Fortinet Inc.

01/20/2022 | Press release | Distributed by Public on 01/20/2022 11:38

New STRRAT RAT Phishing Campaign

FortiGuard Labs Threat Research Report

Affected Platforms: Windows
Impacted Users: Windows users
Impact: Collects sensitive information from the compromised endpoint
Severity Level: Medium

Shipping is an indispensable part of modern life. It is the lifeblood of the global economy, with numerous large companies (and their equally large container ships) perpetually moving goods from one corner of the earth to the other to provide consumers and industries with the necessities of life.

Due to the critical importance of shipping and receiving goods to most organizations, threat actors often use shipping as a lure for phishing emails (such as false invoices, changes in shipping delivery, or notices related to a fictitious purchase) to entice recipients into opening malicious attachments and inadvertently downloading malware.

FortiGuard Labs recently came across an example of such an email, which was subsequently found to harbor a variant of the STRRAT malware as an attachment.

This blog will detail the deconstruction of the phishing email and its malicious payload.

Examining the phishing email

STRRAT is a multi-capability Remote Access Trojan that dates to at least mid-2020. Unusually, it is Java-based and is typically delivered via phishing email to victims.

Like most phishing attacks, previous STRRAT campaigns have used an intermediate dropper (e.g., a malicious Excel macro) attached to the email that downloads the final payload when opened. This sample dispenses with that tactic and instead attaches the final payload directly to the phishing email.
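Because the payload here is a Java archive attached directly to the message, a mail-gateway check that looks at attachment content rather than the declared filename or MIME type catches this delivery style regardless of the lure. The following is an added illustration of such a check, not code from Fortinet or from the report; the message it scans is constructed inline (the addresses, subject and filenames are made up), and a JAR is recognized by its ZIP structure containing a `META-INF/MANIFEST.MF` entry or `.class` files.

```python
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage

# A JAR is a ZIP archive; a manifest or compiled class entries identify it
# even when the attachment is named to look like a shipping document.
JAR_MANIFEST = "META-INF/MANIFEST.MF"


def build_sample_message() -> bytes:
    """Construct a sample shipping-themed message (constructed test data, not a
    real campaign sample): one JAR disguised as a PDF and one harmless PDF."""
    msg = EmailMessage()
    msg["From"] = "shipping@example.invalid"   # made-up sender
    msg["To"] = "recipient@example.invalid"    # made-up recipient
    msg["Subject"] = "Shipping documents"
    msg.set_content("Please find the attached shipping documents.")

    # Minimal in-memory JAR: a manifest plus a stub class entry.
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(JAR_MANIFEST, "Manifest-Version: 1.0\nMain-Class: Main\n")
        zf.writestr("Main.class", b"\xca\xfe\xba\xbe" + b"\x00" * 12)
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="pdf",
                       filename="shipping_invoice.pdf")

    # Benign attachment: declared type and content agree.
    msg.add_attachment(b"%PDF-1.4\n%stub document\n", maintype="application",
                       subtype="pdf", filename="packing_list.pdf")
    return msg.as_bytes()


def is_jar(data: bytes) -> bool:
    """True if the bytes are a ZIP archive that looks like a Java archive."""
    if not data.startswith(b"PK"):
        return False
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
    except zipfile.BadZipFile:
        return False
    return JAR_MANIFEST in names or any(n.endswith(".class") for n in names)


def scan_attachments(raw: bytes) -> list:
    """Inspect every attachment's decoded bytes and record whether it is a JAR
    and whether that contradicts the type the sender declared."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True) or b""
        declared = part.get_content_type()
        jar = is_jar(data)
        findings.append({
            "filename": part.get_filename() or "<unnamed>",
            "declared_type": declared,
            "size": len(data),
            "is_jar": jar,
            # Java archive presented under a non-Java content type.
            "type_mismatch": jar and declared not in (
                "application/java-archive", "application/x-java-archive"),
        })
    return findings


def flag_java_attachments(findings: list) -> list:
    """Filenames a gateway should hold for review: any attachment that is a JAR."""
    return [f["filename"] for f in findings if f["is_jar"]]


if __name__ == "__main__":
    results = scan_attachments(build_sample_message())
    for f in results:
        print(f)
    print("flagged:", flag_java_attachments(results))
```

The check deliberately ignores the extension and the declared `Content-Type`; both are chosen by the sender. A practical deployment would extend `is_jar` to nested archives (a JAR inside a ZIP), since that is the obvious way to slip past a top-level test.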