Fortinet : New STRRAT RAT Phishing Campaign

Published: 2022-01-20 12:41:19 ET FTNT

Affected Platforms: Windows Impacted Users: Windows users Impact: Collects sensitive information from the compromised end point Severity Level: Medium

Shipping is an indispensable part of modern life. It is the lifeblood of the global economy, with numerous large companies (and their equally large container ships) perpetually moving goods from one corner of the earth to the other to provide consumers and industries with the necessities of life.

Due to the critical importance of shipping and receiving goods to most organizations, threat actors often use shipping as a lure for phishing emails-such as false invoices, changes in shipping delivery, or notices related to a fictitious purchase-to entice recipients into opening malicious attachments and inadvertently downloading malware.

FortiGuard Labs recently came across an example of such an email which was subsequently found to harbor a variant of the STRRAT malware as an attachment.

This blog will detail the deconstruction of the phishing email and its malicious payload.

STRRAT is a multi-capability Remote Access Trojan that dates to at least mid-2020. Unusually, it is Java-based and is typically delivered via phishing email to victims.

Like most phishing attacks, previous STRAAT campaigns have used an intermediate dropper (e.g., a malicious Excel macro) attached to the email that downloads the final payload when opened. This sample dispenses with that tactic and instead attaches the final payload directly to the phishing email.

Disclaimer

Fortinet Inc. published this content on 20 January 2022 and is solely responsible for the information contained therein. Distributed by Public, unedited and unaltered, on 20 January 2022 17:40:08 UTC.