This blog is a follow-up to the StrRAT analysis published earlier on the K7 Labs blog. It covers a new variant of StrRAT whose initial infection vector is made to look as if it originates from a well-known company, in order to confound unsuspecting users. In this case the threat actors pose as Maersk, one of the largest logistics and supply chain services companies, to mislead users and spread their campaign. This is a popular technique among threat actors.

StrRAT is a Java-based Remote Access Trojan with a range of functionality that leaves the user’s machine exposed. Let us now delve into its kill chain.

The Trap

From Figure 1, we can see that both the email source and its content have been spoofed. The sender domain “acalpulps[.]com” and the Reply-To domain “ftqplc[.]in” were registered recently, in Aug 2021 and Oct 2021 respectively.

Figure 1: Phishing email

However, the domain “v[.]al” mentioned in the email no longer resolves.

Unlike previous StrRAT variants, which used intermediate vectors (such as an Excel macro) to download the payload, this time the phishing email itself carries the final payload, and both attached archive files are identical.

Figure 2: Payload attachment
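The three signals described above (a Reply-To domain that differs from the sender domain, domains registered only weeks earlier, and a document-looking attachment that is really a jar) can be checked mechanically at the mail gateway. The following is an added example, not code from the original post or from K7 Labs: it parses a constructed message that reuses only the two domains and the attachment name given in the post, and the registration dates, age threshold and extension list are assumptions standing in for a real WHOIS/RDAP lookup and local policy.

```python
import re
from datetime import date
from email import message_from_string, policy
from email.utils import parseaddr

# Constructed sample modelled on the phishing email in Figure 1. The sender and
# Reply-To domains and the attachment name come from the post; every other
# header value and the attachment body are placeholders, not the real message.
SAMPLE_EMAIL = """\
From: "Maersk Line" <documents@acalpulps.com>
Reply-To: <documents@ftqplc.in>
To: recipient@example.com
Subject: Shipment documents
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="BOUNDARY"

--BOUNDARY
Content-Type: text/plain

Please find the shipment documents attached.
--BOUNDARY
Content-Type: application/java-archive; name="SHIPMENT_DOCUMENTS_INV-PLIST01256_BL PDF.jar"
Content-Disposition: attachment; filename="SHIPMENT_DOCUMENTS_INV-PLIST01256_BL PDF.jar"
Content-Transfer-Encoding: base64

UEsDBAoAAAAAAA==
--BOUNDARY--
"""

# Constructed registration dates standing in for a WHOIS/RDAP lookup: the months
# follow the post (Aug 2021 and Oct 2021); the day of month is a placeholder.
DOMAIN_REGISTERED = {
    "acalpulps.com": date(2021, 8, 15),
    "ftqplc.in": date(2021, 10, 15),
}
MAX_DOMAIN_AGE_DAYS = 180                                            # assumed policy
RISKY_EXTENSIONS = {".jar", ".js", ".vbs", ".exe", ".scr", ".bat"}  # assumed policy
DOCUMENT_WORDS = ("pdf", "doc", "docx", "xls", "xlsx", "invoice")

def domain_of(header_value):
    """Return the lower-cased domain of an address header, or '' if absent."""
    _, addr = parseaddr(str(header_value or ""))
    return addr.rpartition("@")[2].lower()

def attachment_findings(name):
    """Flag executable extensions and names that imitate a document (e.g. '... PDF.jar')."""
    lower = name.lower()
    stem, dot, ext = lower.rpartition(".")
    findings = []
    if dot and "." + ext in RISKY_EXTENSIONS:
        findings.append(f"attachment {name!r} has executable extension .{ext}")
        if stem.rstrip().endswith(DOCUMENT_WORDS):
            findings.append(f"attachment {name!r} imitates a document name")
    return findings

def assess_message(raw, today):
    """Return a list of human-readable findings for one raw RFC 5322 message."""
    msg = message_from_string(raw, policy=policy.default)
    findings = []
    from_dom = domain_of(msg["From"])
    reply_dom = domain_of(msg["Reply-To"])
    # Replies going to a different domain than the visible sender is a classic spoofing tell.
    if reply_dom and reply_dom != from_dom:
        findings.append(f"Reply-To domain {reply_dom} differs from sender domain {from_dom}")
    # Freshly registered sender infrastructure is another strong signal.
    for dom in sorted({from_dom, reply_dom} - {""}):
        registered = DOMAIN_REGISTERED.get(dom)
        if registered is not None and (today - registered).days < MAX_DOMAIN_AGE_DAYS:
            findings.append(f"domain {dom} registered only {(today - registered).days} days ago")
    for part in msg.iter_attachments():
        findings.extend(attachment_findings(part.get_filename() or ""))
    return findings

def demo():
    """Run the checks against the constructed sample as of 1 Dec 2021."""
    return assess_message(SAMPLE_EMAIL, date(2021, 12, 1))

if __name__ == "__main__":
    for finding in demo():
        print("FLAG:", finding)
```

Against the constructed sample this yields five findings: the Reply-To mismatch, one age finding per domain, the executable extension, and the document-imitating name. In production the registration lookup would be replaced by an RDAP query and the thresholds tuned to the organisation's own mail flow.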

Execution 

When executed it starts downloading its dependencies. It also copies itself into another directory.

Figure 3: Downloading the dependencies

Persistence is achieved in two ways: by adding an entry in the Run registry key, and by creating a scheduled task that triggers its execution every 30 minutes. The task name, “Skype”, is hard-coded in the malware.

Figure 4: Registry entry
Figure 5: Task created to achieve persistence

From Figure 6, we can see that the host tries to establish a connection to its C2 server; at the time of writing this blog, the server was offline.

Figure 6: Host trying to connect to its server
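The persistence mechanisms and the C2 connection above give a defender concrete things to hunt for: a Run-key value or scheduled task that launches a jar, a task named “Skype” with a 30-minute repetition, connections to the C2 address, and the payload hash from the IoC list at the end of this post. The following is an added example, not code from the original post or from K7 Labs: it runs those checks over constructed host artifacts (a Run-key export, a task listing, a connection table and a file inventory). The task name, interval, C2 IP and MD5 are taken from the post; the file paths, Run value name, port number and the benign entries are placeholders.

```python
import re

# Indicators from the post's IoC list (the IP is un-defanged for matching).
C2_IPS = {"198.27.77.242"}
PAYLOAD_MD5S = {"4d50a1df28610ffdb925d4a5b7bc6c0a"}
PERSISTENCE_TASK_NAME = "skype"   # hard-coded task name reported in the post
PERSISTENCE_INTERVAL_MIN = 30     # repetition interval reported in the post
# Matches a command line that runs a jar through the Java launcher.
JAR_LAUNCH = re.compile(r"\bjavaw?(?:\.exe)?\b[^\r\n]*\.jar\b", re.IGNORECASE)

# Constructed artifacts. The directory the jar copies itself to is not named in
# the post, so "placeholder" stands in for it; the Run value name and the port
# are placeholders too. The benign entries exist only to show non-matches.
JAR_CMD = (r'"C:\Program Files\Java\jre1.8.0_301\bin\javaw.exe" -jar '
           r'"C:\Users\victim\placeholder\SHIPMENT_DOCUMENTS_INV-PLIST01256_BL PDF.jar"')
RUN_ENTRIES = {
    "OneDrive": r'"C:\Users\victim\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
    "PLACEHOLDER_RUN_VALUE": JAR_CMD,
}
SCHEDULED_TASKS = [
    {"name": "Skype", "interval_min": 30, "action": JAR_CMD},
    {"name": "MicrosoftEdgeUpdateTaskMachineCore", "interval_min": 60,
     "action": r'"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /c'},
]
CONNECTIONS = [                      # (remote ip, remote port, process)
    ("40.99.10.1", 443, "outlook.exe"),
    ("198.27.77.242", 1234, "javaw.exe"),   # port 1234 is a placeholder
]
FILES = {                            # path -> MD5, constructed inventory
    r"C:\Users\victim\Downloads\SHIPMENT_DOCUMENTS_INV-PLIST01256_BL PDF.jar":
        "4D50A1DF28610FFDB925D4A5B7BC6C0A",
    r"C:\Program Files\Java\jre1.8.0_301\lib\rt.jar": "00000000000000000000000000000000",
}

def check_run_entries(entries):
    """Run-key values that launch a jar are unusual for ordinary software."""
    return [f"Run value {name!r} launches a jar: {cmd}"
            for name, cmd in entries.items() if JAR_LAUNCH.search(cmd)]

def check_scheduled_tasks(tasks):
    """Flag the hard-coded StrRAT task signature and any task whose action runs a jar."""
    hits = []
    for task in tasks:
        reasons = []
        if (task["name"].lower() == PERSISTENCE_TASK_NAME
                and task["interval_min"] == PERSISTENCE_INTERVAL_MIN):
            reasons.append("name and 30-minute trigger match the StrRAT persistence task")
        if JAR_LAUNCH.search(task["action"]):
            reasons.append("action launches a jar")
        if reasons:
            hits.append(f"task {task['name']!r}: " + "; ".join(reasons))
    return hits

def check_connections(conns):
    """Match remote addresses against the known C2 IP."""
    return [f"{proc} connected to known C2 {ip}:{port}"
            for ip, port, proc in conns if ip in C2_IPS]

def check_files(files):
    """Match file hashes (case-insensitively) against the payload MD5."""
    return [f"{path} matches StrRAT payload hash {md5.lower()}"
            for path, md5 in files.items() if md5.lower() in PAYLOAD_MD5S]

def scan_host(run_entries, tasks, conns, files):
    """Aggregate all findings for one host."""
    return (check_run_entries(run_entries) + check_scheduled_tasks(tasks)
            + check_connections(conns) + check_files(files))

if __name__ == "__main__":
    for finding in scan_host(RUN_ENTRIES, SCHEDULED_TASKS, CONNECTIONS, FILES):
        print("FLAG:", finding)
```

On a real host the four inputs would come from a registry export, the Task Scheduler listing, a netstat or EDR connection table and a hashing sweep; a genuine Skype installation that happens to use a 30-minute task would still be surfaced by the name-and-interval rule, which is why the task's action is reported alongside it for triage.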

Analysis

Let’s look into the underlying obfuscated code. The extracted zip file contains a jar, which is the payload. The classes are named with single letters so that they reveal as little as possible about the functionality. After decrypting the config file present inside the jar, we can see the details of its C2 server.

Figure 7: Decrypted config file containing information about the C2 server

The licence ID contains the name ‘Khonsari’, which is interesting because Khonsari is a ransomware family that was delivered using Log4Shell exploits. Apart from the name in the config file, however, no relation was identified between the two malware families.

The IP address 198[.]27[.]77[.]242 of the C2 server has been reported multiple times on AbuseIPDB.

Figure 8: C2 server IP has been reported

Last time, the jar file had two layers of obfuscation, i.e. Superblaubeere and Allatori; this time only one layer of obfuscation was applied to the jar file, and it can be deobfuscated.

Figure 9: Type of obfuscation
Figure 10: Successful deobfuscation

The figure below shows the deobfuscated code for the Java dependencies that are downloaded when the jar file is executed.

Figure 11: Links of the dependencies mentioned in the code

One of the class files contains the many commands that can be executed on the compromised machine.

Figure 12: Commands that can be executed

It also retrieves Windows credentials from the machine, as shown in Figure 13.

Figure 13: Code to retrieve Windows credentials

It then proceeds to check the user profiles available on the machine. The string array shows that it can also infect machines configured with other languages, such as French, Spanish and German.

Figure 14: Code to check the user profiles

It can also achieve remote control through the HRDP remote access tool. Keystrokes on the machine are monitored using the GlobalKeyAdapter class.

Figure 15: Keylogging, HRDP connection, startup list check

It also retrieves data from the host such as the architecture, Windows version and antivirus information.

Figure 16: Code to retrieve host information

We at K7 Labs provide detection against the latest threats, including this newer variant of StrRAT. Users are advised to use a reliable security product such as K7 Total Security and keep it up to date so as to safeguard their devices.

Indicators of Compromise (IoCs)

Hash : 4d50a1df28610ffdb925d4a5b7bc6c0a

File name : SHIPMENT_DOCUMENTS_INV-PLIST01256_BL PDF.jar

Detection Name : Trojan ( 0001140e1 )

C2 Server IP : 198[.]27[.]77[.]242
