Microsoft warns: the new STRRAT malware spreading via compromised email

Microsoft Security Intelligence discovered malware that poses as ransomware

Microsoft Security discovers an email campaign spreading StrRAT. A dangerous info-stealing Trojan is delivered via spam emails. Please be cautious.

Microsoft has reported[1] that its security intelligence team has discovered a dangerous computer infection, called StrRAT, being distributed in a massive email campaign. The emails come from compromised email accounts and carry an attachment that looks like a PDF file.

If the attachment is opened, it immediately connects to a remote server from which the malicious payload file is downloaded. Microsoft has shared two samples of the infected emails on its Twitter account. The two share some traits but also differ considerably. Both messages are addressed to a “supplier.”

One states that “your payment has been released as per attached payment advice” and urges the recipient to open the attached file to “verify payment adjustments.” The other suggests that the attachments contain information about specific outgoing payments.

At the end of both emails, an added disclaimer makes the phishing messages look legitimate. The distributed virus is the notorious Java-based StrRAT malware, which has several hazardous capabilities. Its main goal is to steal credentials, but it can also log keystrokes and take control of the infected device.

StrRAT virus functions as an info-stealer and mimics file encryption

The RAT in StrRAT stands for Remote Administration Tool,[2] which refers to one of the most hazardous traits of this infection: it can seek to take complete control of the infected device, letting the malware operators do whatever they please with it. Microsoft researchers pointed out that the email campaign delivered an upgraded version of the malware, StrRAT 1.5.

The infection also enables attackers to download additional malware,[3] log keystrokes, and collect various credentials, including:

  • banking info (bank account logins, credit card details, etc.),
  • social media and email account logins,
  • other saved usernames and passwords on browsers.

The distributed StrRAT also had one more peculiar function: it acted like ransomware, a hazardous type of infection that locks private data and demands a ransom to regain access to it. As soon as the malware landed on a device, it renamed personal files by adding the .crimson extension. Researchers noted:[4]

As part of the infection process, the malware adds a .crimson file name extension to files in an attempt to make the attack look like ransomware – although no files are actually encrypted.

Although the data was not encrypted, users might think it was, because double-clicking the renamed file will not open it. If StrRAT has infected your computer, rest assured that there is nothing wrong with the files themselves. All you have to do to access them again is remove the appended extension with the Rename function.
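The recovery step described above, stripping the appended extension once you have confirmed the file is intact, as an added example that is not code from the article or from Microsoft: a Python helper that checks each `.crimson` file for a recognisable header or low byte entropy before renaming it back, and reports what it would do in a dry run first. The header table, the 7.5 bits/byte threshold and the sample files are constructed assumptions for illustration.

```python
import math
import tempfile
from pathlib import Path

CRIMSON_EXT = ".crimson"

# Header bytes of a few common file types (constructed subset, extend as needed).
MAGIC = [b"%PDF", b"PK\x03\x04", b"\x89PNG", b"\xff\xd8\xff"]


def shannon_entropy(data: bytes) -> float:
    """Bits per byte of the sample; genuinely encrypted data sits close to 8.0."""
    if not data:
        return 0.0
    n = len(data)
    counts = (data.count(bytes([b])) for b in range(256))
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def looks_intact(data: bytes) -> bool:
    """True when the content still looks like a normal file: a known header or low entropy.
    The 7.5 bits/byte threshold is an assumption chosen for this example."""
    if any(data.startswith(m) for m in MAGIC):
        return True
    return shannon_entropy(data[:4096]) < 7.5


def restore_crimson_files(root, dry_run=True):
    """Strip the .crimson extension from files whose content is intact.
    Returns (path, outcome) pairs so the operator can review a dry run first."""
    outcomes = []
    for path in sorted(Path(root).rglob("*" + CRIMSON_EXT)):
        original = path.with_suffix("")  # invoice.pdf.crimson -> invoice.pdf
        if not looks_intact(path.read_bytes()[:4096]):
            outcomes.append((str(path), "skipped: content looks encrypted"))
        elif original.exists():
            outcomes.append((str(path), "skipped: original name already in use"))
        else:
            if not dry_run:
                path.rename(original)
            outcomes.append((str(path), "would rename" if dry_run else "renamed"))
    return outcomes


def build_demo_tree(root=None):
    """Constructed sample: two renamed-but-intact files and one high-entropy file."""
    root = Path(root) if root else Path(tempfile.mkdtemp())
    (root / "invoice.pdf.crimson").write_bytes(b"%PDF-1.4\n" + b"plain text " * 100)
    (root / "notes.txt.crimson").write_bytes(b"meeting notes, nothing encrypted here\n" * 20)
    (root / "secret.docx.crimson").write_bytes(bytes(range(256)) * 16)  # entropy 8.0
    return root
```

Run `restore_crimson_files(build_demo_tree())` for a dry run; only the two intact files are offered for renaming, and the high-entropy one is left for manual inspection.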

Watch out for phishing emails as the campaign might still be at large

The email campaign delivering this malware could still be active. That's why we feel obligated to tell our readers what to look out for. Microsoft has released[5] a list of domains known to be associated with the cyberattack. If you receive emails from any of the domains on that list, delete them immediately.


Although Microsoft Defender is a good security tool, we advise adding at least one more professional anti-malware product to keep your computers safe. These email campaigns are not isolated incidents: threat actors spread malware in many ways, and reliable AV software is your frontline defense.

About the author
Jake Doevan
Jake Doevan - Computer technology expert

Jake Doevan is one of the News Editors for 2-spyware.com. He graduated from Washington and Jefferson College, Communication and Journalism studies.
