
Emerging Threats

STRRAT malware and JRE abuse

frtg · 2 min read

STRRAT is a Java-based Remote Access Tool that does not require the Java Runtime Environment (JRE) to be installed beforehand: its infection chain downloads an archive that bundles a JRE alongside the malicious software, so the malware runs on hosts without Java.

STRRAT

The RAT was first identified in a malspam campaign in 2020. Its distinctive characteristic is that it does not depend on Java being installed on the operating system: the infection chain downloads a JRE (Java Runtime Environment) and runs a Batch script that launches the RAT, which is packaged as a JAR file.

The most recent evidence of the malware dates to August 2021, when we identified emails with Excel attachments containing malicious macros. Once the user enables them, the macros download a ZIP file containing the JRE, the RAT in JAR format, and a Batch script that executes the malware.

The archive contents are extracted to the C:\User folder (closely resembling the legitimate C:\Users folder).

Upon execution, the RAT performs system reconnaissance activities and transmits results to the attacker’s server. Detection of such post-exploitation behavior requires continuous monitoring; our Managed Detection and Response capabilities track command-and-control communications and anomalous process execution patterns associated with Java-based RATs.
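The chain described above leaves a characteristic process-creation footprint: a java.exe that was dropped rather than installed, launched by cmd.exe (the Batch script) from the lookalike C:\User folder with a JAR from the same folder. The following triage script is an added example, not code from the original post; the event schema and the sample events are constructed for illustration, and the only values taken from the page are the SHA256 indicators and the C:\User path. It also flags Java runtimes running outside the usual installation directories, on the assumption (not stated in the post) that the monitored environment installs Java only under Program Files.

```python
"""Triage process-creation events for the STRRAT delivery pattern:
a bundled JRE and a JAR launched from C:/User (lookalike of C:/Users)
via a batch script. Example code, not part of the original post."""

import ntpath
from dataclasses import dataclass
from typing import List, Optional

# SHA256 values listed in the post's Indicators of Compromise section.
KNOWN_BAD_SHA256 = {
    "685549196c77e82e6273752a6fe522ee18da8076f0029ad8232c6e0d36853675",
    "cd6f28682f90302520ca88ce639c42671a73dc3e6656738e20d2558260c02533",
    "f148e9a2089039a66fa624e1ffff5ddc5ac5190ee9fdef35a0e973725b60fbc9",
}

JAVA_LAUNCHERS = {"java.exe", "javaw.exe"}
# Assumption: a legitimate system-wide JRE lives only under Program Files.
# A java.exe running from anywhere else suggests a dropped runtime.
STANDARD_JAVA_DIRS = ("c:\\program files\\", "c:\\program files (x86)\\")
LOOKALIKE_DIR = "c:\\user\\"  # exactly C:\User\ -- never matches C:\Users\


@dataclass
class Event:
    """Minimal constructed process-creation record (schema is an assumption)."""
    image: str        # full path of the created process
    cmdline: str      # its command line
    parent: str       # full path of the parent process
    sha256: str = ""  # hash of the image, if the sensor provides one


def norm(path: str) -> str:
    """Lower-case and unify separators so prefix checks are reliable."""
    return path.replace("/", "\\").lower()


def in_lookalike_dir(path: str) -> bool:
    """True only for C:\\User\\..., never for the legitimate C:\\Users\\..."""
    return norm(path).startswith(LOOKALIKE_DIR)


def jar_argument(cmdline: str) -> Optional[str]:
    """Return the path passed to -jar, if any (quotes stripped)."""
    parts = cmdline.split()  # whitespace split is enough for the -jar token
    for i, tok in enumerate(parts[:-1]):
        if tok.lower() == "-jar":
            return parts[i + 1].strip('"')
    return None


def triage(event: Event) -> List[str]:
    """Return the reasons an event matches the STRRAT delivery pattern."""
    reasons: List[str] = []
    image = norm(event.image)
    if ntpath.basename(image) in JAVA_LAUNCHERS:
        if in_lookalike_dir(image):
            reasons.append("java launched from lookalike folder C:\\User")
        elif not image.startswith(STANDARD_JAVA_DIRS):
            reasons.append("java launched outside standard install dirs (dropped JRE?)")
        jar = jar_argument(event.cmdline)
        if jar and in_lookalike_dir(jar):
            reasons.append("JAR executed from C:\\User")
        # The post describes a Batch script as the launcher: cmd.exe parent.
        if reasons and ntpath.basename(norm(event.parent)) == "cmd.exe":
            reasons.append("spawned by cmd.exe, consistent with a Batch launcher")
    if event.sha256.lower() in KNOWN_BAD_SHA256:
        reasons.append("SHA256 matches a published STRRAT indicator")
    return reasons


# Constructed sample events (not observed data).
SAMPLE_EVENTS = [
    # Matches the chain from the post; file names are made up.
    Event(image=r"C:\User\jre\bin\java.exe",
          cmdline=r"C:\User\jre\bin\java.exe -jar C:\User\payload.jar",
          parent=r"C:\Windows\System32\cmd.exe",
          sha256="cd6f28682f90302520ca88ce639c42671a73dc3e6656738e20d2558260c02533"),
    # Legitimate system-wide JRE running a user's own JAR from C:\Users.
    Event(image=r"C:\Program Files\Java\jre-8\bin\java.exe",
          cmdline=r'"C:\Program Files\Java\jre-8\bin\java.exe" -jar "C:\Users\alice\tools\app.jar"',
          parent=r"C:\Windows\explorer.exe"),
    # Unrelated process.
    Event(image=r"C:\Windows\System32\notepad.exe", cmdline="notepad.exe",
          parent=r"C:\Windows\explorer.exe"),
]


def flagged_events(events: List[Event]) -> dict:
    """Map image path -> reasons for every event that triggers at least one rule."""
    return {e.image: r for e in events if (r := triage(e))}


if __name__ == "__main__":
    for image, reasons in flagged_events(SAMPLE_EVENTS).items():
        print(image)
        for reason in reasons:
            print("  -", reason)
```

The path check is deliberately strict: it tests for the prefix `c:\user\` with the trailing separator, so the legitimate `C:\Users\` tree never matches, and the hash match is kept as an independent rule so that a renamed or relocated sample still trips the behavioural checks.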

Indicators of Compromise

SHA256

  • 685549196c77e82e6273752a6fe522ee18da8076f0029ad8232c6e0d36853675
  • cd6f28682f90302520ca88ce639c42671a73dc3e6656738e20d2558260c02533
  • f148e9a2089039a66fa624e1ffff5ddc5ac5190ee9fdef35a0e973725b60fbc9

IP

  • 54.202.26[.]55
  • 105.109.211[.]84

Domains

  • idgerowner.duckdns[.]org