Two sentences summarizing the content: Cyble analyzes STRRAT version 1.6, which is distributed via a spam email containing a PDF that leads to a ZIP-delivered JavaScript dropper installing STRRAT. The variant adds dual string obfuscation (Zelix KlassMaster and Allatori) to complicate analysis and continues targeting popular browsers and email clients. #STRRAT #ZelixKlassMaster #Allatori #CRIL #Chrome #Outlook
Keypoints
- The new infection technique distributes STRRAT v1.6 via a spam email with a PDF invoice attachment that, when opened, downloads a ZIP containing a malicious JavaScript dropper.
- STRRAT v1.6 uses two string obfuscation tools—Zelix KlassMaster (ZKM) and Allatori—making analysis and detection harder.
- The variant has been actively distributed since March 2023, with multiple infection chains and over 70 samples found in the wild.
- STRRAT continues to target browsers (Chrome, Firefox, IE) and email clients (Outlook, Thunderbird, Foxmail) to steal data.
- Persistence is achieved via a task scheduler entry (name “Skype”), and an encrypted config.txt stores C2 data (Base64 + AES).
- The malware supports extensive C2 commands (e.g., keylogging, credential access, file operations, and data encryption with a .crimson extension) and can exfiltrate via the C2 channel and decrypt/encrypt files for impact.
MITRE Techniques
- [T1566.001] Phishing: Spearphishing Attachment – “infection initiates through a spam email… attached PDF file, which is presented as an invoice.”
- [T1204.002] User Execution: Malicious File – “After opening the PDF attachment, a download image is displayed within the PDF. When clicked, it downloads a zip file named “Invo-0728403.zip””
- [T1059.007] Command and Scripting Interpreter: JavaScript – the “JavaScript file” in the ZIP carries the encrypted payload and decrypts it into STRRAT.
- [T1059.001] Command and Scripting Interpreter: PowerShell – the “power-shell” C2 command (executing commands using powershell.exe).
- [T1059.003] Command and Scripting Interpreter: Windows Command Shell – “Executing commands using the Windows Command Shell.”
- [T1053.005] Scheduled Task/Job: Scheduled Task – a “task scheduler entry” (named “Skype”) is used for persistence.
- [T1140] Deobfuscate/Decode Files or Information – “two string obfuscation techniques” and subsequent deobfuscation steps.
- [T1027.009] Obfuscated Files or Information: Embedded Payloads – the STRRAT payload is embedded in the JavaScript dropper in encrypted form.
- [T1555.003] Credentials from Password Stores: Credentials from Web Browsers – “Retrieve Chrome credentials” / “Retrieve Outlook credentials” etc.
- [T1056.001] Input Capture: Keylogging – “Keylogger” functionality and related commands.
- [T1518] Software Discovery – discovery steps to identify the installed software environment.
- [T1041] Exfiltration Over C2 Channel – data exfiltration via the C2 channel.
- [T1486] Data Encrypted for Impact – files encrypted with a .crimson extension as part of the attack.
Indicators of Compromise
- [SHA256/SHA1/MD5] Spam email – 3d3cb10a1a9059900ddeb58209edcfa52461806558ebbee422c417c6535aa3a5, 4651326299d02ac07c0b51c0abb7067f24293a65, 9af7e66c85e07a1e182fcb024e7048a2
- [SHA256/SHA1/MD5] PDF attachment – c9380f51f0dd7167f833669eda3063a1a8f34cc3e2d536f29153952772dc8b20, f726bf1b6bc380c02d76d273765c888f6b41f197, 61522d1e3290906215d580b8b59e6341
- [SHA256/SHA1/MD5] JavaScript Dropper – 9714dce49616e48fc4851d05453056939ab08bf140fe9a786616fa914debb4f4, 433b6ac1169a9bd7e0cfe7029954070cc2b4ebdf, 9bc8ac6d3a38357488de33952e929143
- [Domain] C2 server – talibangeneral.dynamic-dns.net
- [URL] C2 server – hxxp://jbfrost.live/strigoi/server/?hwid=1&lid=m&ht=5
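The indicators above, together with the “Skype” persistence task from the key points, turned into a small hunt script. This is an added example written for this page, not Cyble’s code: the hash, domain and URL values are copied from the IOC list, but the `key=value` log format, host names, file paths, timestamps and the hwid value in the sample are constructed. Two choices worth noting: the C2 URL is matched on host and path only, on the assumption that the query parameters (hwid, lid, ht) vary per victim or per beacon; and the task-name rule is low-confidence on its own, since a legitimate Skype install may also register a task with that name, so it is reported as a separate rule rather than folded into the IOC matches.

```python
"""Hunt exported endpoint/network logs for the STRRAT v1.6 indicators above.

Added example (not Cyble's code). IOC values come from the report; the log
format, host names, paths, timestamps and hwid value are constructed.
"""
import re
from dataclasses import dataclass
from urllib.parse import urlsplit

FILE_HASHES = {h.lower() for h in (
    # spam email (SHA256 / SHA1 / MD5)
    "3d3cb10a1a9059900ddeb58209edcfa52461806558ebbee422c417c6535aa3a5",
    "4651326299d02ac07c0b51c0abb7067f24293a65",
    "9af7e66c85e07a1e182fcb024e7048a2",
    # PDF attachment
    "c9380f51f0dd7167f833669eda3063a1a8f34cc3e2d536f29153952772dc8b20",
    "f726bf1b6bc380c02d76d273765c888f6b41f197",
    "61522d1e3290906215d580b8b59e6341",
    # JavaScript dropper
    "9714dce49616e48fc4851d05453056939ab08bf140fe9a786616fa914debb4f4",
    "433b6ac1169a9bd7e0cfe7029954070cc2b4ebdf",
    "9bc8ac6d3a38357488de33952e929143",
)}
C2_DOMAIN = "talibangeneral.dynamic-dns.net"
C2_URL_DEFANGED = "hxxp://jbfrost.live/strigoi/server/?hwid=1&lid=m&ht=5"
TASK_NAME = "Skype"   # scheduled-task name the report gives for persistence


def refang(ioc: str) -> str:
    """Undo common defanging so the indicator compares equal to real log data."""
    return ioc.replace("hxxp", "http").replace("[.]", ".").replace("[:]", ":")


# Match the C2 URL on host + path only: the query string (hwid, lid, ht) is
# assumed to be per-victim, so an exact-URL match would miss other infections.
_c2 = urlsplit(refang(C2_URL_DEFANGED))
C2_HOST, C2_PATH = _c2.hostname, _c2.path   # jbfrost.live, /strigoi/server/


@dataclass(frozen=True)
class Finding:
    timestamp: str
    host: str
    rule: str
    detail: str


_KV = re.compile(r"(\w+)=(\S+)")


def parse_event(line: str) -> dict:
    """Parse one 'key=value ...' log line (constructed format for this example)."""
    return dict(_KV.findall(line))


def classify(ev: dict):
    """Return (rule, detail) when the event matches an indicator, else None."""
    kind = ev.get("evt")
    if kind == "file":
        for algo in ("sha256", "sha1", "md5"):
            digest = ev.get(algo, "").lower()
            if digest in FILE_HASHES:
                return "ioc_hash", f"{algo}={digest} path={ev.get('path')}"
    elif kind == "dns":
        q = ev.get("query", "").lower().rstrip(".")
        if q == C2_DOMAIN or q == C2_HOST or q.endswith("." + C2_HOST):
            return "ioc_c2_domain", q
    elif kind == "http":
        u = urlsplit(ev.get("url", ""))
        if u.hostname == C2_HOST and u.path.startswith(C2_PATH):
            return "ioc_c2_url", ev["url"]
    elif kind == "task_created":   # Security event 4698 "A scheduled task was created"
        name = ev.get("task_name", "").lstrip("\\")
        if name.lower() == TASK_NAME.lower():
            return "persistence_task_skype", ev["task_name"]
    return None


def hunt(lines):
    """Run classify() over every line and collect the hits in log order."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        hit = classify(ev)
        if hit:
            findings.append(Finding(ev.get("ts", "?"), ev.get("host", "?"), *hit))
    return findings


# Constructed sample log: one infected host (WS01) plus benign noise from WS02.
SAMPLE_LOG = """\
ts=2023-07-28T10:02:11Z evt=file host=WS01 sha256=9714DCE49616E48FC4851D05453056939AB08BF140FE9A786616FA914DEBB4F4 path=C:\\Users\\alice\\Downloads\\invoice.js
ts=2023-07-28T10:03:40Z evt=dns host=WS01 query=talibangeneral.dynamic-dns.net
ts=2023-07-28T10:03:41Z evt=http host=WS01 url=http://jbfrost.live/strigoi/server/?hwid=77&lid=m&ht=5
ts=2023-07-28T10:03:45Z evt=task_created host=WS01 event_id=4698 task_name=\\Skype
ts=2023-07-28T10:05:00Z evt=dns host=WS02 query=www.skype.com
ts=2023-07-28T10:05:02Z evt=file host=WS02 sha1=da39a3ee5e6b4b0d3255bfef95601890afd80709 path=C:\\empty.txt
""".splitlines()

if __name__ == "__main__":
    for f in hunt(SAMPLE_LOG):
        print(f"{f.timestamp} {f.host} {f.rule}: {f.detail}")
```

Run against the sample, the script reports four findings, all on WS01, in the order the chain unfolds (dropper hash, C2 DNS query, C2 beacon, persistence task); the hash comparison is case-insensitive because EDR exports differ in digest casing. Note that no hash is available for “Invo-0728403.zip” itself, so a ZIP on disk can only be tied to this campaign via the dropper it contains.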
Read more: https://cyble.com/blog/strrats-latest-version-incorporates-dual-obfuscation-layers/