This massive phishing campaign delivers password-stealing malware disguised as ransomware

Java-based STRRAT malware creates a backdoor into infected machines - but distracts victims by acting like ransomware.
Written by Danny Palmer, Senior Writer on

A massive phishing campaign is distributing what looks like ransomware but is in fact trojan malware that creates a backdoor into Windows systems to steal usernames, passwords and other information from victims.

Detailed by cybersecurity researchers at Microsoft, the latest version of the Java-based STRRAT malware is being sent out via a large email campaign, which uses compromised email accounts to distribute messages claiming to be related to payments, alongside an image posing as a PDF attachment that looks like it has information about the supposed transfer.

When the user opens this file, they're connected to a malicious domain that downloads STRRAT malware onto the machine.

SEE: A winning strategy for cybersecurity (ZDNet special report) | Download the report as a PDF (TechRepublic)

The updated version of the malware is what researchers describe as "notably more obfuscated and modular than previous versions", but it retains the same backdoor functions, including the ability to collect passwords, log keystrokes, run remote commands and PowerShell, and more – ultimately giving the attacker full control over the infected machine.

As part of the infection process, the malware adds a .crimson file name extension to files in an attempt to make the attack look like ransomware – although no files are actually encrypted.

This could be an attempt to distract the victim and hide the fact that the PC has actually been compromised with a remote access trojan – a highly stealthy form of malware, as opposed to a much more overt ransomware attack.

It's likely that this spam campaign – or similar phishing campaigns – is still active as cyber criminals continue attempts to distribute STRRAT malware to more victims.

Given how the malware is able to gain access to usernames and passwords, it's possible that anyone who's system becomes infected could see their email account abused by attackers in an effort to further spread STRRAT with new phishing emails.

SEE: Ransomware just got very real. And it's likely to get worse

However, as the malware campaign relies on phishing emails, there are steps that can be taken to avoid becoming a new victim of the attack. These include being wary of unexpected or unusual messages – particularly those that appear to offer a financial incentive – as well as taking caution when it comes to opening emails and attachments being delivered from strange or unknown email addresses.

Using antivirus software to detect and identify threats can also help prevent malicious emails from landing in inboxes in the first place, removing the risk of someone opening the message and clicking the malicious link.


Editorial standards