LTS Secure Warning: New Java STRRAT Being Delivered Via Spam Mail

Security researchers have recently identified a new strain of malware dubbed “STRRAT”, which ships with a “.crimson” ransomware module.


Technical Details

The infection begins with a spam email delivered to the victim. The email carries an attachment called “NEW ORDER.jar”; if the user opens it, a dropper retrieves and executes a VBScript called “bqhoonmpho.vbs”. PowerShell is used to replace characters in the obfuscated string. The dropper also downloads and installs the Java Runtime Environment, so that machines without Java installed are infected as well.

An elementary ransomware module is also bundled with the malware. The module appends “.crimson” to affected files but does not otherwise alter them, so the files can be recovered simply by removing the added extension.
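As an added example (not code from the advisory or from LTS Secure), the following Python script shows how a responder could triage a directory tree for the file-name indicators named above (“NEW ORDER.jar”, “bqhoonmpho.vbs”, files ending in “.crimson”) and restore the renamed files by stripping the appended extension. The sample directory it builds is constructed for the demo and contains no real malware; the indicator names are the only ones the advisory gives, so no hashes are used.

```python
"""Triage helper for the STRRAT / .crimson indicators described above.

Added example, not part of the advisory: walks a directory tree, reports files
whose names match the indicators the advisory names, and restores ".crimson"
files by removing the appended extension. The advisory states the module only
renames files, so the rename is the complete recovery step.
"""
from pathlib import Path
import tempfile

# Indicators named in the advisory (file names only; it gives no hashes).
DROPPER_NAMES = {"new order.jar", "bqhoonmpho.vbs"}
RANSOM_EXT = ".crimson"


def find_indicators(root):
    """Return (dropper_hits, crimson_files) found under root, as sorted path lists."""
    root = Path(root)
    droppers, crimson = [], []
    for p in root.rglob("*"):
        if not p.is_file():
            continue
        if p.name.lower() in DROPPER_NAMES:
            droppers.append(p)
        if p.suffix.lower() == RANSOM_EXT:
            crimson.append(p)
    return sorted(droppers), sorted(crimson)


def restore_crimson_file(path):
    """Strip the trailing .crimson extension and return the restored path.

    Refuses to overwrite an existing file so a surviving original is never lost."""
    path = Path(path)
    if path.suffix.lower() != RANSOM_EXT:
        raise ValueError(f"{path} does not carry the {RANSOM_EXT} extension")
    target = path.with_suffix("")  # 'invoice.docx.crimson' -> 'invoice.docx'
    if target.exists():
        raise FileExistsError(f"refusing to overwrite {target}")
    path.rename(target)
    return target


def restore_all(root, dry_run=True):
    """Restore every .crimson file under root; return a list of (old, new) pairs.

    With dry_run=True nothing is renamed and only the planned renames are returned."""
    _, crimson = find_indicators(root)
    plan = []
    for p in crimson:
        target = p.with_suffix("")
        if not dry_run:
            target = restore_crimson_file(p)
        plan.append((p, target))
    return plan


def build_sample_tree():
    """Create a constructed sample directory (not real victim data) for a demo run."""
    root = Path(tempfile.mkdtemp(prefix="strrat_demo_"))
    (root / "Downloads").mkdir()
    # Constructed stub attachments carrying only the names from the advisory.
    (root / "Downloads" / "NEW ORDER.jar").write_bytes(b"constructed stub, not a jar")
    (root / "bqhoonmpho.vbs").write_text("' constructed stub\n")
    docs = root / "Documents"
    docs.mkdir()
    (docs / "invoice.docx.crimson").write_bytes(b"constructed document content")
    (docs / "notes.txt.crimson").write_text("constructed notes\n")
    (docs / "untouched.txt").write_text("still fine\n")
    return root


if __name__ == "__main__":
    demo = build_sample_tree()
    droppers, crimson = find_indicators(demo)
    print("dropper indicators:", [str(p.relative_to(demo)) for p in droppers])
    print("renamed by ransomware module:", [str(p.relative_to(demo)) for p in crimson])
    for old, new in restore_all(demo, dry_run=False):
        print(f"restored {old.name} -> {new.name}")
```

Run it as-is for the demo, or call `find_indicators("<path>")` and `restore_all("<path>", dry_run=True)` against an isolated copy of a suspect host's files to see the planned renames before committing to them; the dry run is the default so an accidental call changes nothing.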


Impact

  • Log user’s keystrokes.
  • File Management.
  • Command Execution.
  • Download additional payloads.
  • Steal sensitive/confidential information like email login credentials, domain passwords & certificates.


Recommended Actions

  • Never download suspicious attachments or click on shady-looking links. Make an effort to educate your users on how to recognise malspam.
  • Always update your anti-virus software with the latest releases.
  • Periodically run “full system scan” on your endpoints.
  • Configure Firewall/IDS/IPS/Endpoint Protection systems properly so that no gaps are left open.
  • Isolate all of the compromised computers ASAP to prevent threats from spreading further inside your infrastructure.