In recent malware news, security researchers discovered a malware strain called “STRRAT” that shipped with the .CRIMSON ransomware module. STRRAT wasn’t the only new malware threat making headlines. Security researchers also uncovered a new threat that modified the Discord client for Windows to steal users’ account credentials along with a new malware family that likely originated from a yet-unknown threat actor.

Introducing STRRAT and Its .CRIMSON Module

G Data Solutions’ researchers observed that a STRRAT infection began with a spam email. This email arrived with an attachment called “NEW ORDER.jar.” When opened, the attachment revealed a simple dropper that was responsible for retrieving a VBScript, saving it as “bqhoonmpho.vbs” to the home directory and executing it. This string leveraged PowerShell to replace characters in its string. It also downloaded Java Runtime Environment so it could infect machines on which Java was not necessarily installed.

Analysis of the Jar payload written by the VBScript to “%APPDATA%\ntfsmgr.jar” revealed a “strpayload” package. Method “f” in class strpayload.r was responsible for building a string with data about the infected system. This string revealed itself to be the new malware threat STRRAT version 1.2.
Following deobfuscation, G Data Solutions’ researchers determined STRRAT was focused on stealing credentials and passwords from browsers and email clients via keylogging. The malware also came with a rudimentary ransomware module that appended “.crimson” to affected files. However, victims of the ransomware module could recover their files by removing the extension from affected file names.

Also in Malware News

  • Windows Discord Client Modified by NitroHack: As reported by Bleeping Computer, MalwareHunterTeam found that NitroHack malware capitalized on successful installation by modifying the “%AppData%\\Discord\0.0.306\modules\discord_voice\index.js” file with malicious code. It also attempted to modify the same file in the Discord Canary and Discord Public Test Build (PTB) clients. In so doing, NitroHack established persistence and created a way to send an infected user’s account tokens to the attacker’s own Discord channel every time they attempted to log in. For users of the web client, NitroHack arrived with the ability to steal users’ payment card information. Then, malware attempted to spread to an infected user’s contacts by disguising itself as a link for free service to Discord’s premium Nitro service.
  • Unknown Threat Actor Responsible for Developing AcidBox: Palo Alto Networks Unit 42 threat research team revealed it had discovered a sample of AcidBox in February 2019. Researchers analyzed the malware and discovered that it shared certain similarities with Remsec, malware developed by ProjectSauron. Even so, they did not attribute the threat to ProjectSauron and instead reasoned that a new threat actor was responsible for developing the modular AcidBox toolkit. The researchers found that whomever was responsible for AcidBlox had first deployed it in 2017. The malware used a VirtualBox exploit to disable Driver Signature Enforcement in Windows. But, it did so with a newer version of VirtualBox than the publicly known vulnerable version VirtualBox driver VBoxDrv.sys v1.6.2.

How to Defend Against Emails Carrying Malicious Payloads

Security professionals can help to defend their organizations against emails carrying malicious payloads by using employee security awareness training to educate their workforce about the dangers of email attacks. This training program should include the use of simulated phishing exercises to test employees’ familiarity with phishing messages and modules to dissuade employees from sharing too much information online.

Infosec personnel should complement this investment in human controls with technical measures, such as banners that flag emails from external sources, security controls that indicate which email messages are coming from blacklisted domains and rules that disable the ability to launch macros from an email attachment.

More from News

Hackers are Increasingly Targeting Auto Dealers

Auto dealerships are increasingly concerned with cybersecurity in the face of new regulations and an alarming rise in cyberattacks. The Second Annual Global State of Cybersecurity Report by CDK Global found that 85% of dealerships say cybersecurity is very or extremely important relative to other operational areas. Additionally, 89% say cybersecurity is more important than last year, a 12% increase. Not surprisingly, only 37% of auto retailers are confident in the current protection, which is a 21% decrease from 2021.…

LastPass Breaches Cast Doubt on Password Manager Safety

In 2022, LastPass suffered a string of security breaches which sparked concern among cyber professionals and those impacted by the intrusions. Some called into question the way LastPass handled and responded to the incident. In addition, the situation ignited a wider conversation about the risks linked to utilizing password managers. A password manager helps users generate strong passwords and safeguards them within a digital locker. A master password secures all data, which enables users to conveniently access all their passwords…

Good Guys Decrypt Ransomware Targeting Charitable Groups

Imagine you’re an IT manager amid a ransomware attack. While your team scrambles for solutions, the intruders demand a ransom. Of course, you don’t want to pay; you just want your files back. But as time ticks by and the extortionists turn up the heat, your bosses are about to give in and pay the ransom. But then, the FBI calls. “Don’t pay,” the agent says. “We’ve found someone who can crack the encryption.” Sound too good to be true?…

Threat Groups Offer $240k Salary to Tech Jobseekers

Dark web forums are home to various individuals interested in conducting illicit or questionable activities. These forums offer opportunities such as the transaction of stolen data, Malware-as-a-Service, hacking services and invitations to collaborate in hacktivism. Cyber crime team members are recruited directly from the source: the dark web. What does this activity look like? Kaspersky recently conducted an analysis of 155 dark web forums from January 2020 to June 2022. They examined job postings and resumes that contained information about…