Threat actors in Italy continue to see StrRat, a Java-based RAT focused on information theft and remote access. CERT-AGID released a CyberChef-powered decoding recipe to speed analysis of StrRat samples from the last three years. #StrRat #CyberChef #CERT-AGID #Italy
Keypoints
- StrRat is a Remote Access Trojan (RAT) targeting information theft.
- It uses a plugin architecture for enhanced remote access capabilities.
- Keylogging and credential theft functionalities are included.
- A decoding recipe using CyberChef has been created to facilitate the analysis of StrRat samples.
- The recipe is effective for all StrRat samples detected in the last three years.
MITRE Techniques
- [T1003] Credential Dumping – StrRat includes functionalities aimed at credential theft.
- [T1219] Remote Access Tools – StrRat provides complete remote access to attackers.
- [T1022] Data Encrypted – StrRat encrypts sensitive information within the config.txt file.
Indicators of Compromise
- [URL] IoC file – CERT-AGID's downloadable IoC list for this StrRat activity: https://cert-agid.gov.it/wp-content/uploads/2024/08/StrRat_07-08-2024.json
- [File] config.txt – Key configuration file used by StrRat to store the C2 address, port, and plugin URL; its content is stored encrypted