outlook prevents access to email attachments with .jar extension.
Microsoft implemented that in its blacklist last year. Google does the same in Gmail, but I don't know about other email services.
  1. Even though it is Java based, the RAT only works on Windows
  2. Even though preparations have been made to overcome this, the current chain still needs a pre-installed JRE
  3. Outlook blocks the email attachment
I expect that the second and third limitation may be removed soon because they are already prepared or easily implemented.
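The .jar attachment blocking mentioned in this post keys on the file extension. As an added example (not code from this thread or from the STRRAT analysis), the check below identifies a Java archive from its content instead, so a filter can flag the same class of attachment whatever its name; the attachment names and the two sample archives are constructed for the demo.

```python
import io
import zipfile


def _build_zip(entries):
    # Helper for the constructed samples below: entries are (name, payload).
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, payload in entries:
            zf.writestr(name, payload)
    return buf.getvalue()


# Constructed samples (not real malware): a minimal jar-like archive with a
# manifest and one class entry, and a harmless zip that only holds text.
SAMPLE_JAR = _build_zip([
    ("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\nMain-Class: Loader\n"),
    ("Loader.class", b"\xca\xfe\xba\xbe"),  # JVM class-file magic only
])
SAMPLE_ZIP = _build_zip([("readme.txt", "just text")])


def is_java_archive(data: bytes) -> bool:
    """True if `data` is a zip container whose entries mark it as a JAR."""
    # An extension blacklist only sees the file name; look at the container:
    # a JAR manifest or compiled .class entries identify a Java archive.
    if not data.startswith(b"PK\x03\x04"):
        return False
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
    except zipfile.BadZipFile:
        return False
    return "META-INF/MANIFEST.MF" in names or any(n.endswith(".class") for n in names)


def triage_attachments(attachments):
    """Return a (filename, verdict) pair for each (filename, bytes) attachment."""
    verdicts = []
    for name, data in attachments:
        if is_java_archive(data):
            note = "" if name.lower().endswith(".jar") else " (extension does not say .jar)"
            verdicts.append((name, "block: Java archive" + note))
        else:
            verdicts.append((name, "allow"))
    return verdicts


if __name__ == "__main__":
    for name, verdict in triage_attachments([("invoice.jar", SAMPLE_JAR),
                                             ("scan.zip", SAMPLE_JAR),
                                             ("notes.zip", SAMPLE_ZIP)]):
        print(name, "->", verdict)
```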

Andy Ful

Dec 23, 2014
...
Sidenote: I also hoped the phrase "is prepared" makes clear that the feature is there but not necessarily used.

Thanks. That makes sense. :)
I was somewhat fixed on the meaning "is prepared" ---> "is ready to use". (y)
The infection chain looks like the attacker used a Java dropper to reuse the sample [3] (VBS/Java RAT) which was already prepared to work without preinstalled Java.