{"id":6857,"date":"2021-08-18T12:10:55","date_gmt":"2021-08-18T19:10:55","guid":{"rendered":"https:\/\/blogs.infoblox.com\/?p=6857"},"modified":"2024-08-07T12:20:26","modified_gmt":"2024-08-07T19:20:26","slug":"transfer-themed-malspam-drops-strrat","status":"publish","type":"post","link":"https:\/\/www.infoblox.com\/blog\/threat-intelligence\/cyber-campaign-briefs\/transfer-themed-malspam-drops-strrat\/","title":{"rendered":"Transfer-Themed Malspam Drops STRRAT"},"content":{"rendered":"

Author: Nathan Toporek<\/strong><\/h3>\n

 <\/p>\n

Overview<\/h3>\n

On 11 August, Infoblox observed an email campaign distributing the STRRAT trojan via weaponized file attachments.<\/p>\n

Customer Impact<\/h3>\n

STRRAT is a Java-based remote access trojan (RAT) that is delivered in malicious email campaigns. Although Java runs on all operating systems, STRRAT is compatible only with Windows hosts. STRRAT can exfiltrate passwords to a command and control server (C&C), run code on infected hosts, enable attackers to control infected hosts directly, and create reverse proxies. In addition, it has a rudimentary ransomware module.1<\/sup><\/p>\n

Campaign Analysis<\/h3>\n

In this campaign, threat actors send victims an email with the subject Re:Transfer Request, no message body, and the file attachment transfer Request form.jar.<\/p>\n

Attack Chain<\/h3>\n

When the victim opens transfer Request form.jar, STRRAT gathers the host’s information, acquires its geolocation, and then sends this information to its C&C. The C&C responds with instruction(s) to run one or more follow-on commands. We observed password exfiltration and remote control; however, there are many more.<\/p>\n

\"\"<\/a><\/p>\n

 <\/p>\n

Vulnerabilities & Mitigation<\/h3>\n

This campaign relies on social-engineering tactics to infect computers with STRRAT. Infoblox recommends that users take the following actions to avoid similar infections:<\/p>\n