In recent malware news, security researchers discovered a malware strain called “STRRAT” that shipped with the .CRIMSON ransomware module. STRRAT wasn’t the only new malware threat making headlines. Security researchers also uncovered a new threat that modified the Discord client for Windows to steal users’ account credentials along with a new malware family that likely originated from a yet-unknown threat actor.

Introducing STRRAT and Its .CRIMSON Module

G Data Solutions’ researchers observed that a STRRAT infection began with a spam email. This email arrived with an attachment called “NEW ORDER.jar.” When opened, the attachment revealed a simple dropper that was responsible for retrieving a VBScript, saving it as “bqhoonmpho.vbs” to the home directory and executing it. This string leveraged PowerShell to replace characters in its string. It also downloaded Java Runtime Environment so it could infect machines on which Java was not necessarily installed.

Analysis of the Jar payload written by the VBScript to “%APPDATA%\ntfsmgr.jar” revealed a “strpayload” package. Method “f” in class strpayload.r was responsible for building a string with data about the infected system. This string revealed itself to be the new malware threat STRRAT version 1.2.
Following deobfuscation, G Data Solutions’ researchers determined STRRAT was focused on stealing credentials and passwords from browsers and email clients via keylogging. The malware also came with a rudimentary ransomware module that appended “.crimson” to affected files. However, victims of the ransomware module could recover their files by removing the extension from affected file names.

Also in Malware News

  • Windows Discord Client Modified by NitroHack: As reported by Bleeping Computer, MalwareHunterTeam found that NitroHack malware capitalized on successful installation by modifying the “%AppData%\\Discord\0.0.306\modules\discord_voice\index.js” file with malicious code. It also attempted to modify the same file in the Discord Canary and Discord Public Test Build (PTB) clients. In so doing, NitroHack established persistence and created a way to send an infected user’s account tokens to the attacker’s own Discord channel every time they attempted to log in. For users of the web client, NitroHack arrived with the ability to steal users’ payment card information. Then, malware attempted to spread to an infected user’s contacts by disguising itself as a link for free service to Discord’s premium Nitro service.
  • Unknown Threat Actor Responsible for Developing AcidBox: Palo Alto Networks Unit 42 threat research team revealed it had discovered a sample of AcidBox in February 2019. Researchers analyzed the malware and discovered that it shared certain similarities with Remsec, malware developed by ProjectSauron. Even so, they did not attribute the threat to ProjectSauron and instead reasoned that a new threat actor was responsible for developing the modular AcidBox toolkit. The researchers found that whomever was responsible for AcidBlox had first deployed it in 2017. The malware used a VirtualBox exploit to disable Driver Signature Enforcement in Windows. But, it did so with a newer version of VirtualBox than the publicly known vulnerable version VirtualBox driver VBoxDrv.sys v1.6.2.

How to Defend Against Emails Carrying Malicious Payloads

Security professionals can help to defend their organizations against emails carrying malicious payloads by using employee security awareness training to educate their workforce about the dangers of email attacks. This training program should include the use of simulated phishing exercises to test employees’ familiarity with phishing messages and modules to dissuade employees from sharing too much information online.

Infosec personnel should complement this investment in human controls with technical measures, such as banners that flag emails from external sources, security controls that indicate which email messages are coming from blacklisted domains and rules that disable the ability to launch macros from an email attachment.

More from News

Securing critical infrastructure with the carrot and stick

4 min read - It wasn’t long ago that cybersecurity was a fringe topic of interest. Now, headline-making breaches impact large numbers of everyday citizens. Entire cities find themselves under cyberattack. In a short time, cyber has taken an important place in the national discourse. Today, governments, regulatory agencies and companies must work together to confront this growing threat. So how is the federal government bolstering security for critical infrastructure? It looks like they are using a carrot-and-stick approach. Back in March 2022, the…

650,000 cyber jobs are now vacant: How to tackle the risk

4 min read - How far is the United States behind in filing cybersecurity jobs? As per Rep. Andrew Garbarino, R-N.Y., Chairman of the HHS Cybersecurity and Infrastructure Protection Subcommittee, overseas adversaries have a workforce advantage over FBI cyber personnel of 50 to one. His statements were made during a recent subcommittee hearing titled “Growing the National Cybersecurity Talent Pipeline.” Meanwhile, recent CyberSeek data shows over 650,000 cyber jobs to fill nationwide. Given the rising rate of cyberattacks, these numbers are truly alarming. How…

Will data backups save you from ransomware? Think again

4 min read - Backups are an essential part of any solid anti-ransomware strategy. In fact, research shows that the median recovery cost for ransomware victims that used backups is half the cost incurred by those that paid the ransom. But not all data backup approaches are created equal. A separate report found that in 93% of ransomware incidents, threat actors actively target backup repositories. This results in 75% of victims losing at least some of their backups during the attack, and more than…

Should you worry about state-sponsored attacks? Maybe not.

4 min read - More than ever, state-sponsored cyber threats worry security professionals. In fact, nation-state activity alerts increased against critical infrastructure from 20% to 40% from 2021 to 2022, according to a recent Microsoft Digital Defense Report. With the advent of the hybrid war in Ukraine, nation-state actors are launching increasingly sophisticated attacks. But is this the most prominent danger facing companies today? While nation-state-based attacks cannot be ignored, it looks like insider cyber incidents are far more common. In fact, for the…