New STRRAT RAT Phishing Campaign | FortiGuard Labs

MITRE Techniques

• [T1566.001] Phishing – The campaign uses shipping-themed emails to entice recipients to open malicious attachments. “Shipping is an indispensable part of modern life… threat actors often use shipping as a lure for phishing emails…”
• [T1204.002] User Execution – The final payload is attached directly to the phishing email, prompting user action to execute.
• [T1027] Obfuscated/Compressed Files and Information – The STRRAT jar contains scrambled/encoded strings and Allatori obfuscation.
• [T1105] Ingress Tool Transfer – STRRAT “pull down several Java dependencies upon startup.”
• [T1082] System Information Discovery – STRRAT “queries the host to determine its architecture and anti-virus capability” and also discovers processes, storage, and network capability.
• [T1056.001] Input Capture – STRRAT can log keystrokes and maintain an HTML-based log.
• [T1112] Modify Registry – STRRAT persists by copying itself and adding Windows registry startup entries.
• [T1219] Remote Access Software – STRRAT can drop HRDP to facilitate remote control of the infected system.
• [T1555.003] Credentials from Web Browsers – STRRAT siphons passwords from Chrome, Firefox, and Edge, plus email clients.
• [T1071.001] Web Protocols – C2 traffic uses a domain/IP (198.27.77.242) and associated URLs/ports for command and control.
• [T1021.001] Remote Services – The use of HRDP indicates remote access software usage for control.
• [T1552] Unsecured Credentials (credential dumping from browsers and clients) – implicit in browser/email credential theft
• [T1486] Data Encrypted for Impact (Pseudo-ransomware) – A pseudo-ransomware module attempts to manipulate files with a “.crimson” extension as a scare tactic.
• [T1071.001] Web Protocols – The C2 URL (jbfrost[.]live) is observed as part of the infrastructure, even if currently unresolved.