In the latest malware developments, Microsoft has warned that a large email campaign is spreading STRRAT, a malware that steals sensitive data while masquerading as a ransomware attack.

Microsoft on the STRRAT malware:

Microsoft Security Intelligence tweeted about the campaign, noting that the Java-based STRRAT is notorious for its “ransomware-like behavior of appending the file name extension .crimson to files without actually encrypting them”.

According to Microsoft, the attack begins with spam emails sent from compromised email accounts.

These emails carry the subject line “Outgoing Payments” and prompt recipients to open a malicious PDF attachment.


The PDFs purport to contain transaction details but in fact connect to a rogue domain that downloads the STRRAT malware.

STRRAT then connects to a command-and-control (C2) server and begins its operations.

The malicious capabilities Microsoft describes include collecting browser passwords, logging keystrokes, and running remote commands and PowerShell scripts.

Previous Detections:

The malware was first detected in June 2020, when security firm G Data reported the Windows malware being delivered in phishing emails carrying Java Archive (JAR) attachments.

According to G Data, STRRAT specializes in stealing credentials from browsers and email clients and in capturing passwords via keylogging; the targeted applications include Firefox, Internet Explorer, Chrome, Foxmail, Outlook and Thunderbird.

Security experts describe the malware’s ransomware capabilities as rudimentary at best: the “encryption” phase only renames files by appending the .crimson extension. If the extension is removed, the files can be opened normally.
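Because the rename is the whole “encryption”, recovery is a bulk rename, but a responder should not strip extensions blindly: a sanity check on the file content tells you whether you are really looking at the STRRAT fake rather than a genuinely encrypted file. The script below is an added example written for this article, not code from Microsoft, G Data or the malware itself. It walks a directory, measures the byte entropy of each *.crimson file, restores the original name only when the content does not look encrypted, and skips anything that would overwrite an existing file. The 7.5 bits-per-byte threshold and the sample files are assumptions constructed for the demonstration.

```python
import math
import tempfile
from pathlib import Path

CRIMSON_EXT = ".crimson"
# Assumed cutoff: content at or above this many bits of entropy per byte is
# treated as genuinely encrypted/compressed and left alone. Tune for your data.
ENTROPY_THRESHOLD = 7.5


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; 8.0 means the byte values are uniformly distributed."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def looks_encrypted(path: Path, sample_size: int = 65536) -> bool:
    """Heuristic: read the first sample_size bytes and check their entropy."""
    with path.open("rb") as f:
        sample = f.read(sample_size)
    return shannon_entropy(sample) >= ENTROPY_THRESHOLD


def recover_crimson_files(root: Path) -> dict:
    """Rename *.crimson files back to their original names when the content is intact.

    Returns {"restored": [original paths], "skipped": [paths left untouched]} as strings.
    A file is skipped when it looks encrypted, when its original name would be empty,
    or when a file with the original name already exists (never overwrite evidence).
    """
    result = {"restored": [], "skipped": []}
    for path in sorted(root.rglob(f"*{CRIMSON_EXT}")):
        if not path.is_file():
            continue
        original_name = path.name[: -len(CRIMSON_EXT)]
        if not original_name:
            result["skipped"].append(str(path))
            continue
        original = path.with_name(original_name)
        if original.exists() or looks_encrypted(path):
            result["skipped"].append(str(path))
            continue
        path.rename(original)
        result["restored"].append(str(original))
    return result


def build_sample_dir() -> Path:
    """Constructed sample data (not real victim files): a plain-text PDF-like file
    and a file of uniformly distributed bytes, both renamed with .crimson as STRRAT does."""
    root = Path(tempfile.mkdtemp(prefix="crimson_demo_"))
    (root / "invoice.pdf.crimson").write_bytes(
        b"%PDF-1.4\n" + b"plain invoice text line\n" * 100
    )
    (root / "really_encrypted.bin.crimson").write_bytes(bytes(range(256)) * 16)
    return root


if __name__ == "__main__":
    demo_root = build_sample_dir()
    for kind, paths in recover_crimson_files(demo_root).items():
        for p in paths:
            print(f"{kind}: {p}")
```

Running the script restores invoice.pdf and leaves really_encrypted.bin.crimson in place. On a real incident, run it against a copy of the affected share rather than the original, and keep the list of skipped files for the forensic record: those are the ones whose content did not match the fake-encryption pattern.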

Microsoft also notes that the operators of STRRAT are continually improving and weaponizing the malware; its analysis found that version 1.5 is more modular and advanced than previous versions.

But the fact that the bogus encryption behavior remains unchanged suggests the group is aiming to make quick money by extorting unsuspecting users.