StrRAT steals credentials from infected systems and appends a .crimson extension to file names, but unlike real ransomware it does not encrypt any data.
In recent malware-related news, Microsoft took to Twitter to warn users about StrRAT, a Java-based remote access trojan (RAT) that poses as ransomware while taking control of systems and stealing credentials.
“This RAT is infamous for its ransomware-like behavior of appending the file name extension .crimson to files without actually encrypting them,” the Microsoft Security Intelligence team said in a series of tweets.
The RAT is distributed through an email campaign that sends spam from compromised email accounts, luring victims with subject lines such as “Outgoing Payments.”
The messages prompt users to open malicious PDF documents that claim to be remittances; when opened, they connect to a rogue domain that downloads StrRAT onto the device.
The new version of the RAT, 1.5, appears to be more “obfuscated and modular than previous versions”, according to the researchers. The added obfuscation makes the sample harder to analyze, but its capabilities are familiar: it collects browser passwords, logs keystrokes, and runs remote commands and PowerShell scripts.
The bogus encryption behavior, however, is unchanged from earlier versions, which suggests the group behind this RAT is looking to make quick money by extorting unsuspecting users who believe their files have been encrypted.
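Because StrRAT only renames files, a responder can confirm that before anyone treats the incident as real ransomware or considers paying. The Python triage script below is an added example written for this article, not code from Microsoft or from any StrRAT sample. It walks a directory for .crimson files, classifies each one by checking for a known file-header signature (the MAGIC table is an assumed subset of common formats) and, failing that, by the Shannon entropy of the first 4 KiB (the 7.5 bits-per-byte threshold is an assumption), and with restore=True strips the fake extension only where the header proves the content is intact. The sample folder it builds is constructed test data.

```python
import hashlib
import math
import tempfile
from pathlib import Path

FAKE_EXT = ".crimson"

# File-header signatures for a handful of common document, image and archive
# formats. This is an assumed subset chosen for the example, not a complete list.
MAGIC = {
    b"%PDF": "pdf",
    b"\x89PNG\r\n\x1a\n": "png",
    b"\xff\xd8\xff": "jpeg",
    b"PK\x03\x04": "zip / office open xml",
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1": "ole2 / legacy office",
}

# Real ciphertext looks like uniformly random bytes, so a header that scores
# near 8 bits per byte is a strong hint the file really was encrypted.
# The threshold is an assumption for this example.
ENTROPY_THRESHOLD = 7.5
HEAD_BYTES = 4096


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of `data` (0.0 for empty input)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def classify(path: Path) -> tuple:
    """Decide whether a .crimson file is intact, probably encrypted, or needs a human look.

    Returns (verdict, detail) where verdict is one of
    "intact", "likely_encrypted" or "unrecognized".
    """
    head = path.read_bytes()[:HEAD_BYTES]
    for magic, fmt in MAGIC.items():
        if head.startswith(magic):
            # A valid header would not survive real encryption.
            return ("intact", fmt)
    entropy = shannon_entropy(head)
    if entropy >= ENTROPY_THRESHOLD:
        return ("likely_encrypted", f"entropy={entropy:.2f}")
    # No known header but not random either: plain text, CSV, etc. Inspect manually.
    return ("unrecognized", f"entropy={entropy:.2f}")


def triage(root: Path, restore: bool = False) -> dict:
    """Classify every *.crimson file under `root`.

    With restore=True, strip the fake extension only from files whose header
    proves the content is still intact; everything else is left untouched.
    """
    results = {}
    # Materialize and sort the listing first so renames do not disturb the walk.
    for path in sorted(root.rglob(f"*{FAKE_EXT}")):
        verdict, detail = classify(path)
        results[path.name] = (verdict, detail)
        if restore and verdict == "intact":
            original = path.with_name(path.name[: -len(FAKE_EXT)])
            if not original.exists():
                path.rename(original)
    return results


def build_sample_dir() -> Path:
    """Create constructed sample data mimicking a folder StrRAT has renamed.

    Three files are merely renamed (a PDF, a PNG and a text note); the fourth
    is pseudo-random bytes standing in for what real ransomware leaves behind.
    """
    root = Path(tempfile.mkdtemp(prefix="crimson_triage_"))
    (root / "invoice.pdf.crimson").write_bytes(
        b"%PDF-1.4\n1 0 obj << /Type /Catalog >> endobj\n" * 20)
    (root / "logo.png.crimson").write_bytes(b"\x89PNG\r\n\x1a\n" + b"\x00" * 256)
    (root / "notes.txt.crimson").write_bytes(
        b"Outgoing payments for Q2 reviewed and approved.\n" * 40)
    ciphertext = b"".join(
        hashlib.sha256(i.to_bytes(4, "big")).digest() for i in range(HEAD_BYTES // 32))
    (root / "secret.docx.crimson").write_bytes(ciphertext)
    return root


if __name__ == "__main__":
    sample = build_sample_dir()
    for name, (verdict, detail) in triage(sample, restore=True).items():
        print(f"{name:24s} {verdict:17s} {detail}")
    print("remaining:", sorted(p.name for p in sample.iterdir()))
```

Only files with a recognizable header are renamed back; text-like files with no signature are reported as unrecognized rather than touched, since a low-entropy body is suggestive but not proof. Where backups or file hashes exist, comparing them against the renamed files is the definitive check.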
Microsoft says Microsoft 365 Defender delivers “coordinated defense against this threat” and protects users from the campaign's malicious emails once they are detected.
The company's Security Intelligence team has also published indicators of compromise on GitHub so that other defenders can identify StrRAT activity before it does any damage.