Cyble – STRRAT’s Latest Version Incorporates Dual Obfuscation Layers

Key Takeaways

• The blog highlights a new infection technique for distributing STRRAT version 1.6. It involves a spam email with a PDF attachment that, when opened, downloads a zip file containing the malicious JavaScript, which drops STRRAT.
• STRRAT version 1.6 employs two string obfuscation techniques: “Zelix KlassMaster (ZKM)” and “Allatori”, making it more challenging for security researchers to analyze and detect the malware.
• STRRAT version 1.6 has evolved from its previous variants and has been actively distributed since March 2023. It has been detected in the wild using various infection chains.
• The malware retains its key functionalities, which include targeting popular web browsers like Chrome, Firefox, and Internet Explorer, as well as widely used email clients such as Outlook, Thunderbird, and Foxmail.

Overview

In 2020, STRRAT, a Java-based Remote Access Trojan (RAT), emerged with a diverse set of functionalities, enabling activities like keylogging and pilfering credentials from browsers and email clients. Additionally, it has been detected incorporating a “Crimson” Ransomware module. Over time, since its initial discovery, STRRAT has continuously evolved and employed various infection chains.

Cyble Research And Intelligence Labs (CRIL) recently identified a new infection technique used to distribute STRRAT. This new method involves the distribution of STRRAT version 1.6, which utilizes two string obfuscation techniques. Detailed information about these techniques can be found in the technical analysis section.

The figure below shows the infection flow:

Figure 1 – STRRAT Infection chain.png

Initial Infection

The infection initiates through a spam email sent to the target, which pretends to come from an electronic-based company. The email contains an attached PDF file, which is presented as an invoice.

Figure 2 – Spam email with a PDF attachment

After opening the PDF attachment, a download image is displayed within the PDF. When clicked, it downloads a zip file named “Invo-0728403.zip” from the URL hxxps://tatchumbemerchants[.]co.ke/Invo-0728403[.]zip.

Figure 3 – Malicious PDF attachment

Inside the downloaded Zip file, there is a JavaScript file that contains the encrypted payload of STRRAT.

Figure 4 – Zip contains Javascript file

Figure 5 – JavaScript file

When executed, the Javascript file decrypts the payload within it and drops the file “lypbtrtr.txt” into the “AppDataRoaming” directory.

Figure 6 – JavaScript drops a file with .txt extension.

Upon checking the file type, it becomes evident that the one with the “.txt” extension is, in fact, a disguised zip (JAR) file. After extracting its contents, a folder named “carLambo” and META-INF is revealed, containing classes, resources, and a MANIFEST.MF file. The presence of the “carLambo” package name indicates that the file is the STRRAT malware.

Figure 7 – JAR file content

Technical Analysis

In our analysis of STRRAT, we discovered that the class names had undergone modifications, unlike the previous variant, where all the class names were gibberish. Furthermore, we observed that STRRAT currently utilizes two string obfuscators, namely “Allatori” and “Zelix KlassMaster (ZKM).” The previous variants were observed using only the “Allatori” obfuscator.

Figure 8 – JAR file with obfuscated classes

As shown in Figure 8, there are two methods for string deobfuscation. First, the string deobfuscation will be executed for “Zelix KlassMaster”.
The figure below shows the code after ZKM deobfuscation.

Figure 9 – ZKM deobfuscated code

After completing the ZKM deobfuscation process, the next step involves deobfuscating the strings against the Allatori obfuscator.

The figure below illustrates the JAR file containing the now-readable strings.

Figure 10 – Code after Allatori obfuscator

Upon analyzing the deobfuscated JAR file, we came across the “ad.class” file, which points to the presence of a new version of the STRRAT malware (version 1.6). This variant has been actively distributed since March 2023 and disseminated through various infection chains. Over 70 samples of this particular version have been identified in the wild.

Figure 11 – Strings in the file indicate the new version of STRRAT

Persistence mechanism:

To maintain persistence, the RAT creates a task scheduler entry using the name “Skype,” as shown below.

Figure 12 – Creates a task scheduler

Similar to previous versions of STRRAT, version 1.6 also utilizes an encrypted config.txt file to store the Command and Control (C&C) server information. The config.txt file is encoded with Base64 and encrypted using AES encryption.

Figure 13 – Fetched C&C data from config.txt file

The decrypted strings from the config.txt file are shown below:

Figure 14 – Decrypted strings from config.txt file

Our analysis showed that STRRAT version 1.6 retains the same functionalities as its previous versions. It continues to target popular web browsers like Chrome, Firefox, and Internet Explorer, along with widely used email clients such as Outlook, Thunderbird, and Foxmail. It steals sensitive information from the victim’s machine.

Figure 15 – STRRAT targeting browsers and email clients

C&C communication:

Once STRRAT connects to the C&C server, it can execute the below commands:

Conclusion

The analysis of the STRRAT malware, particularly version 1.6, reveals the continuous evolution and sophistication of this Java-based Remote Access Trojan. Since its emergence in 2020, STRRAT has undergone significant modifications, making it a persistent threat to cybersecurity.

The distribution of STRRAT through spam emails, disguising the payload inside a JavaScript file downloaded via a PDF attachment, showcases the Threat Actor’s (TA’s) efforts to conceal its presence and evade detection. The integration of two string obfuscation techniques, “Zelix KlassMaster” and “Allatori,” further complicates the analysis process and demonstrates the threat actor’s dedication to improving the malware’s evasion capabilities.

The presence of over 70 samples of STRRAT version 1.6 in the wild indicates an active and ongoing campaign by the TA, underlining the urgency for organizations to remain vigilant against this threat.

Our Recommendations

We have listed some essential cybersecurity best practices that create the first line of control against attackers. We recommend that our readers follow the best practices given below:
• Implement strong email filtering solutions to detect and block spam emails, phishing attempts, and malicious attachments.
• Refrain from opening untrusted links and email attachments without verifying their authenticity.
• Deploy robust endpoint security solutions that include antivirus, anti-malware, and anti-ransomware software. Keep these security tools up-to-date to ensure protection against the latest threats.
• Utilize URL filtering mechanisms to block access to known malicious websites and domains. This can prevent users from inadvertently downloading malware from malicious URLs.
• Conduct regular cybersecurity training sessions for employees, educating them about the latest threats, phishing techniques, and the importance of being cautious with email attachments and links. Make them aware of the risks of downloading and executing files from unknown sources.
• Monitor the beacon on the network level to block data exfiltration by malware or TAs.

MITRE ATT&CK® Techniques

Indicators of Compromise (IOCs)

ET Rules

2030358 — ET MALWARE STRRAT CnC Checkin

2030359 — ET MALWARE STRRAT Initial HTTP Activity

2030360 — ET MALWARE STRRAT Requesting License Check

2044912 — ET DELETED Hash – STRRAT (ja3)

YARA Rules

rule strrat_javascript_dropper
{
meta:
author = “Cyble”
description = “Detects STRRAT Javascript Files”
date = “2023-08-04”
os = “Windows”
threat_name = “strrat”
severity = 100
reference_sample = “c9380f51f0dd7167f833669eda3063a1a8f34cc3e2d536f29153952772dc8b20”

strings:
$a = “tcejbOetaerC”
$b = “noitisoP”
$c = “teSrahC”
$d = “txeTdaeR”
$e = “sH1n3k0”

condition:
($a or $b or $c or $d) and $e
}

rule strrat
{

meta:
author = “Cyble”
description = “Detects STRRAT jar Files”
date = “2023-08-04”
os = “Windows”
threat_name = “strrat”
severity = 100
reference_sample = “9714dce49616e48fc4851d05453056939ab08bf140fe9a786616fa914debb4f4”

strings:
$a = “carLambo/WinGDI.class”
$b = “carLambo/FirstRun.class”
$c = “carLambo/resources/config.txt”

condition:
uint16(0) == 0x4b50 and all of them
}

Detection Guidance

Create a rule that blocks the execution of the “javaw.exe” process if it originates from “Wscript.exe.” Additionally, the rule should target cases where the command line parameter of “javaw.exe” is directed to the “%appdata%” path and the file extension being executed is “.txt”.

Related

Source: https://cyble.com/blog/strrats-latest-version-incorporates-dual-obfuscation-layers/