Microsoft Reports Massive Malware Campaign Delivering Fake Ransomware

Microsoft warns of a massive malware campaign that infects victims with STRRAT, a Java-based remote access trojan (RAT). The malware is known for its data-theft capabilities and for faking ransomware attacks.

The Microsoft Security Intelligence team used Twitter to quickly notify its users about a “massive email campaign.” According to Microsoft, attackers use compromised email accounts to spread the fake ransomware.

Attacks start with spam emails that contain what looks like a PDF attachment. In reality, it is an image that, when opened, downloads the RAT.

“The emails contained an image that posed as a PDF attachment but, when opened, connected to a malicious domain to download the STRRAT malware,” Microsoft said. “This RAT is infamous for its ransomware-like behavior of appending the file name extension .crimson to files without actually encrypting them.”

STRRAT is a Remote Administration Trojan (RAT) built for stealing login credentials saved in browsers and email clients, among other nefarious goals. The malware effectively fakes a ransomware attack by appending an extension to file names while stealing data in the background.

It first came onto the scene in June 2020. At the time, G DATA malware analyst Karsten Hahn described the malware, explaining how it infects Windows devices, downloads malicious JAR (Java ARchive) packages and, after two stages of VBScript, finally fetches the RAT payload.

STRRAT can log keystrokes, execute remote commands, and exfiltrate sensitive information such as credentials from email clients and browsers, including Firefox, Internet Explorer, Chrome, Foxmail, Outlook, and Thunderbird. Attackers can gain remote desktop access to the compromised machine with the help of an additional open-source component, the RDP Wrapper Library (RDPWrap).

Its unusual feature is that the malware doesn’t actually encrypt the victims’ files but simply appends the “.crimson” extension.

Some victims might still get fooled and succumb to the ransom demands; in addition:

“This might still work for extortion because such files cannot be opened anymore by double-clicking,” Hahn said. “If the extension is removed, the files can be opened as usual.”
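Because STRRAT only renames files, an incident responder can verify that the data is intact before restoring it. The following is an added example (not from Microsoft’s or G DATA’s analysis): it checks each “.crimson” file for a surviving file signature or low entropy and strips the extension only when the content is clearly unencrypted. The signature list, the entropy threshold and the sample files are constructed assumptions for illustration.

```python
import math
import os
import tempfile
from pathlib import Path

# Assumed: a few well-known file headers; a real triage tool would use a fuller list.
MAGIC = {
    b"%PDF": "pdf",
    b"PK\x03\x04": "zip/office",
    b"\x89PNG": "png",
    b"\xff\xd8\xff": "jpeg",
    b"\xd0\xcf\x11\xe0": "ole/legacy office",
}
FAKE_EXT = ".crimson"   # extension STRRAT appends without encrypting


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: near 8.0 for encrypted/random data, lower for real documents."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def triage_file(path: Path, sample: int = 4096) -> str:
    """'intact' if a known header survived or the sample is low-entropy, else 'suspect'."""
    head = path.read_bytes()[:sample]
    if any(head.startswith(m) for m in MAGIC):
        return "intact"          # signature survived, so the file was only renamed
    return "intact" if shannon_entropy(head) < 7.0 else "suspect"   # 7.0 is an assumed cutoff


def restore_renamed(root: Path) -> dict:
    """Strip FAKE_EXT from intact files; leave anything that looks encrypted untouched."""
    result = {"restored": [], "suspect": []}
    for p in list(root.rglob("*" + FAKE_EXT)):   # list() so renames don't disturb iteration
        original = p.name[:-len(FAKE_EXT)]
        if triage_file(p) == "intact":
            p.rename(p.with_name(original))
            result["restored"].append(original)
        else:
            result["suspect"].append(p.name)
    return result


def demo() -> dict:
    """Constructed sample: one renamed-but-intact PDF and one genuinely high-entropy file."""
    root = Path(tempfile.mkdtemp())
    (root / "report.pdf.crimson").write_bytes(b"%PDF-1.4\n" + b"hello world " * 200)
    (root / "photo.jpg.crimson").write_bytes(os.urandom(4096))
    return restore_renamed(root)
```

Files reported as “suspect” should be preserved for analysis rather than renamed, since a later variant could start encrypting for real.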

Since Microsoft researchers started analyzing this massive STRRAT campaign last week, its authors have kept improving it, adding more obfuscation and expanding its modular architecture. The core functionality, however, stays the same.


About the author

CIM Team

CyberIntelMag is the trusted authority in cybersecurity, comprised of leading industry experts for over 20 years, dedicated to serving cybersecurity professionals. Our goal is to provide a one-stop shop for knowledge and insight needed to navigate throughout today’s emerging cybersecurity landscape through in-depth coverage of breaking news, tutorials, product reviews, videos and industry influencers.