New Java STRRAT ships with .crimson ransomware module
#1
Bug 
Quote:

This Java-based malware installs RDPWrap, steals credentials, logs keystrokes and remote controls Windows systems. It may soon be capable of infecting without Java installed.

Java is not commonly used for malware anymore and its runtime environment is not installed on as many systems as it was in the past. It is all the more surprising when new Java-based malware families arise.

I am an active member of the forum MalwareTips.com. A member of this forum, upnorth, shared a sample(2) to be used for testing Antivirus products. This sample(2) caught my attention. It was a Java archive but described as WSHRat. I expected to see either a dropper for a known WSH based RAT or another Adwind variant. I was wrong. This sample(2) is a new breed of Java RAT. One that is prepared to not rely on a preinstalled Java Runtime Environment (JRE).

Infection chain overview

The following sections will describe the infection chain in detail. Here is an overview involving initial infection, intermediate files, unpacking layers and hardcoded downloads by the payload. The numbering of files in the image corresponds to numbers in the IOC listing at the bottom of the article.

Infection chain 1: Spam email with malicious Jar attachment

The infection starts with a rather ordinary spam email(1) that has a malicious attachment named NEW ORDER.jar(2).

I found this email via VirusTotal graphs, which show a relationship to our Jar file. It is not clear if the uploader of the email redacted the email body or if the threat actors didn't want to take their time to add any content. It should be noted that Outlook prevents access to email attachments with .jar extension. In this case I applied a registry hack to have it shown anyway.

The NEW ORDER.jar(2) is a simple dropper. It retrieves a VBScript(3) from the resources, saves the script as bqhoonmpho.vbs(3) to the home directory of the user and executes it using wscript.exe.
...
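The dropper behaviour quoted above (a Jar writing a .vbs into the user's home directory and launching it with wscript.exe) leaves a distinctive process-creation pattern: a Java runtime spawning a Windows script host with a .vbs under a user profile. The following is an added detection example, not code from the G DATA article or the forum post; it runs over constructed events modelled on Sysmon Event ID 1 fields (ParentImage, Image, CommandLine, User), which are assumptions about the log format rather than logs from the analysed sample.

```python
import ntpath
import re

# Constructed sample events modelled on Sysmon Event ID 1 (process creation).
# These records are made up for the example; only the .vbs name bqhoonmpho.vbs
# comes from the article, everything else (paths, users, versions) is invented.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Program Files\Java\jre1.8.0_251\bin\javaw.exe",
     "Image": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r'"C:\Windows\System32\wscript.exe" "C:\Users\alice\bqhoonmpho.vbs"',
     "User": "WORKSTATION\\alice"},
    {"ParentImage": r"C:\Windows\explorer.exe",            # benign logon script
     "Image": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r'"C:\Windows\System32\wscript.exe" "C:\Scripts\logon.vbs"',
     "User": "WORKSTATION\\alice"},
    {"ParentImage": r"C:\Program Files\Java\jre1.8.0_251\bin\java.exe",  # java -> java, no script host
     "Image": r"C:\Program Files\Java\jre1.8.0_251\bin\java.exe",
     "CommandLine": r'"java.exe" -jar build.jar',
     "User": "WORKSTATION\\alice"},
    {"ParentImage": r"C:\Program Files\Java\jre1.8.0_251\bin\java.exe",
     "Image": r"C:\Windows\System32\cscript.exe",
     "CommandLine": r'"cscript.exe" //nologo C:\Users\bob\AppData\Roaming\update.vbs',
     "User": "WORKSTATION\\bob"},
]

JAVA_HOSTS = {"java.exe", "javaw.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# A .vbs anywhere below C:\Users\<name>\ (case-insensitive), stopping at a closing quote.
VBS_IN_PROFILE = re.compile(r'(?i)[a-z]:\\users\\[^\\"]+\\[^"]*\.vbs')


def script_path(event):
    """Return the profile-resident .vbs path from the command line, or None."""
    m = VBS_IN_PROFILE.search(event["CommandLine"])
    return m.group(0) if m else None


def is_java_dropping_vbs(event) -> bool:
    """True when a Java runtime spawns a script host running a .vbs from a user profile."""
    parent = ntpath.basename(event["ParentImage"]).lower()
    child = ntpath.basename(event["Image"]).lower()
    if parent not in JAVA_HOSTS or child not in SCRIPT_HOSTS:
        return False
    return script_path(event) is not None


def find_suspicious(events):
    """Filter a batch of process-creation events down to the Java -> script host pattern."""
    return [e for e in events if is_java_dropping_vbs(e)]


if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_EVENTS):
        print(f"{hit['User']}: {ntpath.basename(hit['ParentImage'])} -> "
              f"{ntpath.basename(hit['Image'])} {script_path(hit)}")
```

The parent/child pairing is the load-bearing part of the rule: script hosts running .vbs files are common on managed estates (logon scripts, deployment tooling), but a Java process launching one with a script that lives in a user profile is rare enough to be worth a triage ticket. Tune the path regex to your own profile layout if user directories are redirected.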

