{"id":3151,"date":"2021-09-06T12:10:09","date_gmt":"2021-09-06T12:10:09","guid":{"rendered":"https:\/\/fortgale.com\/news\/?p=3151"},"modified":"2026-06-08T23:14:17","modified_gmt":"2026-06-08T23:14:17","slug":"strrat-malware-jre-abuse","status":"publish","type":"post","link":"https:\/\/fortgale.com\/blog\/emerging-threats\/strrat-malware-jre-abuse\/","title":{"rendered":"STRRAT malware and JRE abuse"},"content":{"rendered":"\n<p style=\"text-align: justify\">The <strong>STRRAT<\/strong> malware is a <strong>Remote Access Tool<\/strong> based on Java that does not require prior installation of the <b>JRE environment<\/b>. Its infection chain includes the download of an archive containing the <strong>Java Runtime Environment<\/strong> for execution of the malicious software.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-strrat\">STRRAT<\/h2>\n\n\n\n<p style=\"text-align: justify\">The <strong>RAT<\/strong> was first identified in a <strong>Malspam<\/strong> campaign in 2020. The distinctive characteristic of this remote access tool lies in the fact that it does not require Java installation on the operating system, as it provisions the download of a <strong>JRE (Java Runtime Environment)<\/strong> and execution of a <strong>Batch<\/strong> script to launch the <strong>RAT<\/strong> in <strong>JAR<\/strong> format.<\/p>\n\n\n\n<p style=\"text-align: justify\">The most recent evidence of the malware dates to August 2021. We identified emails with <strong>Excel<\/strong> attachments containing malicious macros. Once enabled by the user, the macros download a <strong>Zip<\/strong> file containing the <strong>JRE<\/strong>, the RAT in <strong>JAR<\/strong> format, and a <strong>Batch<\/strong> script for malware execution.<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img decoding=\"async\" src=\"https:\/\/fortgale.com\/news\/wp-content\/uploads\/sites\/2\/2021\/09\/image-2.png\" alt=\"\" class=\"wp-image-3156\" loading=\"lazy\" \/><\/figure>\n<\/div>\n\n\n<p style=\"text-align: justify\">The archive contents are extracted to the <strong>C:\\User<\/strong> folder (closely resembling the legitimate <strong>C:\\Users<\/strong> folder).<\/p>\n<p style=\"text-align: justify\">Upon execution, the RAT performs system reconnaissance activities and transmits results to the attacker&#8217;s server. Detection of such post-exploitation behavior requires continuous monitoring; our <a href=\"https:\/\/fortgale.com\/en\/managed-detection-and-response\/\">Managed Detection and Response<\/a> capabilities track command-and-control communications and anomalous process execution patterns associated with Java-based RATs.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-indicatori-di-compromissione\">Indicators of Compromise<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-sha256\">SHA256<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>685549196c77e82e6273752a6fe522ee18da8076f0029ad8232c6e0d36853675<\/li>\n\n\n\n<li>cd6f28682f90302520ca88ce639c42671a73dc3e6656738e20d2558260c02533<\/li>\n\n\n\n<li>f148e9a2089039a66fa624e1ffff5ddc5ac5190ee9fdef35a0e973725b60fbc9<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-ip\">IP<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>54.202.26[.]55<\/li>\n\n\n\n<li>105.109.211[.]84<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-domini\">Domains<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>idgerowner.duckdns[.]org<\/li>\n<\/ul>\n","protected":false},"excerpt":{"rendered":"<p>STRRAT remote access trojan leveraging Java Runtime Environment for cross-platform persistence: capabilities, distribution patterns and detection considerations.<\/p>\n","protected":false},"author":1,"featured_media":1611,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[3329,1657,3327,1659,3328,1439,3330,3326],"class_list":["post-3151","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-emerging-threats","tag-cross-platform-rat","tag-java-it","tag-java-malware","tag-jre-it","tag-jre-abuse","tag-malware-it","tag-remote-access-trojan","tag-strrat"],"_links":{"self":[{"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/posts\/3151","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/comments?post=3151"}],"version-history":[{"count":2,"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/posts\/3151\/revisions"}],"predecessor-version":[{"id":9917,"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/posts\/3151\/revisions\/9917"}],"wp:attachment":[{"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/media?parent=3151"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/categories?post=3151"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/tags?post=3151"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}