As originally reported by TheRecord, Microsoft analysts are warning of a recent resurgence of the Java-based backdoor STRRAT. This backdoor was distributed via malspam carrying malicious PDF attachments. STRRAT is a typical credential stealer with the addition of custom shell/PowerShell command execution. Additionally, the RAT allows attackers to install RDWrap, an open source RDP session tool. The RAT also renames file extensions on the system to “.crimson”; however, it doesn’t encrypt the files, so restoring the original file names undoes the change.
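As an added example (not code from the report, Microsoft or Binary Defense), the following Python helper locates files carrying the appended “.crimson” extension and restores their original names without overwriting any file that already exists; the sample directory it builds is constructed for the demonstration.

```python
import tempfile
from pathlib import Path

# Extension STRRAT appends to files; the contents are left unencrypted.
CRIMSON_SUFFIX = ".crimson"


def find_crimson_files(root):
    """Return every regular file under root whose name ends with .crimson."""
    return sorted(p for p in Path(root).rglob("*")
                  if p.is_file() and p.name.endswith(CRIMSON_SUFFIX))


def restore_crimson_files(root, dry_run=False):
    """Strip the appended .crimson suffix to restore original file names.

    Returns a list of (renamed_path, restored_path) pairs. A file is skipped
    when the restored name already exists, so nothing on disk is overwritten.
    With dry_run=True the list is built but no file is touched.
    """
    restored = []
    for path in find_crimson_files(root):
        original_name = path.name[:-len(CRIMSON_SUFFIX)]
        if not original_name:  # a file literally named ".crimson"
            continue
        target = path.with_name(original_name)
        if target.exists():
            continue
        if not dry_run:
            path.rename(target)
        restored.append((path, target))
    return restored


def build_sample_tree():
    """Create a constructed sample directory mimicking a renamed host.

    Two renamed files (one in a subdirectory) plus a collision case where
    both keep.txt and keep.txt.crimson exist. Returns the directory path.
    """
    root = Path(tempfile.mkdtemp(prefix="strrat-sample-"))
    (root / "sub").mkdir()
    (root / "report.docx.crimson").write_bytes(b"report body")
    (root / "sub" / "notes.txt.crimson").write_bytes(b"notes body")
    (root / "keep.txt").write_bytes(b"original")
    (root / "keep.txt.crimson").write_bytes(b"renamed copy")
    return root


if __name__ == "__main__":
    sample = build_sample_tree()
    for renamed, restored in restore_crimson_files(sample):
        print(f"{renamed.name} -> {restored.name}")
```

Run it with dry_run=True first to review the planned renames; skipped collisions (such as keep.txt.crimson above) should be inspected by hand before deciding which copy to keep.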
As this RAT is spread via PDF attachments in malspam, Binary Defense recommends not opening attachments from email addresses that you don’t trust. Additionally, Binary Defense recommends employing a 24/7 SOC monitoring solution, such as Binary Defense’s own Security Operations Task Force.