In recent malware news, security researchers discovered a malware strain called “STRRAT” that shipped with the .CRIMSON ransomware module. STRRAT wasn’t the only new malware threat making headlines. Security researchers also uncovered a new threat that modified the Discord client for Windows to steal users’ account credentials along with a new malware family that likely originated from a yet-unknown threat actor.
Introducing STRRAT and Its .CRIMSON Module
G Data Solutions’ researchers observed that a STRRAT infection began with a spam email. This email arrived with an attachment called “NEW ORDER.jar.” When opened, the attachment revealed a simple dropper that was responsible for retrieving a VBScript, saving it as “bqhoonmpho.vbs” to the home directory and executing it. This string leveraged PowerShell to replace characters in its string. It also downloaded Java Runtime Environment so it could infect machines on which Java was not necessarily installed.
Analysis of the Jar payload written by the VBScript to “%APPDATA%\ntfsmgr.jar” revealed a “strpayload” package. Method “f” in class strpayload.r was responsible for building a string with data about the infected system. This string revealed itself to be the new malware threat STRRAT version 1.2.
Following deobfuscation, G Data Solutions’ researchers determined STRRAT was focused on stealing credentials and passwords from browsers and email clients via keylogging. The malware also came with a rudimentary ransomware module that appended “.crimson” to affected files. However, victims of the
ransomware module could recover their files by removing the extension from affected file names.
Also in Malware News
- Windows Discord Client Modified by NitroHack: As reported by Bleeping Computer, MalwareHunterTeam found that NitroHack malware capitalized on successful installation by modifying the “%AppData%\\Discord\0.0.306\modules\discord_voice\index.js” file with malicious code. It also attempted to modify the same file in the Discord Canary and Discord Public Test Build (PTB) clients. In so doing, NitroHack established persistence and created a way to send an infected user’s account tokens to the attacker’s own Discord channel every time they attempted to log in. For users of the web client, NitroHack arrived with the ability to steal users’ payment card information. Then, malware attempted to spread to an infected user’s contacts by disguising itself as a link for free service to Discord’s premium Nitro service.
- Unknown Threat Actor Responsible for Developing AcidBox: Palo Alto Networks Unit 42 threat research team revealed it had discovered a sample of AcidBox in February 2019. Researchers analyzed the malware and discovered that it shared certain similarities with Remsec, malware developed by ProjectSauron. Even so, they did not attribute the threat to ProjectSauron and instead reasoned that a new threat actor was responsible for developing the modular AcidBox toolkit. The researchers found that whomever was responsible for AcidBlox had first deployed it in 2017. The malware used a VirtualBox exploit to disable Driver Signature Enforcement in Windows. But, it did so with a newer version of VirtualBox than the publicly known vulnerable version VirtualBox driver VBoxDrv.sys v1.6.2.
How to Defend Against Emails Carrying Malicious Payloads
Security professionals can help to defend their organizations against emails carrying malicious payloads by using employee security awareness training to educate their workforce about the dangers of email attacks. This training program should include the use of simulated phishing exercises to test employees’ familiarity with phishing messages and modules to dissuade employees from sharing too much information online.
Infosec personnel should complement this investment in human controls with technical measures, such as banners that flag emails from external sources, security controls that indicate which email messages are coming from blacklisted domains and rules that disable the ability to launch macros from an email attachment.