Introducing STRRAT and Its .CRIMSON Module
G Data Solutions’ researchers observed that a STRRAT infection began with a spam email. This email arrived with an attachment called “NEW ORDER.jar.” When opened, the attachment revealed a simple dropper that was responsible for retrieving a VBScript, saving it as “bqhoonmpho.vbs” to the home directory and executing it. This string leveraged PowerShell to replace characters in its string. It also downloaded Java Runtime Environment so it could infect machines on which Java was not necessarily installed.
Also in Malware News
- Windows Discord Client Modified by NitroHack: As reported by Bleeping Computer, MalwareHunterTeam found that NitroHack malware capitalized on successful installation by modifying the “%AppData%\\Discord\0.0.306\modules\discord_voice\index.js” file with malicious code. It also attempted to modify the same file in the Discord Canary and Discord Public Test Build (PTB) clients. In so doing, NitroHack established persistence and created a way to send an infected user’s account tokens to the attacker’s own Discord channel every time they attempted to log in. For users of the web client, NitroHack arrived with the ability to steal users’ payment card information. Then, malware attempted to spread to an infected user’s contacts by disguising itself as a link for free service to Discord’s premium Nitro service.
- Unknown Threat Actor Responsible for Developing AcidBox: Palo Alto Networks Unit 42 threat research team revealed it had discovered a sample of AcidBox in February 2019. Researchers analyzed the malware and discovered that it shared certain similarities with Remsec, malware developed by ProjectSauron. Even so, they did not attribute the threat to ProjectSauron and instead reasoned that a new threat actor was responsible for developing the modular AcidBox toolkit. The researchers found that whomever was responsible for AcidBlox had first deployed it in 2017. The malware used a VirtualBox exploit to disable Driver Signature Enforcement in Windows. But, it did so with a newer version of VirtualBox than the publicly known vulnerable version VirtualBox driver VBoxDrv.sys v1.6.2.
How to Defend Against Emails Carrying Malicious Payloads
Security professionals can help to defend their organizations against emails carrying malicious payloads by using employee security awareness training to educate their workforce about the dangers of email attacks. This training program should include the use of simulated phishing exercises to test employees’ familiarity with phishing messages and modules to dissuade employees from sharing too much information online.
Infosec personnel should complement this investment in human controls with technical measures, such as banners that flag emails from external sources, security controls that indicate which email messages are coming from blacklisted domains and rules that disable the ability to launch macros from an email attachment.