According to G DATA, STRRAT is a Java-based RAT that makes extensive use of plugins to provide full remote access to an attacker, as well as credential stealing, keylogging and additional plugins. The RAT focuses on stealing credentials from browsers and email clients, and passwords via keylogging. It supports the following browsers and email clients: Firefox, Internet Explorer, Chrome, Foxmail, Outlook, Thunderbird.
Older versions of the malware came with a rudimentary ransomware module that appends ".crimson" to affected files. The affected files are not encrypted, but simply renamed. If the extension is removed, the files can be opened as usual.
As of at least version 1.5, STRRAT implements an encryption routine.
2021-05-20 ⋅ GitHub (microsoft)
Microsoft 365 Defender Hunting Queries for hunting multiple threat actors' TTPs and malwares
STRRAT OceanLotus BabyShark Elise Revenge RAT WastedLocker Zebrocy
2021-05-20 ⋅ Twitter (@MsftSecIntel)
Tweet on Java-based STRRAT malware campaign distributed via email
2020-06-16 ⋅ G Data
New Java STRRAT ships with .crimson ransomware module
There is no Yara-Signature yet.