New Italian StrRat campaign: a CyberChef recipe available to decode the malware

Short Summary

This week, the StrRat malware has once again affected Italy. CERT-AGID has studied the new sample to provide a quick decoding tool for analysts. StrRat is a Remote Access Trojan (RAT) written in Java, primarily designed for information theft, featuring backdoor capabilities and a plugin architecture for complete remote access.

Keypoints

  • StrRat is a Remote Access Trojan (RAT) targeting information theft.
  • It uses a plugin architecture for enhanced remote access capabilities.
  • Keylogging and credential theft functionalities are included.
  • A decoding recipe using CyberChef has been created to facilitate the analysis of StrRat samples.
  • The recipe is effective for all StrRat samples detected in the last three years.

MITRE ATT&CK TTPs – created by AI

  • Credential Dumping (T1003)
    • Procedure: StrRat includes functionalities aimed at credential theft.
  • Remote Access Tools (T1219)
    • Procedure: StrRat provides complete remote access to attackers.
  • Data Encrypted (T1022)
    • Procedure: StrRat encrypts sensitive information within the config.txt file.

Full Article Translation

08/08/2024

This week, the StrRat malware has once again affected Italy. CERT-AGID has therefore analysed the new sample again in order to provide analysts with a quick decoding tool.

StrRat is a Remote Access Trojan (RAT) written in Java and primarily designed for information theft; it is also equipped with backdoor functionality. It uses a plugin architecture to offer attackers complete remote access and includes features aimed at credential theft, keylogging and the loading of additional plugins.

Position and content of the file “config.txt”

All the useful information (the C2 address, the port and the URL from which plugins are downloaded) is stored encrypted in the accompanying config.txt file. Since the decoding has already been documented, we have created a CyberChef recipe that leverages advanced functions to make the decoding process easier and faster.

CyberChef Recipe

The concept is simple: the recipe takes a Base64-encoded input, decodes it to hexadecimal, cleans the text by removing whitespace, extracts the key and IV, derives a key with PBKDF2, and finally uses AES to decrypt the remaining data. The entire process relies on a secret key derived from the known password “strigoi”.

Link: CyberChef Recipe

Note: The recipe is effective for all StrRat samples detected in the last 3 years, as they are based on the known password ‘strigoi’. However, if the password were to change, it may be necessary to update the recipe to continue ensuring correct decoding.
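As an added illustration of the decoding pipeline described above (this is example code, not CERT-AGID's recipe), the same steps in Ruby with a constructed round-trip sample. Only the password “strigoi” comes from the article; the byte layout (salt, then IV, then ciphertext), the iteration count, the key size and the digest are assumptions that must be checked against the sample before trusting the output.

```ruby
require 'openssl'

# Parameters for this example. The password is the one named in the article; the
# byte layout, iteration count, key size and digest are ASSUMPTIONS that must be
# verified against the sample (or the CERT-AGID recipe) before relying on output.
PASSWORD   = 'strigoi'
SALT_LEN   = 16        # assumed: leading bytes used as PBKDF2 salt ("key" in the recipe)
IV_LEN     = 16        # AES block size
ITERATIONS = 65_536    # assumed
KEY_BYTES  = 16        # assumed: AES-128
DIGEST     = 'sha512'  # assumed: PBKDF2WithHmacSHA512

def derive_key(salt)
  OpenSSL::PKCS5.pbkdf2_hmac(PASSWORD, salt, ITERATIONS, KEY_BYTES, DIGEST)
end

# Base64 -> [salt | iv | ciphertext] -> PBKDF2 key -> AES-CBC decrypt (PKCS#7 unpad).
def decode_strrat_config(b64)
  raw = b64.gsub(/\s+/, '').unpack1('m')          # whitespace-tolerant Base64 decode
  raise ArgumentError, 'config too short' if raw.bytesize < SALT_LEN + IV_LEN + 16
  salt = raw.byteslice(0, SALT_LEN)
  iv   = raw.byteslice(SALT_LEN, IV_LEN)
  ct   = raw.byteslice(SALT_LEN + IV_LEN, raw.bytesize)
  aes = OpenSSL::Cipher.new('aes-128-cbc').decrypt
  aes.key = derive_key(salt)
  aes.iv  = iv
  (aes.update(ct) + aes.final).force_encoding('UTF-8')
end

# Constructed sample: encrypt a fake config with the same scheme so the decoder can
# be exercised offline. The field order and content of the plaintext are illustrative.
def build_sample_config(plaintext, salt, iv)
  aes = OpenSSL::Cipher.new('aes-128-cbc').encrypt
  aes.key = derive_key(salt)
  aes.iv  = iv
  [salt + iv + aes.update(plaintext) + aes.final].pack('m0')
end

SAMPLE_PLAINTEXT = 'c2.example.invalid|8080|http://plugins.example.invalid/plugin.jar'
SAMPLE_CONFIG = build_sample_config(SAMPLE_PLAINTEXT,
                                    OpenSSL::Random.random_bytes(SALT_LEN),
                                    OpenSSL::Random.random_bytes(IV_LEN))

puts decode_strrat_config(SAMPLE_CONFIG) if $PROGRAM_NAME == __FILE__
```

If the parameters do not match the sample, `aes.final` raises `OpenSSL::Cipher::CipherError` (bad padding), which is the quickest sign that the layout or PBKDF2 settings need adjusting.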

Indicators of Compromise

To make the details of the analysed sample public, the IoCs derived from it are available at the link below:

Link: Download IoC

Source: Original Post