The hackers behind STRRAT have adopted a new infection technique to distribute its latest version, 1.6, as highlighted by Cyble Research And Intelligence Labs (CRIL) in their latest blog.
The technique presents a significant challenge for cybersecurity researchers and professionals, commencing with a spam email that includes a malevolent PDF file as an attachment.
Over the last few years, the threat actor behind the STRRAT has poured resources and research into the STRRAT to make it render new tactics and features to hide its presence and stay undetected in the victim systems’.
Version 1.6 of the software extends beyond its predecessors by incorporating two string obfuscation techniques. “This new method involves the distribution of STRRAT version 1.6, which utilizes two string obfuscation techniques”, reads the report by Cyble.
What is the STRRAT, and how does it leverage the new infection technique?
Cyble Research And Intelligence Labs (CRIL) conducted research revealing insights into the distribution of STRRAT version 1.6, which utilizes a novel infection technique.
The method employs a spam email campaign that deceives recipients by posing as a legitimate company. Within the email, an attached PDF file cleverly disguises itself as an invoice.
Upon opening the PDF attachment, a download image within the file triggers the download of a zip file named “Invo-0728403.zip” from a suspicious URL. Inside the downloaded zip, a JavaScript file containing the encrypted payload of STRRAT is found.
Once executed, the JavaScript decrypts the payload and drops the disguised zip (JAR) file named “lypbtrtr.txt” into the “AppDataRoaming” directory.
STRRAT and string obfuscation techniques
One of the notable advancements in STRRAT version 1.6 is the use of dual string obfuscation techniques, namely “Zelix KlassMaster (ZKM)” and “Allatori.”
String obfuscation is a popular technique proprietary software and applications use to protect intellectual property.
This technique is also used by threat actors and hackers who hide malware and other exploits in the target applications.
In both cases, this technique requires a bit manipulation over XOR operations to AES encryption. By leveraging this technique, the hackers behind STRRAT make the process to analyze and detect the malware difficult for security researchers, and even harder for users to detect it in their systems.
The techniques of STRRAT
Moreover, to persist in the victim system, STRRAT creates a task scheduler entry using “Skype”. This persistence mechanism ensures the malware remains active even after the system reboots.
The updated version of STRRAT uses the features and commands from its previous versions, including the ability to target internet browsers like Chrome, Firefox, and Internet Explorer.
With these new features and its classic functionalities, STRRAT can also target multiple email clients, including widely used ones such as Outlook, Thunderbird, and Foxmail.
The malware’s primary goals involve stealing sensitive information through activities like keylogging and credential pilfering from web browsers and email clients.
Over 70 samples of STRRAT version 1.6 in the wild indicate an active and ongoing campaign by threat actors. The continuous evolution of STRRAT, particularly with the introduction of version 1.6, is another instance that showcases the determination of threat actors to refine their tactics and evade detection.
Integrating dual obfuscation methods makes it even more challenging for cybersecurity experts to dissect the malware’s code and understand its full capabilities.
Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.