If you are one of the people who open every PDF that lands in your inbox without a second thought, take care: an unexpected PDF attachment can carry newly discovered malware that steals your passwords. Open PDF attachments only when you are certain of their origin and sender.
Microsoft's Security Intelligence team has spotted a Trojan attack delivered through a "massive" email campaign with a nasty payload: malicious PDF attachments that download the Java-based remote access Trojan StrRAT.
"The latest version of the Java-based STRRAT malware (1.5) was seen being distributed in a massive email campaign last week. This RAT is infamous for its ransomware-like behavior of appending the file name extension .crimson to files without actually encrypting them." pic.twitter.com/mGow2sJupN — Microsoft Security Intelligence (@MsftSecIntel), May 19, 2021
What is StrRAT?
Threatpost provides details about StrRAT in its article. According to Microsoft Security Intelligence (MSI) researchers, who documented the malware's features in notes published on GitHub, StrRAT is a Java-based remote access tool that steals browser credentials, logs keystrokes and takes remote control of infected systems, all classic RAT behaviors.
The RAT also includes a module that, on command from its command-and-control (C2) server, fetches and drops an additional payload onto the infected machine, according to the researchers.
StrRAT also has a feature that is unusual for this class of malware: a "ransomware encryption/decryption module" that in practice only renames files, appending the .crimson extension to suggest that encryption is the next stage. As Microsoft noted, the files are not actually encrypted, so the renaming is a scare tactic rather than real ransomware, and the original content is still intact under the new name.
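Because the .crimson module only relabels files, a responder can often recover them by checking that each renamed file still starts with the magic bytes of its original format and, if so, dropping the added extension. The script below is an added example written for this article, not code from Microsoft, Threatpost or the StrRAT authors; the `MAGIC` table is an illustrative subset, the file names and contents are constructed samples, and the directory layout is an assumption.

```python
from pathlib import Path
import tempfile

MARKER = ".crimson"

# Illustrative subset of file-format magic bytes (original extension -> header).
# Not a complete table; extend it for the document types in your environment.
MAGIC = {
    ".pdf": b"%PDF-",
    ".docx": b"PK\x03\x04",   # OOXML documents are ZIP containers
    ".xlsx": b"PK\x03\x04",
    ".zip": b"PK\x03\x04",
    ".png": b"\x89PNG\r\n\x1a\n",
    ".jpg": b"\xff\xd8\xff",
}


def classify_crimson_file(path: Path) -> str:
    """Decide whether a '.crimson' file was merely renamed or really scrambled.

    Returns 'not_crimson', 'renamed_only' (header still matches the original
    format, so stripping the extension restores it) or 'encrypted_or_unknown'.
    """
    if path.suffix != MARKER:
        return "not_crimson"
    original = path.with_suffix("")                 # drop the appended ".crimson"
    expected = MAGIC.get(original.suffix.lower())
    if expected is None:
        return "encrypted_or_unknown"               # no header to compare against
    with open(path, "rb") as fh:
        head = fh.read(len(expected))
    return "renamed_only" if head == expected else "encrypted_or_unknown"


def restore_renamed_files(root: Path, dry_run: bool = False) -> dict:
    """Walk `root`; rename back files that were only relabelled, skip the rest."""
    report = {"restored": [], "skipped": []}
    for path in sorted(root.rglob("*" + MARKER)):
        if classify_crimson_file(path) != "renamed_only":
            report["skipped"].append(path.name)
            continue
        target = path.with_suffix("")
        if target.exists():
            # Never overwrite a file that already exists under the original name.
            report["skipped"].append(path.name)
            continue
        if not dry_run:
            path.rename(target)
        report["restored"].append(path.name)
    return report


def demo() -> dict:
    """Run the restore over a constructed sample directory (not real artefacts)."""
    root = Path(tempfile.mkdtemp(prefix="crimson_demo_"))
    # Constructed sample: a PDF that was only renamed ...
    (root / "invoice.pdf.crimson").write_bytes(b"%PDF-1.7\n% constructed sample\n")
    # ... a DOCX whose header no longer matches (treat as really damaged) ...
    (root / "notes.docx.crimson").write_bytes(b"\x00\x11\x22\x33 scrambled sample")
    # ... and an untouched file that must be left alone.
    (root / "readme.txt").write_bytes(b"untouched\n")
    report = restore_renamed_files(root)
    report["invoice_restored"] = (root / "invoice.pdf").exists()
    report["notes_left_alone"] = (root / "notes.docx.crimson").exists()
    return report


if __name__ == "__main__":
    print(demo())
```

Run it with `dry_run=True` first on a copy of the affected share: a file whose header no longer matches is left exactly as found, since renaming it would not help and could mislead a later analyst into thinking it had been recovered.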
How does the attack happen?
Threatpost gives a clear account of the campaign's mechanics: the attackers first compromise legitimate email accounts and then send out several variants of the lure, evidently hoping that at least one of them reaches its intended victim. Some of the emails carry the subject line "Outgoing Payments", which would look routine to someone working at a small firm; others purport to come from an "Accounts Payable Department".
According to Threatpost, "the attempt comprises multiple emails that all use social engineering to entice recipients to click on an attached file that appears to be a PDF but includes dangerous code."
"One email informs the recipient that there is an 'Outgoing Payment' with a specific reference number, most likely the attached PDF. Another message is sent to a 'Supplier' and appears to inform the recipient that 'your payment has been released as per the attached payment advice', and asks the receiver to 'check the alterations made in the attached PDF.'"
The delivery technique, phishing email, is also the campaign's weak point: nothing happens until a user opens the attachment, so mail filtering, attachment inspection and user awareness all get a chance to stop it before the RAT ever runs.
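Since the lure depends on an attachment that "appears to be a PDF", the useful gateway check is whether the attachment really is one. The script below is an added example for this article, not code from Microsoft or Threatpost and not a reproduction of the real campaign's attachment: it parses a message with Python's standard `email` module and flags attachments whose name says .pdf but whose bytes lack the `%PDF-` header, PDFs whose raw stream contains action keywords that can run code on open, and double extensions that hide the real type. The sample message, sender addresses and attachment contents are all constructed.

```python
import email
from email import policy
from email.message import EmailMessage

PDF_MAGIC = b"%PDF-"
# PDF keywords that let a document run code or act on open. Matching them in a
# raw byte stream is a crude triage signal, not a parser; treat hits as "inspect".
RISKY_PDF_TOKENS = (b"/JavaScript", b"/JS", b"/Launch", b"/OpenAction", b"/AA")


def triage_attachment(filename: str, payload: bytes) -> list:
    """Return a list of findings for one attachment (empty list = nothing odd)."""
    findings = []
    name = (filename or "").lower()
    if name.endswith(".pdf"):
        if not payload.startswith(PDF_MAGIC):
            findings.append("claims .pdf but lacks %PDF- header")
        else:
            for token in RISKY_PDF_TOKENS:
                if token in payload:
                    findings.append("pdf contains " + token.decode())
    # "report.pdf.zip"-style names: the visible ".pdf" is not the real type.
    parts = name.split(".")
    if len(parts) > 2 and "pdf" in parts[1:-1]:
        findings.append("double extension hides real type")
    return findings


def triage_message(raw: bytes) -> dict:
    """Map each attachment's file name to its findings."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    report = {}
    for part in msg.iter_attachments():
        name = part.get_filename() or "<unnamed>"
        report[name] = triage_attachment(name, part.get_payload(decode=True))
    return report


def build_sample_eml() -> bytes:
    """Constructed lure in the style described above (not a real campaign sample)."""
    msg = EmailMessage()
    msg["From"] = "accounts@example.invalid"
    msg["To"] = "supplier@example.invalid"
    msg["Subject"] = "Outgoing Payments"
    msg.set_content("Please check the alterations made in the attached PDF.")
    # 1) Named .pdf, but the bytes are a ZIP container.
    msg.add_attachment(b"PK\x03\x04" + b"\x00" * 16, maintype="application",
                       subtype="pdf", filename="payment_advice.pdf")
    # 2) A real PDF header carrying an OpenAction that runs JavaScript.
    msg.add_attachment(b"%PDF-1.4\n1 0 obj << /OpenAction 2 0 R >> endobj\n"
                       b"2 0 obj << /S /JavaScript /JS (app.alert(1)) >> endobj\n",
                       maintype="application", subtype="pdf", filename="remittance.pdf")
    # 3) Double extension: the visible ".pdf" hides a ZIP.
    msg.add_attachment(b"PK\x03\x04" + b"\x00" * 16, maintype="application",
                       subtype="zip", filename="statement.pdf.zip")
    # 4) A plain PDF with nothing suspicious.
    msg.add_attachment(b"%PDF-1.4\n1 0 obj << /Type /Catalog >> endobj\n",
                       maintype="application", subtype="pdf", filename="invoice.pdf")
    return msg.as_bytes()


if __name__ == "__main__":
    for name, findings in triage_message(build_sample_eml()).items():
        print(name, "->", findings or "ok")
```

The keyword scan deliberately errs on the side of noise: a legitimate form with a JavaScript validation script will trip it too, which is fine for a triage queue but not for an automatic block. Hits should go to a sandbox or an analyst rather than straight to quarantine.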
How to avoid being a victim of a StrRAT attack?
Treat unexpected emails and out-of-the-blue messages with the skepticism they deserve, especially when they mention money, offer an incentive or ask you to take action, and confirm with the sender through a separate channel before opening any attachment.
Microsoft says that Microsoft 365 Defender protects against StrRAT and that its machine learning-based protection can detect and block the malware on endpoints.