StrRAT, a java based remote access Trojan is being spread using excel files. The primary infection vector is a malicious attachment from targeted email campaigns. Once the attachment is opened and the user enables the macro when the pop up arises, the malicious macro tries to download a file named “esfsdghfrzeqsdffgfrtsfd.zip” from the URL as shown in Fig.1.

We noticed that this excel file was already  submitted to the MalwareBazaar, a malware sample exchange site, and the macro’s contents were found to be deobfuscated and shared by another user  in the comments section.

Figure 1: Macro content after deobfuscation (from MalwareBazaar’s comments section)
Figure 2: The excel creates a powershell process to download the payload zip file

The downloaded zip contains java files and a malicious jar file “i.e x.jar”, which gets executed automatically once downloaded by the “sys.cmd” file.

Figure 3: Contents of zip file and command in “sys.cmd” to execute the x.jar file

We also noticed that the jar file has random class names and a config.txt file which appears to be encrypted. This encryption technique is common across StrRAT variants.  We decrypted the contents using StrRATConfigDecrypt.jar.  Upon decryption, we were able to see the information about its C2 server.

Figure 4: Decrypted config file containing information about the C2 server

We can see that the malicious jar file used the Allatori obfuscation method when executed in a CLI. Also it tries to download other malicious components to aid its function. One of them is system-hook jar, which can be used to spy on keyboard and mouse activities.

Figure 5: x.jar tries to download other components that it needs

We can use the Java deobfuscator to see the actual contents of the file. When used we can see it has two obfuscations done over that jar file.

  1. Superblaubeere
  2. Allatori
Figure 6: Types of obfuscation done 
Figure 7: Successful deobfuscation of the file

When we analyze the x.jar file, it contains several .class files having random meaningless names. In the main.class file where the code usually begins, we can see some dependencies have been mentioned, one such is system-hook-3.5.jar(it helps the malware to record mouse and keyboard activities). There is also a suspicious URL mentioned which could probably be used to call the server and the query part would be constructed  at runtime.

Figure 8: Deobfuscated code

There’s a pastebin link mentioned in the code. When checked it contains the C2 server url.

Figure 9: Pastebin url mentioned in the code
Figure 10: Content stored in the mentioned pastebin link

We can also see a command to create scheduled tasks with the name of “Skype” to attain persistence.

Runtime.getRuntime().exec(String.valueOf((new StringBuilder()).insert(0, “cmd /c schtasks /create /sc minute /mo 30 /tn Skype /tr \””).append(str5).append(“\””)));

The jar contains several .class files for various malware functionalities. One such .class file contains several commands such as reboot, shutdown, download, execute, remote powershell etc. This file is larger in size than the other class files in the jar.

Figure 11: Commands that can be executed in a compromised machine

Another interesting ability of this malware is to act like ransomware. It does not encrypt the actual file but appends ‘crimson’ to the file name.

Figure 12: Crimson reference in the code

After getting executed  the x.jar connects to its C2 server and sends information about the host like OS, architecture, AV details, country etc.

Figure 13: The query part of the URL mentioned in the main.class is now constructed
Figure 14: Resolved malicious domains
Figure 15: Infected traffic contains host information

Even if the host doesn’t have Java installed it wouldn’t stall this malware as it comes with a Java package thereby enabling it to do its deed anyway. It steals system information and provides a backdoor for remote access posing a serious threat to victims.

We at K7 have ensured detection for such malware. Use a reputed security product like K7 Total Security and Ensure it is updated to get the latest definitions. Also avoid enabling macros in MS Excel by default.

Indicators of Compromise (IoCs)

Hash: f148e9a2089039a66fa624e1ffff5ddc5ac5190ee9fdef35a0e973725b60fbc9

File name : purchase order-419617892#..xlsb

Detection Name : Trojan ( 0001140e1 )

URLs 

hxxp(:)//54(.)202(.)26(.)55(/)esfsdghfrzeqsdffgfrtsfd(.)zip

hxxp(:)//jbfrost(.)live(/)strigoi(/)server(/)?hwid=1

hxxp(:)//idgerowner(.)duckdns(.)org

Like what you're reading? Subscribe to our top stories.

If you want to subscribe to our monthly newsletter, please submit the form below.

    0 replies on “StrRAT: Java based RAT Vectored by Excel Macros”