Malware Analysis New Java STRRAT ships with .crimson ransomware module

struppigel

struppigel

Moderator
Thread author
Verified
Staff Member
Well-known
Apr 9, 2020
656
@upnorth shared a sample here that was the basis for this article. Enjoy :)

This Java based malware installs RDPWrap, steals credentials, logs keystrokes and remote controls Windows systems. It may soon be capable to infect without Java installed.

Java is not commonly used for malware anymore and its runtime environment is not installed on as many systems as it was in the past. The more it seems surprising when new Java based malware families arise.
I am an active member of the forum malwaretips.com. A member of this forum, upnorth, shared a sample[2] to be used for testing Antivirus products. This sample[2] caught my attention. It was a Java archive but described as WSHRat. I expected to see either a dropper for a known WSH based RAT or another Adwind variant. I was wrong. This sample[2] is a new breed of Java RAT. One that is prepared to not rely on a preinstalled Java Runtime Environment (JRE).
Click to expand...

JavaRAT_infectionchain2.png
 
  • Like
  • +Reputation
  • Thanks
Reactions: amico81, bribon77, Der.Reisende and 10 others
P

plat

Level 29
Top Poster
Sep 13, 2018
1,793
I apologize for possibly intruding. But seeing as this malware invokes Java, I'm asking whether OSArmor with at least these settings enabled would inhibit at least part--if not all--of this malware. I've seen a couple of instances where OSA announced it had blocked a process but the application opened anyway.

osa java.png

This software hasn't been updated in almost two years, but I'm looking for as many good reasons to keep using it as possible .(y)
 
  • Like
Reactions: amico81, bribon77, Der.Reisende and 8 others
upnorth

upnorth

Moderator
Verified
Staff Member
Malware Hunter
Well-known
Jul 27, 2015
5,459
Outlook prevents access to email attachments with .jar extension.
Click to expand...
Microsoft implemented that in it's blacklist last year. Google does the same in Gmail, but don't know about other email services.
threatpost.com

Microsoft Blacklists Dozens of New File Extensions in Outlook

In total, Microsoft has now blocked 142 file extensions that it deems as at risk or that are typically sent as malicious attachments in emails.
threatpost.com threatpost.com
  1. Even though it is Java based, the RAT only works on Windows
  2. Even though preparations have been made to overcome this, the current chain still needs a pre-installed JRE
  3. Outlook blocks the email attachment
I expect that the second and third limitation may be removed soon because are already prepared or easily implemented.
Click to expand...
www.gdatasoftware.com

New Java STRRAT ships with .crimson ransomware module

This Java based malware installs RDPWrap, steals credentials, logs keystrokes and remote controls Windows systems. It may soon be capable to infect without Java installed.
www.gdatasoftware.com www.gdatasoftware.com
 
  • Like
  • Thanks
  • +Reputation
Reactions: bribon77, Der.Reisende, silversurfer and 7 others
Andy Ful

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,119
struppigel said:
This sample[2] is a new breed of Java RAT. One that is prepared to not rely on a preinstalled Java Runtime Environment (JRE).



View attachment 242866
Click to expand...
This infection chain requires preinstalled Java. You probably have thought about the infection chain without "NEW ORDER.jar"?
 
  • Like
Reactions: bribon77, simmerskool, Der.Reisende and 4 others
Andy Ful

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,119
struppigel said:
...
Sidenote: I also hoped the phraze "is prepared" makes clear that the feature is there but not necessarily used.
Click to expand...

Thanks. That makes sense.:)
I was somewhat fixed with the meaning "is prepared" ---> "is ready to use".(y)
The infection chain looks like the attacker used Java dropper to reuse the sample [3] (VBS/Java RAT) which was already prepared to work without preinstalled Java.
 
Last edited:
  • Like
Reactions: bribon77, Protomartyr, simmerskool and 5 others

Similar threads

vtqhtr413
    • +Reputation
    • Like
    • Applause
Malware News New Vcurms Malware Targets Popular Browsers for Data Theft
Replies
0
Views
762
Security News
vtqhtr413
vtqhtr413
silversurfer
    • Like
    • +Reputation
RAT malware campaign tries to evade detection using polyglot files
Replies
0
Views
488
News Archive
silversurfer
silversurfer
Anthony Qian
    • +Reputation
    • Like
    • Thanks
New Update Avira expands its APC to support script malware
Replies
4
Views
1,265
Avira
Anthony Qian
Anthony Qian

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

Quick Navigation

Forum Rules Warning System Welcome Guide Two-factor Authentication

User Menu

Login

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top