Microsoft Warns of Information Stealing Malware That Pretends to Be Ransomware

ransomware malware

Microsoft on Thursday warned of a “huge electronic mail marketing campaign” that is pushing a Java-based STRRAT malware to steal confidential information from contaminated techniques whereas disguising itself as a ransomware an infection.

“This RAT is notorious for its ransomware-like habits of appending the file identify extension .crimson to information with out really encrypting them,” the Microsoft Safety Intelligence crew said in a sequence of tweets.

The brand new wave of assaults, which the corporate noticed final week, commences with spam emails despatched from compromised electronic mail accounts with “Outgoing Funds” within the topic line, luring the recipients into opening malicious PDF paperwork that declare to be remittances, however in actuality, hook up with a rogue area to obtain the STRRAT malware.

password auditor

Apart from establishing connections to a command-and-control server throughout execution, the malware comes with a spread of options that enable it to gather browser passwords, log keystrokes, and run distant instructions and PowerShell scripts.

STRRAT first emerged within the menace panorama in June 2020, with German cybersecurity agency G Information observing the Home windows malware (model 1.2) in phishing emails containing malicious Jar (or Java Archive) attachments.

“The RAT has a give attention to stealing credentials of browsers and electronic mail shoppers, and passwords by way of keylogging,” G Information malware analyst Karsten Hahn detailed. “It helps the next browsers and electronic mail shoppers: Firefox, Web Explorer, Chrome, Foxmail, Outlook, Thunderbird.”

Its ransomware capabilities are at finest rudimentary in that the “encryption” stage solely renames information by suffixing the “.crimson” extension. “If the extension is eliminated, the information could be opened as standard,” Kahn added.

Microsoft additionally notes that model 1.5 is extra obfuscated and modular than earlier variations, suggesting that the attackers behind the operation are actively working to improvise their toolset. However the truth that the bogus encryption habits stays unchanged alerts that the group could also be aiming to make fast cash off unsuspecting customers by the use of extortion.

The symptoms of compromise (IoCs) related to the marketing campaign could be accessed by way of GitHub here.

Source link