Key Takeaways
• The blog highlights a new infection technique for distributing STRRAT version 1.6. It involves a spam email with a PDF attachment that, when opened, downloads a zip file containing the malicious JavaScript, which drops STRRAT.
• STRRAT version 1.6 employs two string obfuscation techniques: “Zelix KlassMaster (ZKM)” and “Allatori”, making it more challenging for security researchers to analyze and detect the malware.
• STRRAT version 1.6 has evolved from its previous variants and has been actively distributed since March 2023. It has been detected in the wild using various infection chains.
• The malware retains its key functionalities, which include targeting popular web browsers like Chrome, Firefox, and Internet Explorer, as well as widely used email clients such as Outlook, Thunderbird, and Foxmail.
Overview
In 2020, STRRAT, a Java-based Remote Access Trojan (RAT), emerged with a diverse set of functionalities, enabling activities like keylogging and pilfering credentials from browsers and email clients. Additionally, it has been detected incorporating a “Crimson” Ransomware module. Over time, since its initial discovery, STRRAT has continuously evolved and employed various infection chains.
Cyble Research And Intelligence Labs (CRIL) recently identified a new infection technique used to distribute STRRAT. This new method involves the distribution of STRRAT version 1.6, which utilizes two string obfuscation techniques. Detailed information about these techniques can be found in the technical analysis section.
The figure below shows the infection flow:
Figure 1 – STRRAT Infection chain
Initial Infection
The infection begins with a spam email sent to the target that purports to come from an electronics company. The email carries a PDF attachment presented as an invoice.
Figure 2 – Spam email with a PDF attachment
When the PDF attachment is opened, it displays a download image. Clicking it downloads a zip file named “Invo-0728403.zip” from the URL hxxps://tatchumbemerchants[.]co.ke/Invo-0728403[.]zip.
Figure 3 – Malicious PDF attachment
Inside the downloaded Zip file, there is a JavaScript file that contains the encrypted payload of STRRAT.
Figure 4 – Zip contains JavaScript file
Figure 5 – JavaScript file
When executed, the JavaScript file decrypts the payload embedded within it and drops the file “lypbtrtr.txt” into the “AppData\Roaming” directory.
Figure 6 – JavaScript drops a file with .txt extension.
Checking the file type shows that the file with the “.txt” extension is, in fact, a disguised zip (JAR) file. Extracting it reveals a folder named “carLambo” and a META-INF folder, which together contain classes, resources, and a MANIFEST.MF file. The presence of the “carLambo” package name indicates that the file is the STRRAT malware.
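The check described above, that a dropped “.txt” is really a ZIP/JAR and that its top-level package name gives the family away, can be scripted for triage. The following is an added example written for this article, not code from the Cyble write-up: it tests for the ZIP magic bytes, flags an archive hiding behind a non-archive extension, reads the manifest and lists the top-level packages. Only the “carLambo” package name comes from the report; the in-memory sample archive and its placeholder contents are constructed for the demo.

```python
"""Triage helper: spot a JAR hiding behind a misleading file extension.

Added example (not from the Cyble write-up). It recreates the check the
analysis describes: the dropped "lypbtrtr.txt" is really a ZIP/JAR, and its
top-level package name ("carLambo") points at STRRAT. The sample archive
built at the bottom is constructed in memory purely for the demo.
"""
import io
import zipfile
from typing import Dict

# Local-file-header signature that opens every ZIP archive ("PK\x03\x04").
ZIP_MAGIC = b"PK\x03\x04"

# Extensions under which a ZIP container is expected; anything else is a mismatch.
ARCHIVE_EXTENSIONS = {".zip", ".jar", ".war", ".apk"}

# Package names associated with STRRAT builds. Only "carLambo" is taken from
# the report; extend this set from your own samples (assumption-free otherwise).
SUSPICIOUS_PACKAGES = {"carLambo"}


def is_zip_container(data: bytes) -> bool:
    """True when the bytes start with the ZIP local-file-header signature."""
    return data[:4] == ZIP_MAGIC


def extension_of(filename: str) -> str:
    """Lower-cased extension including the dot, or '' when there is none."""
    dot = filename.rfind(".")
    return filename[dot:].lower() if dot != -1 else ""


def inspect_jar(data: bytes) -> Dict[str, object]:
    """Open the bytes as a ZIP and summarise what makes it look like a JAR."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        has_manifest = "META-INF/MANIFEST.MF" in names
        main_class = None
        if has_manifest:
            manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
            for line in manifest.splitlines():
                if line.startswith("Main-Class:"):
                    main_class = line.split(":", 1)[1].strip()
        classes = [n for n in names if n.endswith(".class")]
        # Top-level directory of each class file, e.g. "carLambo/Main.class" -> "carLambo".
        packages = sorted({n.split("/", 1)[0] for n in classes if "/" in n})
    return {"has_manifest": has_manifest, "main_class": main_class,
            "class_count": len(classes), "packages": packages}


def triage(filename: str, data: bytes) -> Dict[str, object]:
    """Combine the checks into a single verdict for a dropped file."""
    result: Dict[str, object] = {
        "filename": filename,
        "is_zip": is_zip_container(data),
        "extension_mismatch": False,
        "suspicious_packages": [],
        "verdict": "clean-looking",
    }
    if not result["is_zip"]:
        return result
    result["extension_mismatch"] = extension_of(filename) not in ARCHIVE_EXTENSIONS
    details = inspect_jar(data)
    result.update(details)
    result["suspicious_packages"] = [p for p in details["packages"] if p in SUSPICIOUS_PACKAGES]
    if result["suspicious_packages"]:
        result["verdict"] = "STRRAT-like package name"
    elif result["extension_mismatch"] and details["has_manifest"]:
        result["verdict"] = "JAR disguised with a non-archive extension"
    elif result["extension_mismatch"]:
        result["verdict"] = "ZIP disguised with a non-archive extension"
    return result


def build_sample_jar() -> bytes:
    """Constructed stand-in for the dropped file; all contents are placeholders."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("META-INF/MANIFEST.MF",
                    "Manifest-Version: 1.0\r\nMain-Class: carLambo.Main\r\n\r\n")
        # Class-file magic (0xCAFEBABE) followed by padding; not a real class.
        zf.writestr("carLambo/Main.class", b"\xca\xfe\xba\xbe" + b"\x00" * 16)
        zf.writestr("carLambo/resources/config.txt", b"placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    print(triage("lypbtrtr.txt", build_sample_jar()))
    print(triage("notes.txt", b"just a text file"))
```

On a real host, read the dropped file with `open(path, "rb").read()` and pass it to `triage` together with its on-disk name; a verdict other than “clean-looking” means the extension and the container disagree and the file deserves a closer look.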
Figure 7 – JAR file content
Technical Analysis
In our analysis of STRRAT, we discovered that the class names had undergone modifications, unlike the previous variant, where all the class names were gibberish. Furthermore, we observed that STRRAT currently utilizes two string obfuscators, namely “Allatori” and “Zelix KlassMaster (ZKM).” The previous variants were observed using only the “Allatori” obfuscator.
Figure 8 – JAR file with obfuscated classes
As shown in Figure 8, two string-deobfuscation routines are present. The strings are first deobfuscated against “Zelix KlassMaster”.
The figure below shows the code after ZKM deobfuscation.
Figure 9 – ZKM deobfuscated code
After completing the ZKM deobfuscation process, the next step involves deobfuscating the strings against the Allatori obfuscator.
The figure below illustrates the JAR file containing the now-readable strings.
Figure 10 – Code after Allatori obfuscator
Upon analyzing the deobfuscated JAR file, we came across the “ad.class” file, which points to the presence of a new version of the STRRAT malware (version 1.6). This variant has been actively distributed since March 2023 and disseminated through various infection chains. Over 70 samples of this particular version have been identified in the wild.
Figure 11 – Strings in the file indicate the new version of STRRAT
Persistence mechanism:
To maintain persistence, the RAT creates a Task Scheduler entry named “Skype,” as shown below.
Figure 12 – Creates a task scheduler
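A defender can hunt for this kind of persistence by reviewing the XML definitions that Task Scheduler stores under %SystemRoot%\System32\Tasks (or exports via `schtasks /query /xml`). The script below is an added example, not code from the Cyble write-up: it parses the standard task XML namespace and scores a task on heuristics generalised from the report, namely a task name that borrows a well-known application name (“Skype” is the one the report gives), an action that runs an interpreter or Java host, an action that references a user-writable path such as AppData\Roaming, and a `-jar` argument whose target does not carry a .jar extension. The two task documents are constructed for the demo; the exact command STRRAT’s task runs is not stated in the report, so the suspicious sample only illustrates how a dropped JAR could be launched.

```python
"""Hunt for suspicious Task Scheduler persistence in exported task XML.

Added example, not from the Cyble write-up. The report notes that STRRAT 1.6
registers a scheduled task named "Skype" and drops its JAR under
AppData\\Roaming with a .txt extension; the heuristics here generalise that
into checks a defender can run over task XML files. Both task documents at the
bottom are constructed for the demo and do not reproduce a real sample's task.
"""
import re
import xml.etree.ElementTree as ET
from typing import Dict, List

# Namespace used by every Task Scheduler 2.0 task definition.
TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Hosts that execute whatever is handed to them as an argument.
INTERPRETER_HOSTS = re.compile(
    r"(^|[\\/])(javaw?|wscript|cscript|mshta|powershell|cmd)(\.exe)?$", re.I)

# User-writable locations where dropped payloads commonly live (generic list, an assumption).
USER_WRITABLE = re.compile(
    r"\\AppData\\(Roaming|Local)\\|\\Temp\\|\\Users\\Public\\|%APPDATA%|%TEMP%", re.I)

# Application names malware borrows for task names. "Skype" comes from the
# report; the others are added for illustration.
IMPERSONATED_NAMES = {"skype", "googleupdate", "adobe updater", "onedrive"}


def _text(elem, path: str) -> str:
    """Text of the first matching child, or '' when absent."""
    node = elem.find(path, TASK_NS)
    return (node.text or "").strip() if node is not None else ""


def analyse_task_xml(xml_doc) -> Dict[str, object]:
    """Parse one task definition and return its actions plus heuristic findings."""
    root = ET.fromstring(xml_doc)
    uri = _text(root, "t:RegistrationInfo/t:URI")
    name = uri.rsplit("\\", 1)[-1]
    findings: List[str] = []
    actions = []
    for exec_node in root.findall("t:Actions/t:Exec", TASK_NS):
        command = _text(exec_node, "t:Command")
        arguments = _text(exec_node, "t:Arguments")
        actions.append((command, arguments))
        if INTERPRETER_HOSTS.search(command):
            findings.append(f"interpreter host as action: {command}")
        if USER_WRITABLE.search(command) or USER_WRITABLE.search(arguments):
            findings.append("action references a user-writable path")
        # A JAR launched under a non-.jar name hides the archive type from casual review.
        m = re.search(r"-jar\s+\"?([^\"\s]+)", arguments, re.I)
        if m and not m.group(1).lower().endswith(".jar"):
            findings.append(f"java -jar target without .jar extension: {m.group(1)}")
    if name.lower() in IMPERSONATED_NAMES:
        findings.append(f"task name matches a commonly impersonated application: {name}")
    # Two independent indicators are required so a lone name match does not alert on its own.
    return {"uri": uri, "name": name, "actions": actions,
            "findings": findings, "suspicious": len(findings) >= 2}


# Constructed task mimicking the persistence pattern described in the report.
SUSPICIOUS_TASK = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\Skype</URI></RegistrationInfo>
  <Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>
  <Actions Context="Author">
    <Exec>
      <Command>C:\Program Files\Java\bin\javaw.exe</Command>
      <Arguments>-jar "C:\Users\user\AppData\Roaming\lypbtrtr.txt"</Arguments>
    </Exec>
  </Actions>
</Task>"""

# Constructed benign task modelled on a built-in Windows maintenance task.
BENIGN_TASK = r"""<Task version="1.4" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\Microsoft\Windows\Defrag\ScheduledDefrag</URI></RegistrationInfo>
  <Actions Context="Author">
    <Exec><Command>%windir%\system32\defrag.exe</Command><Arguments>-c -h -o</Arguments></Exec>
  </Actions>
</Task>"""


if __name__ == "__main__":
    for doc in (SUSPICIOUS_TASK, BENIGN_TASK):
        report = analyse_task_xml(doc)
        print(report["uri"], "->", "SUSPICIOUS" if report["suspicious"] else "ok")
        for finding in report["findings"]:
            print("   ", finding)
```

Task XML files on disk are usually UTF-16 with a BOM; `ET.parse(path)` handles that directly, so the function can be applied to every file under the Tasks directory with a short loop. Treat the findings as triage hints to be confirmed against the binary the action points to, not as a verdict by themselves.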
Like previous versions of STRRAT, version 1.6 stores its Command and Control (C&C) server information in an encrypted config.txt file. The config.txt file is Base64-encoded and AES-encrypted.