STRRAT, a Java-based RAT, has been evolving since 2020, with yearly updates targeting different stages of the infection chain. When first discovered in 2020, it already had core RAT functionality such as credential theft, keylogging, and backdoor access, along with a fake ransomware module. In 2021, it was observed in phishing campaigns.
In 2022, STRRAT leveraged spoofed emails and the polyglot file technique for execution, and by 2023 it had adopted obfuscation tools to hinder analysis. This year, STRRAT payloads have been uploaded to legitimate platforms and downloaded via links delivered in email, potentially increasing its spread.
STRRAT is a Java-based RAT that grants attackers remote access to a victim's machine. It steals credentials from browsers (Chrome, Firefox, and IE) and email clients (Outlook, Thunderbird, and Foxmail) and logs keystrokes.
Attackers can download and execute files, view and control the remote screen, and leverage PowerShell for further malicious actions. Since 2023, STRRAT updates and new techniques (such as polyglot files) have increased its use.
Phishing emails are the most common way to deliver STRRAT (60%), usually as a .jar file attached to the email; the Java Runtime Environment (JRE) needed to run STRRAT is either bundled with the attachment or downloaded by the malware from repositories.
Loaders (20%) are another popular delivery method: separate programs that download and run the actual STRRAT payload.
Jar downloaders, a type of loader that requires Java, are commonly used; attackers can update the payload the Jar Downloader delivers without modifying the initial malware link.
Loaders can also exploit vulnerabilities in Microsoft Office documents (e.g., CVE-2017-11882) or use Windows Registry files to download STRRAT or another dropper program and potentially gain persistence on the system.
Threat actors are using embedded URLs in emails and PDFs to bypass security controls and download malware like STRRAT; the URLs often point to legitimate services like AWS or GitHub, masking their malicious intent.
Link shorteners are also employed to further obscure the true nature of the download. Droppers, like the JS Dropper, are another tactic: they contain both their own code and the final malware, eliminating the need for an online payload.
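Because a JAR is a ZIP archive, a .jar attachment, a renamed JAR, and a polyglot with a decoy header in front of the archive all share one structural trait: a ZIP central directory with META-INF/MANIFEST.MF, located from the end of the file rather than from its first bytes. The triage helper below, an added example that is not part of the original article or of any vendor's tooling, uses that trait to classify attachments independently of their declared extension. The sample attachments and the "%PDF" decoy prefix are constructed inline; the page does not describe the internal layout of the STRRAT polyglot, so the decoy-header-plus-archive layout is an assumption used only to exercise the check.

```python
import io
import zipfile

MANIFEST = "META-INF/MANIFEST.MF"
ZIP_LOCAL_HEADER = b"PK\x03\x04"  # what a plain ZIP/JAR starts with


def jar_entries(data: bytes) -> list:
    """Return the entry names if `data` parses as a ZIP archive that carries a JAR
    manifest, else an empty list. zipfile finds the archive through the
    end-of-central-directory record, so bytes prepended to the archive (a
    polyglot) do not stop it from parsing."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
    except zipfile.BadZipFile:
        return []
    return names if MANIFEST in names else []


def triage_attachment(filename: str, data: bytes) -> str:
    """Classify one attachment by content, not by its declared extension."""
    if not jar_entries(data):
        return "not-jar"
    if filename.lower().endswith(".jar"):
        return "jar-attachment"          # declared honestly, still worth blocking
    if data.startswith(ZIP_LOCAL_HEADER):
        return "renamed-jar"             # JAR bytes under a non-.jar name
    return "polyglot-jar"                # another format's header, JAR behind it


def build_sample_jar() -> bytes:
    """Constructed, harmless JAR: a manifest and a stub class entry."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(MANIFEST, "Manifest-Version: 1.0\nMain-Class: Sample\n")
        zf.writestr("Sample.class", b"\xca\xfe\xba\xbe" + b"\x00" * 16)
    return buf.getvalue()


SAMPLE_JAR = build_sample_jar()

# Constructed attachments covering the cases the article describes.
SAMPLES = {
    "invoice.jar": SAMPLE_JAR,
    "invoice.pdf": b"%PDF-1.4\n%constructed decoy header\n" + SAMPLE_JAR,
    "photo.png": SAMPLE_JAR,
    "notes.txt": b"plain text, nothing to see here",
}


def triage_all(samples=SAMPLES) -> dict:
    """Map each attachment name to its verdict."""
    return {name: triage_attachment(name, data) for name, data in samples.items()}


if __name__ == "__main__":
    for name, verdict in triage_all().items():
        print(f"{name:12} -> {verdict}")
```

A mail gateway that only inspects the first bytes of an attachment or trusts the extension will pass the "invoice.pdf" and "photo.png" cases; checking for a parseable ZIP with a manifest catches all three JAR variants with the same test.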
STRRAT places malicious files, including a lock file that prevents multiple instances from running, and establishes persistence. It then decrypts a configuration file (config.txt) containing C2 server information, using a passphrase found in the source code.
According to Cofense, it also downloads legitimate libraries (JNA, SQLite JDBC, system-hook) to its local directory for functionality such as DLL access, database usage, and keylogging.
After execution, it copies itself to user folders, creates a configuration file containing C2 server information, and achieves persistence using registry run keys, startup folders, or scheduled tasks.
It communicates with its C2 server over HTTP on non-standard ports and leverages legitimate services like GitHub and Maven to blend in with regular traffic.
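The persistence and C2 behaviours above translate directly into endpoint hunting rules: Java launching a JAR out of a user profile folder, a run key or scheduled task pointing at a JAR, a drop into the Startup folder, and the Java process itself connecting to a port other than 80 or 443. The script below is an added example, not code from the article or from Cofense; it runs those rules over a handful of constructed telemetry events (Sysmon-style process, registry, file and network records reduced to dictionaries). The paths, task name, address and port in the sample events are constructed and are not indicators from the page.

```python
import re

# Heuristics for the behaviours the article attributes to STRRAT (constructed).
JAVA_IMAGE = re.compile(r"(?i)\bjavaw?\.exe\b")
JAR_ARG = re.compile(r'(?i)-jar\s+"?([^"]+?\.jar)"?')
USER_FOLDER = re.compile(r"(?i)^[a-z]:\\users\\[^\\]+\\(appdata|downloads|documents|desktop)\\")
RUN_KEY = re.compile(r"(?i)\\software\\microsoft\\windows\\currentversion\\run(once)?\\")
STARTUP_FOLDER = re.compile(r"(?i)\\start menu\\programs\\startup\\")
SCHTASKS_CREATE = re.compile(r"(?i)\bschtasks(\.exe)?\b.*?/create\b")
STANDARD_WEB_PORTS = {80, 443}


def check_event(ev: dict) -> list:
    """Return the names of every rule the event matches (empty list if none)."""
    hits = []
    kind = ev.get("type")
    if kind == "process":
        cmd = ev.get("cmdline", "")
        jar = JAR_ARG.search(cmd)
        # Java executing a JAR that lives under a user profile folder.
        if JAVA_IMAGE.search(cmd) and jar and USER_FOLDER.match(jar.group(1)):
            hits.append("jar-executed-from-user-folder")
        # A scheduled task created to run a JAR.
        if SCHTASKS_CREATE.search(cmd) and ".jar" in cmd.lower():
            hits.append("scheduled-task-runs-jar")
    elif kind == "registry":
        # Run / RunOnce value whose command references a JAR.
        if RUN_KEY.search(ev.get("key", "")) and ".jar" in ev.get("value", "").lower():
            hits.append("run-key-points-to-jar")
    elif kind == "file":
        path = ev.get("path", "")
        if STARTUP_FOLDER.search(path) and path.lower().endswith((".jar", ".lnk", ".vbs")):
            hits.append("startup-folder-drop")
    elif kind == "network":
        # The Java process itself talking to something other than 80/443.
        if JAVA_IMAGE.search(ev.get("image", "")) and ev.get("dst_port") not in STANDARD_WEB_PORTS:
            hits.append("java-outbound-nonstandard-port")
    return hits


def scan(events) -> list:
    """One hit list per event, index-aligned with the input."""
    return [check_event(ev) for ev in events]


JAVA = r"C:\Program Files\Java\jre\bin\javaw.exe"   # constructed path
DROP = r"C:\Users\alice\AppData\Roaming\report.jar"  # constructed path

# Constructed telemetry; the last two events are benign controls.
SAMPLE_EVENTS = [
    {"type": "process", "cmdline": f'"{JAVA}" -jar "{DROP}"'},
    {"type": "registry", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "value": f'"{JAVA}" -jar "{DROP}"'},
    {"type": "process", "cmdline": f'schtasks /create /sc minute /mo 30 /tn Updater /tr "{DROP}"'},
    {"type": "file", "path": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\report.jar"},
    {"type": "network", "image": JAVA, "dst_ip": "203.0.113.10", "dst_port": 8888},
    {"type": "network", "image": JAVA, "dst_ip": "203.0.113.11", "dst_port": 443},
    {"type": "process", "cmdline": f'"{JAVA}" -jar "C:\\Program Files\\Vendor\\tool.jar"'},
]

if __name__ == "__main__":
    for ev, hits in zip(SAMPLE_EVENTS, scan(SAMPLE_EVENTS)):
        print(ev["type"], "->", hits or "no hits")
```

The network rule is the noisiest of the four on hosts that run legitimate Java applications, so it is best scored alongside the persistence hits from the same host rather than alerted on alone; the rules are deliberately written against the behaviours the article names rather than against file names or addresses, which the operators can change between campaigns.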