Microsoft Warns of Data Stealing Malware That Pretends to Be Ransomware

Microsoft on Thursday warned of a “huge email marketing campaign” that’s pushing a Java-centered STRRAT malware to steal private data from infected units while disguising itself as a ransomware infection.

“This RAT is notorious for its ransomware-like habits of appending the file name extension .crimson to files without having basically encrypting them,” the Microsoft Safety Intelligence team explained in a series of tweets.

The new wave of attacks, which the company spotted final week, commences with spam emails sent from compromised electronic mail accounts with “Outgoing Payments” in the topic line, luring the recipients into opening malicious PDF documents that claim to be remittances, but in truth, join to a rogue domain to down load the STRRAT malware.

password auditor

Other than creating connections to a command-and-command server throughout execution, the malware comes with a array of capabilities that enable it to obtain browser passwords, log keystrokes, and run remote commands and PowerShell scripts.

STRRAT very first emerged in the danger landscape in June 2020, with German cybersecurity company G Facts observing the Windows malware (edition 1.2) in phishing e-mail containing malicious Jar (or Java Archive) attachments.

“The RAT has a concentrate on stealing qualifications of browsers and e mail clients, and passwords by using keylogging,” G Info malware analyst Karsten Hahn detailed. “It supports the following browsers and e-mail clients: Firefox, World-wide-web Explorer, Chrome, Foxmail, Outlook, Thunderbird.”

Its ransomware capabilities are at very best rudimentary in that the “encryption” stage only renames data files by suffixing the “.crimson” extension. “If the extension is removed, the information can be opened as regular,” Kahn additional.

Microsoft also notes that model 1.5 is extra obfuscated and modular than past variations, suggesting that the attackers powering the operation are actively doing work to improvise their toolset. But the actuality that the bogus encryption conduct continues to be unchanged signals that the team may perhaps be aiming to make brief cash off unsuspecting buyers by usually means of extortion.

The indicators of compromise (IoCs) affiliated with the campaign can be accessed by using GitHub here.

Fibo Quantum