Threat Research

New STRRAT RAT Phishing Campaign

By James Slaughter | January 20, 2022

Shipping is an indispensable part of modern life. It is the lifeblood of the global economy, with numerous large companies (and their equally large container ships) perpetually moving goods from one corner of the earth to the other to provide consumers and industries with the necessities of life.

Due to the critical importance of shipping and receiving goods to most organizations, threat actors often use shipping as a lure for phishing emails—such as false invoices, changes in shipping delivery, or notices related to a fictitious purchase—to entice recipients into opening malicious attachments and inadvertently downloading malware.

FortiGuard Labs recently came across an example of such an email which was subsequently found to harbor a variant of the STRRAT malware as an attachment.

This blog will detail the deconstruction of the phishing email and its malicious payload.

Affected Platforms: Windows
Impacted Users: Windows users
Impact: Collects sensitive information from the compromised end point
Severity Level: Medium

Examining the phishing email

STRRAT is a multi-capability Remote Access Trojan that dates to at least mid-2020. Unusually, it is Java-based and is typically delivered via phishing email to victims.

Like most phishing attacks, previous STRAAT campaigns have used an intermediate dropper (e.g., a malicious Excel macro) attached to the email that downloads the final payload when opened. This sample dispenses with that tactic and instead attaches the final payload directly to the phishing email.

Figure 1. Spoofed email sender and subject

As Figure 1 shows, this sample is clearly not from Maersk Shipping. The threat actors are hoping that recipients do not look too closely. Digging into the email headers further, the full trail of where the email has come from becomes apparent:

Figure 2. Email headers

After departing the sender’s local infrastructure, the message eventually routes through “acalpulps[.]com” before being delivered to the final recipient. This domain was only registered in August 2021, making the domain somewhat suspicious. Additionally, the domain used in the “Reply-To” address, “ftqplc[.]in”, was also recently registered (October 2021), making it also highly suspect.

The email body encourages the recipient to open attachments about a scheduled shipment.

Figure 3. Email body

As of the publish date of this blog, the domain “v[.]al” included in the body of the letter does not resolve. 

Figure 4. Email attachments

Attached directly to the sample email are a PNG image and two Zip archives. “maersk.png” is just an image file, as shown in Figure 4. The two Zip archives, “SHIPMENT_DOCUMENTS_INV-PLIST01256_BL PDF[.]zip” and “SHIPMENT_DOCUMENTS_INV-PLIST01256_BL PDF (2)[.]zip”, however, contain an embedded copy of STRRAT.

Examining the STRRAT attachment

“SHIPMENT_DOCUMENTS_INV-PLIST01256_BL PDF[.]zip” and “SHIPMENT_DOCUMENTS_INV-PLIST01256_BL PDF (2)[.]zip” are identical files, as can be seen through their respective SHA256 hash values.
Figure 5. SHA256 hash of “SHIPMENT_DOCUMENTS_INV-PLIST01256_BL PDF[.]zip”

Figure 6. SHA256 hash of “SHIPMENT_DOCUMENTS_INV-PLIST01256_BL PDF (2)[.]zip”

Unzipping one of these archives presents the file “SHIPMENT_DOCUMENTS_INV-PLIST01256_BL PDF[.]jar”. However, upon opening the file in Jar Explorer, a few things become immediately apparent.

Figure 7. Initial view of “SHIPMENT_DOCUMENTS_INV-PLIST01256_BL PDF[.]jar” in Jar Explorer

Firstly, a large number of Java class files are part of this package. Secondly, the class “FirstRun” strings appear to be scrambled or encoded. Lines that are appended with “ALLATORIxDEMO” indicate the presence of the Allatori Java Obfuscator.

This can be validated by attempting to execute the jar file.

Figure 8. Splash screen shown when attempting to execute “SHIPMENT_DOCUMENTS_INV-PLIST01256_BL PDF[.]jar”

Confirming that this has been obfuscated using Allatori helps in the analysis process as open-source tools are available that can roll this back and reveal the actual content inside the jar file. Java Deobfuscator (https://github.com/java-deobfuscator/deobfuscator) works particularly well against Allatori and successfully restores the original string content, as shown below.

Figure 9. The same view of class “FirstRun” now deobfuscated

Independently encoded from the class files in STRRAT is the configuration file (config.txt). On first view, it is base 64 encoded, as shown in Figure 10.

Figure 10. Base 64 encoded “config.txt”

When decoded, the file is unfortunately still scrambled.

Figure 11. “Decoded” configuration file

By searching the code for “config.txt,” we can see that the configuration file was encrypted using AES and uses the passphrase of “strigoi.” Decrypting the config file now becomes possible.

Figure 12. Decrypted configuration file

The final item in the line in Figure 12 was of particular interest, as this sample appeared during the height of the Log4Shell event. Khonsari was the name of a ransomware variant taking advantage of that particular vulnerability. Here, though, the word functions as a software key, and there is no evidence of any link between the two pieces of malware.

Most malware strains have a requirement to maintain persistence across reboots and sessions so they can complete tasks they’ve been set. STRRAT accomplishes this by copying itself into a new directory and then adding entries to the Windows registry to run at system startup.

Figure 13. Code to modify the registry

Figure 14. Modified registry

STRRAT queries the host to determine its architecture and anti-virus capability on startup. It also queries running processes, local storage, and network capability.

In terms of capabilities, STRRAT can log keystrokes and maintain an HTML-based log to store items of interest.

Figure 15. Code to create the keyboard log file

Figure 16. Keyboard log file ready to be populated

STRRAT can also facilitate the remote control of an infected system by dropping HRDP – a remote access tool.

Figure 17. HRDP

Additional capabilities include siphoning passwords from browsers, such as Chrome, Firefox, and Microsoft Edge, and email clients, like Outlook, Thunderbird, and Foxmail.

One of the more curious modules present in STRRAT is its pseudo-ransomware ability.

Figure 18. Pseudo-ransomware module

The code cycles through files in the user’s home directories and appends a file extension of “.crimson” to them. No encryption of the files is undertaken, making this only suitable as a decoy or perhaps as a scare tactic against less savvy users. A ransom note template was not found in the code.

On the network side of things, we see STRRAT looking to reach out and pull down several Java dependencies upon startup.

Figure 19. Java dependencies

As shown in Figure 12, this sample is using IP address 198[.]27.77.242 for C2 (Command and Control). Examining that traffic in Wireshark shows STRRAT being exceptionally noisy. This is likely due to the C2 channel being offline at the time of the investigation. In its effort to obtain further instructions, the sample attempts to communicate over port 1780 and 1788 at one-second intervals, if not more in some instances.

Figure 20. Attempted C2 communication as shown in Wireshark

Figure 12 also shows a URL containing the domain “jbfrost[.]live”. This appears to be part of the C2 infrastructure for the malware but does not appear to be used (at least not at this time). The domain does not resolve currently. 

Conclusion

Threat actors expend an enormous amount of effort to craft campaigns that take advantage of the basic day-to-day operations of companies. This includes the intake of raw materials and the output of finished goods via shipping and transportation networks. Threats of this nature are only set to increase in the coming months and years and organizations need to be on guard for attempts to subvert their operations in this manner.  

This campaign is one such attempt. STRRAT doesn’t garner as much attention as some of the more widely seen trojans in the malware ecosystem, but it is a capable and resilient threat where encountered.

Fortinet Protections and Mitigations

FortiGuard Labs provides the following AV coverage against the files used in this attack:

Java/Agent.X!tr

FortiMail protects Fortinet customers by blocking phishing emails and applying FortiGuard’s Web Filtering, AntiVirus, and CDR (content disarm and reconstruction) technologies.

All network IOCs are blocked by the WebFiltering client.

FortiEDR detects the malicious files based on reputation and behavior.

IOCs

E-mail 

Addresses

shipping@acalpulps.com

exports@ftqplc.in

Trojan

SHA256 Hash

409ad1b62b478477ce945791e15e06b508e5bb156c4981263946cc232df89996 (SHIPMENT_DOCUMENTS_INV-PLIST01256_BL PDF[.]zip)

3380d42b418582b6f23cfd749f3f0851d9bffc66b51b338885f8aa7559479054 (SHIPMENT_DOCUMENTS_INV-PLIST01256_BL PDF[.]jar)

URL

hXXp://jbfrost[.]live/strigoi/server/?hwid=1&lid=m&ht=5

IP Address

198[.]27.77.242 (C2)

Learn more about Fortinet’s FortiGuard Labs threat research and intelligence organization and the FortiGuard Security Subscriptions and Services portfolio.