Threats That Hide in Your Microsoft Office Documents

STR RAT is a Java-based remote access Trojan first seen in 2020 that gives attackers full control of an infected host once it is installed. It can log keystrokes, steal credentials from major browsers and email clients, and deliver additional payloads, and it receives a new version roughly once a year.

Keypoints

  • STR RAT is a Java-based remote access trojan that gives threat actors full control when installed.
  • It can steal passwords saved in Chrome, Firefox, Internet Explorer, and targets Outlook, Thunderbird, and Foxmail for credentials.
  • The malware supports keylogging, backdoor access, and delivery of additional malicious payloads.
  • Version updates occur yearly; about 60% of analyzed STR RAT samples from Jan 2023 to Apr 2024 were delivered directly via email.
  • Delivery relies on attachments (largest share), loaders, embedded URLs in PDFs, and droppers, often hosted on legitimate services like GitHub and AWS.
  • Since 2023, STR RAT has used obfuscation tools (Zelix KlassMaster, Allatori) and AES-encrypted configs with a passphrase like “strigoi.”

MITRE Techniques

  • [T1566.001] Phishing: Spearphishing Attachment – Most STR RAT deliveries attach the malware directly to a phishing email; ‘The lion’s share is just attaching STR RAT to the phishing email.’
  • [T1555.003] Credentials from Web Browsers – It can steal passwords saved in Chrome, Firefox, and Internet Explorer; ‘It can steal passwords saved in Chrome, Firefox, and Internet Explorer.’
  • [T1056.001] Keylogging – STR RAT includes a keylogger component; ‘Key commands include o-keylogger, which creates a text file containing all subsequent text typed out.’
  • [T1021] Remote Services – Attacker can remotely control the machine via remote-screen; ‘remote-screen for the attacker to commandeer the computer.’
  • [T1071.001] Web Protocols – C2 communications occur over HTTP rather than standard ports; ‘HTTP is used for C2 communications, though the port is not the standard tcp/80.’
  • [T1583] Acquire Infrastructure – Threat actors host/deliver STR RAT via GitHub and AWS; ‘threat actors also use GitHub and AWS to host and deliver STR RAT.’
  • [T1027] Obfuscated Files and Information – STR RAT is run through commercial Java obfuscators to hinder analysis; ‘obfuscated the source code and made it harder for cybersecurity professionals to analyze the malware.’
  • [T1547.001] Registry Run Keys / Startup Folder – Persistence via registry Run Keys or Startup Folder; ‘Whether by Registry Run Keys / Startup Folder … the malware will run every time the user logs in.’
  • [T1053] Scheduled Task/Job – Persistence via Scheduled Tasks/Jobs; ‘or a Scheduled Task/Job, the malware will run every time the user logs in as well as at set time intervals.’
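The Web Protocols and infrastructure entries above (C2 over HTTP on a non-standard port, dynamic DNS hosts, the jbfrost[.]live domain and the ip-api.com lookup) translate directly into a proxy-log hunt. The script below is an added example written for this page, not code from the Cofense write-up; it assumes a simple whitespace-separated proxy log format (timestamp, client, method, URL, status), uses a constructed log sample, and assumes that Duck DNS hostnames end in `.duckdns.org`. The Maven download line is deliberately included so that a legitimate dependency fetch is shown not to fire on its own.

```python
import re
from dataclasses import dataclass

# Constructed proxy-log sample (not from the article). jbfrost.live and
# ip-api.com/json/ are indicators the write-up lists; every other host is
# made up for the demo.
SAMPLE_LOG = """\
2024-03-01T10:00:01Z 10.0.0.5 GET http://intranet.example.local/patch.msi 200
2024-03-01T10:00:07Z 10.0.0.5 GET https://repo1.maven.org/maven2/net/java/dev/jna/jna/5.5.0/jna-5.5.0.jar 200
2024-03-01T10:00:09Z 10.0.0.5 GET http://ip-api.com/json/ 200
2024-03-01T10:00:12Z 10.0.0.5 POST http://jbfrost.live:7888/ 200
2024-03-01T10:00:15Z 10.0.0.7 POST http://host1.duckdns.org:1780/ 200
2024-03-01T10:00:20Z 10.0.0.9 GET https://www.wikipedia.org/ 200
"""

# Assumed log layout: ts client method url status (one request per line).
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+(?P<status>\d{3})$"
)
URL_RE = re.compile(
    r"^(?P<scheme>https?)://(?P<host>[^/:\s]+)(?::(?P<port>\d+))?(?P<path>/\S*)?$"
)

KNOWN_C2_DOMAINS = {"jbfrost.live"}        # domain named in the write-up
DYNDNS_SUFFIXES = (".duckdns.org",)        # Duck DNS is named; suffix is an assumption
IOC_URLS = {"http://ip-api.com/json/"}     # geolocation endpoint listed as an IoC


@dataclass(frozen=True)
class Finding:
    ts: str
    client: str
    host: str
    port: int
    reason: str


def parse_url(url):
    """Split a URL into (scheme, host, port, path); port defaults to 80/443."""
    m = URL_RE.match(url)
    if not m:
        return None
    scheme = m["scheme"]
    port = int(m["port"]) if m["port"] else (443 if scheme == "https" else 80)
    return scheme, m["host"].lower(), port, m["path"] or "/"


def classify(scheme, host, port, path):
    """Return the list of reasons a request is worth an analyst's attention."""
    reasons = []
    if host in KNOWN_C2_DOMAINS:
        reasons.append("known STR RAT C2 domain")
    if host.endswith(DYNDNS_SUFFIXES):
        reasons.append("free dynamic DNS host (review)")
    if scheme == "http" and port != 80:
        # The write-up notes HTTP C2 on a port other than tcp/80.
        reasons.append(f"plain HTTP on non-standard port {port}")
    if f"{scheme}://{host}{path}" in IOC_URLS:
        reasons.append("public IP geolocation lookup listed as STR RAT IoC")
    return reasons


def scan_log(text):
    """Run every parsable log line through classify(); one Finding per reason."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        parsed = parse_url(m["url"])
        if parsed is None:
            continue
        scheme, host, port, path = parsed
        for reason in classify(scheme, host, port, path):
            findings.append(Finding(m["ts"], m["client"], host, port, reason))
    return findings


def by_client(findings):
    """Group flagged destination hosts per source client for triage."""
    out = {}
    for f in findings:
        out.setdefault(f.client, set()).add(f.host)
    return out


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f.ts} {f.client} -> {f.host}:{f.port}  [{f.reason}]")
```

The Maven and GitHub downloads that appear in the IoC list are legitimate dependency fetches and are not alerted on here by themselves; they become meaningful when the same client also shows one of the other signals, which is what the per-client grouping is for.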

Indicators of Compromise

  • [Domain] jbfrost[.]live – C2 domain associated with STR RAT; ‘the C2 server, port, and a domain associated with STR RAT, jbfrost[.]live, can be seen.’
  • [Domain] Duck DNS (*.duckdns[.]org) – Free dynamic DNS service whose subdomains are used to host C2 endpoints; ‘subdomains of free dynamic DNS services, like Duck DNS.’
  • [URL] hxxps://repo1[.]maven[.]org/maven2/net/java/dev/jna/jna/5[.]5[.]0/jna-5[.]5[.]0[.]jar – Maven Central URL from which STR RAT fetches the JNA jar it depends on (a legitimate repository, so this is hunting context rather than a block-list entry).
  • [URL] hxxps://repo1[.]maven[.]org/maven2/net/java/dev/jna/jna-platform/5[.]5[.]0/jna-platform-5[.]5[.]0[.]jar – Maven Central URL for the JNA platform jar.
  • [URL] hxxps://repo1[.]maven[.]org/maven2/org/xerial/sqlite-jdbc/3[.]14[.]2[.]1/sqlite-jdbc-3[.]14[.]2[.]1[.]jar – Maven Central URL for the sqlite-jdbc jar referenced by STR RAT components.
  • [URL] hxxps://github[.]com/kristian/system-hook/releases/download/3[.]5/system-hook-3[.]5[.]jar – GitHub-hosted system-hook jar used by STR RAT (again a legitimate host; the combination with a Java process is what matters).
  • [URL] hxxp://ip-api[.]com/json/ – Public IP geolocation API endpoint observed in STR RAT’s communication workflow.
  • [File] 7888lock.file – Persistent lock file in the user profile indicating C2 port; ‘XXXXlock.file where XXXX is the port of the STR RAT C2, like 7888lock.file.’
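Two of the indicators above are easy to operationalise on an endpoint: the defanged values need refanging before they can be matched, and the `XXXXlock.file` marker both confirms an infection and reveals the C2 port. The script below is an added example written for this page, not code from the Cofense write-up. It assumes the lock file sits at the top level of the user profile directory (the write-up says only ‘in the user profile’), and the profile it scans in the demo is a constructed temporary directory.

```python
import re
import tempfile
from pathlib import Path

# Defanged indicators as listed in the write-up.
DEFANGED_IOCS = [
    "jbfrost[.]live",
    "hxxps://repo1[.]maven[.]org/maven2/net/java/dev/jna/jna/5[.]5[.]0/jna-5[.]5[.]0[.]jar",
]


def refang(ioc):
    """Turn a defanged indicator (hxxp, [.]) back into a matchable value."""
    out = ioc.replace("hxxps://", "https://").replace("hxxp://", "http://")
    return out.replace("[.]", ".").replace("[:]", ":")


# XXXXlock.file where XXXX is the STR RAT C2 port, e.g. 7888lock.file.
LOCK_RE = re.compile(r"^(\d{1,5})lock\.file$")


def find_lock_files(profile_dir):
    """Scan the top level of a user profile for the lock-file marker.

    Returns {filename: port}. A numeric prefix outside 1..65535 cannot be a
    port, so such files are ignored rather than reported.
    """
    hits = {}
    for entry in Path(profile_dir).iterdir():
        m = LOCK_RE.match(entry.name)
        if m and entry.is_file():
            port = int(m.group(1))
            if 1 <= port <= 65535:
                hits[entry.name] = port
    return hits


def demo_scan():
    """Constructed profile directory: one real marker among look-alikes."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "7888lock.file").touch()       # marker named in the write-up
        (root / "lock.file").touch()           # no port prefix: not a match
        (root / "99999lock.file").touch()      # prefix is not a valid port
        (root / "report.docx").write_text("constructed benign file")
        return find_lock_files(root)


if __name__ == "__main__":
    print([refang(i) for i in DEFANGED_IOCS])
    print("demo:", demo_scan())
    # Real use: scan the current user's profile root.
    print("home:", find_lock_files(Path.home()))
```

The port recovered from the marker is worth carrying into the network hunt: a plain-HTTP connection from the same host to that port corroborates the infection and identifies the C2 endpoint without needing the sample’s decrypted configuration.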

Read more: https://cofense.com/blog/str-rat-phishing-malware-baseline