cyble.com
Open in
urlscan Pro
2606:4700:20::ac43:4bbf
Public Scan
Submitted URL: https://d2wc4w04.na1.hubspotlinks.com/Ctc/W+113/d2wc4w04/VVTRD87xWHLtMKDP0YBzwL4W8SvcRS52zgWhN3DlwGW3qn9gW95jsWP6lZ3kSW7l8_JH332p_0W35...
Effective URL: https://cyble.com/blog/strrats-latest-version-incorporates-dual-obfuscation-layers/?utm_campaign=Daily%20Digest&ut...
Submission: On August 24 via manual from IN — Scanned from DE
Effective URL: https://cyble.com/blog/strrats-latest-version-incorporates-dual-obfuscation-layers/?utm_campaign=Daily%20Digest&ut...
Submission: On August 24 via manual from IN — Scanned from DE
Form analysis 2 forms found in the DOM
GET https://cyble.com/
<form role="search" method="get" class="search-form" action="https://cyble.com/" data-cb-wrapper="true">
<label>
<span class="screen-reader-text">Search for:</span>
<input type="search" class="search-field" placeholder="Search …" value="" name="s" tabindex="-1">
</label>
<input type="submit" class="search-submit" value="Search">
</form><form id="jp-carousel-comment-form" data-cb-wrapper="true">
<label for="jp-carousel-comment-form-comment-field" class="screen-reader-text">Write a Comment...</label>
<textarea name="comment" class="jp-carousel-comment-form-field jp-carousel-comment-form-textarea" id="jp-carousel-comment-form-comment-field" placeholder="Write a Comment..."></textarea>
<div id="jp-carousel-comment-form-submit-and-info-wrapper">
<div id="jp-carousel-comment-form-commenting-as">
<fieldset>
<label for="jp-carousel-comment-form-email-field">Email</label>
<input type="text" name="email" class="jp-carousel-comment-form-field jp-carousel-comment-form-text-field" id="jp-carousel-comment-form-email-field">
</fieldset>
<fieldset>
<label for="jp-carousel-comment-form-author-field">Name</label>
<input type="text" name="author" class="jp-carousel-comment-form-field jp-carousel-comment-form-text-field" id="jp-carousel-comment-form-author-field">
</fieldset>
<fieldset>
<label for="jp-carousel-comment-form-url-field">Website</label>
<input type="text" name="url" class="jp-carousel-comment-form-field jp-carousel-comment-form-text-field" id="jp-carousel-comment-form-url-field">
</fieldset>
</div>
<input type="submit" name="submit" class="jp-carousel-comment-form-button" id="jp-carousel-comment-form-button-submit" value="Post Comment">
</div>
</form>Text Content
Skip to content
The Q2-2023 Ransomware Report is Now Available. Download Now
The Q2-2023 Ransomware Report is Now Available. Download Now
Report an Incident | Get Support
* Home
* ProductsMenu Toggle
* Cyble Vision
* AmIBreached
* Cyble Hawk
* Cyble Odin
* The Cyber Express
* SolutionsMenu Toggle
* Function WiseMenu Toggle
* Attack Surface Management
* Brand Intelligence
* Cyber Threat Intelligence
* Dark Web & Deep Web
* Vulnerability Management
* Takedown and Disruption
* Industry WiseMenu Toggle
* Financial Services
* Retail and CPG
* Healthcare & Pharmaceuticals
* Technology Industry
* Educational Platform
* Role WiseMenu Toggle
* Information Security
* Corporate Security
* Marketing
* ResourcesMenu Toggle
* Blog
* Case Studies
* Research Reports
* Whitepapers
* SAMA Compliance
* Press
* Careers
* PartnersMenu Toggle
* Partner Network
* Partner Login
* Become a Partner
* About Us
Talk to Sales
Schedule a Demo
Schedule a Demo
CYBLE IS NOW A SERIES B COMPANY. LEARN MORE
Main Menu
* Home
* ProductsMenu Toggle
* Cyble Vision
* AmIBreached
* Cyble Hawk
* Cyble Odin
* The Cyber Express
* SolutionsMenu Toggle
* Function WiseMenu Toggle
* Attack Surface Management
* Brand Intelligence
* Cyber Threat Intelligence
* Dark Web & Deep Web
* Vulnerability Management
* Takedown and Disruption
* Industry WiseMenu Toggle
* Financial Services
* Retail and CPG
* Healthcare & Pharmaceuticals
* Technology Industry
* Educational Platform
* Role WiseMenu Toggle
* Information Security
* Corporate Security
* Marketing
* ResourcesMenu Toggle
* Blog
* Case Studies
* Research Reports
* Whitepapers
* SAMA Compliance
* Press
* Careers
* PartnersMenu Toggle
* Partner Network
* Partner Login
* Become a Partner
* About Us
STRRAT’S LATEST VERSION INCORPORATES DUAL OBFUSCATION LAYERS
August 3, 2023
KEY TAKEAWAYS
• The blog highlights a new infection technique for distributing STRRAT version
1.6. It involves a spam email with a PDF attachment that, when opened, downloads
a zip file containing the malicious JavaScript, which drops STRRAT.
• STRRAT version 1.6 employs two string obfuscation techniques: “Zelix
KlassMaster (ZKM)” and “Allatori”, making it more challenging for security
researchers to analyze and detect the malware.
• STRRAT version 1.6 has evolved from its previous variants and has been
actively distributed since March 2023. It has been detected in the wild using
various infection chains.
• The malware retains its key functionalities, which include targeting popular
web browsers like Chrome, Firefox, and Internet Explorer, as well as widely used
email clients such as Outlook, Thunderbird, and Foxmail.
Technical Content! Subscribe to Unlock
Sign up and get access to Cyble Research and Intelligence Labs' exclusive
contents
Email
Unlock this Content
OVERVIEW
In 2020, STRRAT, a Java-based Remote Access Trojan (RAT), emerged with a diverse
set of functionalities, enabling activities like keylogging and pilfering
credentials from browsers and email clients. Additionally, it has been detected
incorporating a “Crimson” Ransomware module. Over time, since its initial
discovery, STRRAT has continuously evolved and employed various infection
chains.
Cyble Research And Intelligence Labs (CRIL) recently identified a new infection
technique used to distribute STRRAT. This new method involves the distribution
of STRRAT version 1.6, which utilizes two string obfuscation techniques.
Detailed information about these techniques can be found in the technical
analysis section.
The figure below shows the infection flow:
Figure 1 – STRRAT Infection chain.png
INITIAL INFECTION
The infection initiates through a spam email sent to the target, which pretends
to come from an electronic-based company. The email contains an attached PDF
file, which is presented as an invoice.
Figure 2 – Spam email with a PDF attachment
After opening the PDF attachment, a download image is displayed within the PDF.
When clicked, it downloads a zip file named “Invo-0728403.zip” from the URL
hxxps://tatchumbemerchants[.]co.ke/Invo-0728403[.]zip.
Figure 3 – Malicious PDF attachment
Inside the downloaded Zip file, there is a JavaScript file that contains the
encrypted payload of STRRAT.
Figure 4 – Zip contains Javascript file Figure 5 – JavaScript file
When executed, the Javascript file decrypts the payload within it and drops the
file “lypbtrtr.txt” into the “\AppData\Roaming” directory.
Figure 6 – JavaScript drops a file with .txt extension.
Upon checking the file type, it becomes evident that the one with the “.txt”
extension is, in fact, a disguised zip (JAR) file. After extracting its
contents, a folder named “carLambo” and META-INF is revealed, containing
classes, resources, and a MANIFEST.MF file. The presence of the “carLambo”
package name indicates that the file is the STRRAT malware.
Figure 7 – JAR file content
TECHNICAL ANALYSIS
In our analysis of STRRAT, we discovered that the class names had undergone
modifications, unlike the previous variant, where all the class names were
gibberish. Furthermore, we observed that STRRAT currently utilizes two string
obfuscators, namely “Allatori” and “Zelix KlassMaster (ZKM).” The previous
variants were observed using only the “Allatori” obfuscator.
Figure 8 – JAR file with obfuscated classes
As shown in Figure 8, there are two methods for string deobfuscation. First, the
string deobfuscation will be executed for “Zelix KlassMaster”.
The figure below shows the code after ZKM deobfuscation.
Figure 9 – ZKM deobfuscated code
After completing the ZKM deobfuscation process, the next step involves
deobfuscating the strings against the Allatori obfuscator.
The figure below illustrates the JAR file containing the now-readable strings.
Figure 10 – Code after Allatori obfuscator
Upon analyzing the deobfuscated JAR file, we came across the “ad.class” file,
which points to the presence of a new version of the STRRAT malware (version
1.6). This variant has been actively distributed since March 2023 and
disseminated through various infection chains. Over 70 samples of this
particular version have been identified in the wild.
Figure 11 – Strings in the file indicate the new version of STRRAT
PERSISTENCE MECHANISM:
To maintain persistence, the RAT creates a task scheduler entry using the name
“Skype,” as shown below.
Figure 12 – Creates a task scheduler
Similar to previous versions of STRRAT, version 1.6 also utilizes an encrypted
config.txt file to store the Command and Control (C&C) server information. The
config.txt file is encoded with Base64 and encrypted using AES encryption.
Figure 13 – Fetched C&C data from config.txt file
The decrypted strings from the config.txt file are shown below:
Figure 14 – Decrypted strings from config.txt file
Our analysis showed that STRRAT version 1.6 retains the same functionalities as
its previous versions. It continues to target popular web browsers like Chrome,
Firefox, and Internet Explorer, along with widely used email clients such as
Outlook, Thunderbird, and Foxmail. It steals sensitive information from the
victim’s machine.
Figure 15 – STRRAT targeting browsers and email clients
C&C COMMUNICATION:
Once STRRAT connects to the C&C server, it can execute the below commands:
Command Description reboot Reboots the system shutdown Shutdowns the system
uninstall Deleting Scheduled task disconnect Disconnects socket connection
down-n-exec Downloads and executes the file update Executes the file received
from the server up-n-exec Executes the file with extension .jar, .js, .vbs, .wsf
remote-cmd Executing commands using cmd.exe power-shell Executing commands using
powershell.exe file-manager Executing commands related to file operations
keylogger Sends Keylog file o-keylogger Starts offline keylogging processes
Interacts with running processes h-browser Creates Strigoi Browser using Firefox
or Chrome startup-list Prepares an autorun list to automatically run during
system startup or user logon. remote-screen Allows remote control of the system
rev-proxy Creates reverse proxy hrdp-new Installs Hidden RDP Installer hrdp-res
Restore hidden RDP sessions chrome-pass Retrieve Chrome credentials foxmail-pass
Retrieve Foxmail credentials outlook-pass Retrieve Outlook credentials fox-pass
Retrieve Firefox credentials tb-pass Retrieve Thunderbird credentials ie-pass
Retrieve Internet Explorer credentials all-pass Retrieve credentials for all
targeted browser and email clients chk-priv Check user privileges req-priv
Attempts to get administrator privileges rw-encrypt Encrypt files and stores
with the “.crimson” extension rw-decrypt Decrypts file show-msg Show ransom
message screen-on Used to keep the screen on
CONCLUSION
The analysis of the STRRAT malware, particularly version 1.6, reveals the
continuous evolution and sophistication of this Java-based Remote Access Trojan.
Since its emergence in 2020, STRRAT has undergone significant modifications,
making it a persistent threat to cybersecurity.
The distribution of STRRAT through spam emails, disguising the payload inside a
JavaScript file downloaded via a PDF attachment, showcases the Threat Actor’s
(TA’s) efforts to conceal its presence and evade detection. The integration of
two string obfuscation techniques, “Zelix KlassMaster” and “Allatori,” further
complicates the analysis process and demonstrates the threat actor’s dedication
to improving the malware’s evasion capabilities.
The presence of over 70 samples of STRRAT version 1.6 in the wild indicates an
active and ongoing campaign by the TA, underlining the urgency for organizations
to remain vigilant against this threat.
OUR RECOMMENDATIONS
We have listed some essential cybersecurity best practices that create the first
line of control against attackers. We recommend that our readers follow the best
practices given below:
• Implement strong email filtering solutions to detect and block spam emails,
phishing attempts, and malicious attachments.
• Refrain from opening untrusted links and email attachments without verifying
their authenticity.
• Deploy robust endpoint security solutions that include antivirus,
anti-malware, and anti-ransomware software. Keep these security tools up-to-date
to ensure protection against the latest threats.
• Utilize URL filtering mechanisms to block access to known malicious websites
and domains. This can prevent users from inadvertently downloading malware from
malicious URLs.
• Conduct regular cybersecurity training sessions for employees, educating them
about the latest threats, phishing techniques, and the importance of being
cautious with email attachments and links. Make them aware of the risks of
downloading and executing files from unknown sources.
• Monitor the beacon on the network level to block data exfiltration by malware
or TAs.
MITRE ATT&CK® TECHNIQUES
Tactic Technique ID Technique Name Initial Access T1566.001 Phishing:
Spearphishing Attachment Execution T1204.002 User Execution: Malicious File
Execution T1059.001 Command and Scripting Interpreter: PowerShell Execution
T1059.003 Command and Scripting Interpreter: Windows Command Shell Execution
T1053.005 Scheduled Task/Job: Scheduled Task Persistence T1547.001 Boot or Logon
Autostart Execution: Registry Run Keys / Startup Folder Defense Evasion T1140
Deobfuscate/Decode Files or Information Defense Evasion T1027.009 Obfuscated
Files or Information: Embedded Payloads Credential Access T1555.003 Credentials
from Password Stores: Credentials from Web Browsers Collection T1056.001 Input
Capture: Keylogging Discovery T1418 Software Discovery Exfiltration T1041
Exfiltration Over C2 Channel Impact T1486 Data Encrypted for Impact
INDICATORS OF COMPROMISE (IOCS)
Indicators Indicator Type Description
3d3cb10a1a9059900ddeb58209edcfa52461806558ebbee422c417c6535aa3a5
4651326299d02ac07c0b51c0abb7067f24293a65
9af7e66c85e07a1e182fcb024e7048a2
SHA256
SHA1
MD5
Spam email 8250d324bbc14e3b3a7abc032b6b55aa0699ff9bc784d6c67fdd381edc3b9e56
8fa3c76f427f73cbfa864c380769825018cf72f5
c7130bf8bca520792f6eff1592a112b2
SHA256
SHA1
MD5
PDF attachment c9380f51f0dd7167f833669eda3063a1a8f34cc3e2d536f29153952772dc8b20
f726bf1b6bc380c02d76d273765c888f6b41f197
61522d1e3290906215d580b8b59e6341
SHA256
SHA1
MD5
JavaScript Dropper
9714dce49616e48fc4851d05453056939ab08bf140fe9a786616fa914debb4f4
433b6ac1169a9bd7e0cfe7029954070cc2b4ebdf
9bc8ac6d3a38357488de33952e929143
SHA256
SHA1
MD5
STRRAT1.6 talibangeneral[.]dynamic-dns[.]net Domain
C&C server hxxp://jbfrost[.]live/strigoi/server/?hwid=1&lid=m&ht=5 URL
C&C server c9380f51f0dd7167f833669eda3063a1a8f34cc3e2d536f29153952772dc8b20
6ec3e682fbbd0c23fb4e3a2c2b28f03431b90a88651d227ae3f33b6fadf507cf
058c764614c8b0b457852a71ab93b559f81abb9e13b7fc2d6c6a4962881bf062
5536bd8910de7571b6e14b2dd8af6da658f0f702321966d5bef85e9d41f6de21
5536bd8910de7571b6e14b2dd8af6da658f0f702321966d5bef85e9d41f6de21
cbe7d5663fd5359a72f88e44d083703d9625235929c31e0f5b16a0b42cb44d35
8cae71910574fa96fdf20ddab8897e90d155e50036ddb2f3d033a7b13a45b90f
c9380f51f0dd7167f833669eda3063a1a8f34cc3e2d536f29153952772dc8b20
b74a0e8adc5f0681405c94a684d6b887fdc20cd6d198d069f0981d6ba7d658c6
31c2e51efcbff0aa489aa6af1a48cf78f6a9febfb449a19d029f8cc8ebb4495f
SHA256 JavaScript Dropper
ab6f8c51d1f15a18cd23e1ad5a34c82c83746befb7d11cce2860c971be35adaa
d634982709d3ebf1641b1160ed6452fa9e3bf2cc8d28f397e56ca9687b28ec84
a0670c21968e2b1256d72799c22a512e503597ab375d20c49d9ec43428c4c3b2
3a74d083e1c4e30f1eedcb90c842bf1a7e65a979edab40e37885607bd566bee8
569f5f6de156bec90f9b0b0e4e707a702c0fea26ab6a0711e32f4a413995ae7c
176e45016749ec233b8fe1ce32ce2cd47dd5bc8da3663f1c6cf054f6ad58a187
3094952f4e4c826cdfbc7b146212eec6094f5104b4ba0d70d3b2920a263add27
4bf781354d02ca0d67a3a180fd6f0d183c6fba763caa660f986752be8b4bb586
6f7180a451691ee975f516cfc6fb3f0c983bc80aebd1d662a899ff4344e4077e
b364c066e0aa794dd34c7a67ef08e83782c01be225edb5533f3a51f855d5e34
SHA256 STRRAT 1.6
ET RULES
2030358 — ET MALWARE STRRAT CnC Checkin
2030359 — ET MALWARE STRRAT Initial HTTP Activity
2030360 — ET MALWARE STRRAT Requesting License Check
2044912 — ET DELETED Hash – STRRAT (ja3)
YARA RULES
rule strrat_javascript_dropper
{
meta:
author = “Cyble”
description = “Detects STRRAT Javascript Files”
date = “2023-08-04”
os = “Windows”
threat_name = “strrat”
severity = 100
reference_sample =
“c9380f51f0dd7167f833669eda3063a1a8f34cc3e2d536f29153952772dc8b20”
strings:
$a = “tcejbOetaerC”
$b = “noitisoP”
$c = “teSrahC”
$d = “txeTdaeR”
$e = “sH1n3k0”
condition:
($a or $b or $c or $d) and $e
}
rule strrat
{
meta:
author = “Cyble”
description = “Detects STRRAT jar Files”
date = “2023-08-04”
os = “Windows”
threat_name = “strrat”
severity = 100
reference_sample =
“9714dce49616e48fc4851d05453056939ab08bf140fe9a786616fa914debb4f4”
strings:
$a = “carLambo/WinGDI.class”
$b = “carLambo/FirstRun.class”
$c = “carLambo/resources/config.txt”
condition:
uint16(0) == 0x4b50 and all of them
}
DETECTION GUIDANCE
Create a rule that blocks the execution of the “javaw.exe” process if it
originates from “Wscript.exe.” Additionally, the rule should target cases where
the command line parameter of “javaw.exe” is directed to the “%appdata%” path
and the file extension being executed is “.txt”.
Disclaimer: The provided detection guidance rules are purely illustrative and
should not be directly implemented in a production environment without proper
testing, validation, and consideration of potential impacts on system
performance and security. Always exercise caution when implementing security
rules or policies, and ensure you fully understand the consequences of any
changes made to your system or network.
RELATED
NEW BATLOADER DISSEMINATES RATS AND STEALERS
Cyble analyzes BATLoader - A sophisticated loader being utilized by Threat
Actors to deliver several malware families.
February 2, 2023
In "Malware"
ABEREBOT ON THE RISE: NEW BANKING TROJAN TARGETING USERS THROUGH PHISHING
Cyble Research Labs has discovered a new Android banking Trojan called Aberebot
that targets banking customers of 140+ banks in 18 countries through phishing.
July 30, 2021
In "Banking Trojan"
AMEXTROLL ANDROID BANKING TROJAN SPOTTED IN THE WILD
Cyble analyzes AMEXTROLL, a resurfaced variant of BRATA malware that targets
Android users.
July 21, 2022
In "Banking Trojan"
Post navigation
← Previous Post
Next Post →
RELATED POSTS
DEEP DIVE ANALYSIS – BORAT RAT
32 Comments / Ransomware, Remote Access Trojan, Spyware, Trojan / By cybleinc
Cyble Research Labs analyzes Borat , a sophisticated RAT variant that boasts a
combination of Remote Access Trojan, Spyware, Ransomware and DDoS capabilities.
Read More »
UNDER THE LENS: EAGLE MONITOR RAT
Malware, Phishing, Remote Access Trojan, Spyware, Trojan / By cybleinc
Cyble looks at the recently resurfaced Eagle Monitor RAT and the new TTPs
encountered in this iteration of the popular RAT.
Read More »
Search for:
RECENT POSTS
* Unveiling the Stealthy Exploitation of Microsoft CMSTP Using Malicious LNK
Files
* LummaC Stealer Leveraging Amadey Bot to Deploy SectopRAT
* AgentTesla Malware Targets Users with Malicious Control Panel File
* Utilization of Leaked Ransomware Builders in Tech-Related Scams
* STRRAT’s Latest Version Incorporates Dual Obfuscation Layers
CATEGORIES
* 2020
* 2021
* 2022
* 2023
* Adware
* All
* Android
* Annoucement
* APK Ransomware
* APT
* Banking Trojan
* Banking Trojan
* Clipper
* Cryptocurrency
* Cryptominer
* Cyberattack
* Cybercrime
* Cyberwarfare
* Darkweb
* Data Breach
* Data Leak
* DDOS
* Elasticsearch
* Exploit
* Exploit
* Fake App
* Fraud
* General
* Hacktivism
* ICS/SCADA
* Industrial Control Systems
* Infostealer
* Malware
* OSINT
* Phishing
* Press
* Ransomware
* Red Teaming
* Remote Access Trojan
* Scam
* Spyware
* Stealer
* Tech Scam
* Telecommunications
* Trojan
* Vulnerability
QUICK LINKS
Main Menu
* Home
* About Us
* Blog
* Press
* Cyble Partner Network (CPN)
* Responsible Disclosure
PRODUCTS
Main Menu
* Cyble Vision
* Cyble Hawk
* AmIBreached
* Cyble Odin
* The Cyber Express
SOLUTIONS
Main Menu
* Dark Web & Deep Web
* Attack Surface Management
* Brand Intelligence
* Cyber Threat Intelligence
* Vulnerability Management
* Takedown and Disruption
PRIVACY POLICY
Main Menu
* Cyble Vision
* AmIBreached
© 2023. Cyble Inc.(Leading Cyber Threat Intelligence Company). All Rights
Reserved
Twitter Linkedin Youtube
Scroll to Top
Loading Comments...
Write a Comment...
Email Name Website
We use cookies to ensure that we give you the best experience on our website. If
you continue to use this site we will assume that you are happy with it.Ok
×
We Value Your Privacy
Settings
NextRoll, Inc. ("NextRoll") and our advertising partners use cookies and similar
technologies on this site and use personal data (e.g., your IP address). If you
consent, the cookies, device identifiers, or other information can be stored or
accessed on your device for the purposes described below. You can click "Allow
All" or "Decline All" or click Settings above to customize your consent.
NextRoll and our advertising partners process personal data to: ● Store and/or
access information on a device; ● Create a personalized content profile; ●
Select personalised content; ● Personalized ads, ad measurement and audience
insights; ● Product development. For some of the purposes above, our advertising
partners: ● Use precise geolocation data. Some of our partners rely on their
legitimate business interests to process personal data. View our advertising
partners if you wish to provide or deny consent for specific partners, review
the purposes each partner believes they have a legitimate interest for, and
object to such processing.
If you select Decline All, you will still be able to view content on this site
and you will still receive advertising, but the advertising will not be tailored
for you. You may change your setting whenever you see the Manage consent
preferences on this site.
Decline All
Allow All
Manage consent preferences