{"id":17996,"date":"2022-02-02T10:19:12","date_gmt":"2022-02-02T18:19:12","guid":{"rendered":"https:\/\/www.palada.net\/index.php\/2022\/02\/02\/news-11729\/"},"modified":"2022-02-02T10:19:12","modified_gmt":"2022-02-02T18:19:12","slug":"news-11729","status":"publish","type":"post","link":"https:\/\/www.palada.net\/index.php\/2022\/02\/02\/news-11729\/","title":{"rendered":"New STRRAT RAT Phishing Campaign"},"content":{"rendered":"<div class=\"aem-Grid aem-Grid--12 aem-Grid--default--12\">\n<div class=\"raw-import aem-GridColumn aem-GridColumn--default--12\">\n<div class=\"text-container\"><\/div>\n<\/p><\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<h2><a href=\"https:\/\/www.fortinet.com\/fortiguard\/labs.html?utm_source=blog&amp;utm_medium=campaign&amp;utm_campaign=FortiGuardLabs\">FortiGuard Labs<\/a>\u00a0Threat Research Report<\/h2>\n<p><b>Affected Platforms: <\/b>Windows<br \/> <b>Impacted Users<\/b>: Windows users<br \/> <b>Impact:<\/b> Collects sensitive information from the compromised end point<br \/> <b>Severity Level:<\/b> Medium <\/p>\n<p>Shipping is an indispensable part of modern life. 
It is the lifeblood of the global economy, with numerous large companies (and their equally large container ships) perpetually moving goods from one corner of the earth to the other to provide consumers and industries with the necessities of life.<\/p>\n<p>Due to the critical importance of shipping and receiving goods to most organizations, threat actors often use shipping as a lure for phishing emails\u2014such as false invoices, changes in shipping delivery, or notices related to a fictitious purchase\u2014to entice recipients into opening malicious attachments and inadvertently downloading malware.<\/p>\n<p>FortiGuard Labs recently came across an example of such an email, which was subsequently found to harbor a variant of the STRRAT malware as an attachment.<\/p>\n<p>This blog will detail the deconstruction of the phishing email and its malicious payload.<\/p>\n<h3>Examining the phishing email<\/h3>\n<p>STRRAT is a multi-capability Remote Access Trojan that dates to at least mid-2020. Unusually, it is Java-based and is typically delivered via phishing email to victims.<\/p>\n<p>Like most phishing attacks, previous STRRAT campaigns have used an intermediate dropper (e.g., a malicious Excel macro) attached to the email that downloads the final payload when opened. This sample dispenses with that tactic and instead attaches the final payload directly to the phishing email.<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn--default--9 aem-GridColumn aem-GridColumn--offset--default--1\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/blog\/threat-research\/new-strrat-rat-phishing-campaign\/_jcr_content\/root\/responsivegrid\/image.img.png\/1642636926977\/img1.png\" alt=\"Figure 1. Spoofed email sender and subject\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 1. 
Spoofed email sender and subject<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>As Figure 1 shows, this sample is clearly not from Maersk Shipping. The threat actors are hoping that recipients do not look too closely. Digging into the email headers further, the full trail of where the email has come from becomes apparent:<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn aem-GridColumn--default--8 aem-GridColumn--offset--default--2\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/blog\/threat-research\/new-strrat-rat-phishing-campaign\/_jcr_content\/root\/responsivegrid\/image_773355679.img.png\/1642636965168\/img2.png\" alt=\"Figure 2. Email headers\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 2. Email headers<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>After departing the sender\u2019s local infrastructure, the message eventually routes through \u201cacalpulps[.]com\u201d before being delivered to the final recipient. This domain was only registered in August 2021, making the domain somewhat suspicious. 
Additionally, the domain used in the \u201cReply-To\u201d address, \u201cftqplc[.]in\u201d, was also recently registered (October 2021), making it also highly suspect.<\/p>\n<p>The email body encourages the recipient to open attachments about a scheduled shipment.<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn aem-GridColumn--default--8 aem-GridColumn--offset--default--2\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/blog\/threat-research\/new-strrat-rat-phishing-campaign\/_jcr_content\/root\/responsivegrid\/image_908942646.img.png\/1642024199504\/img3.png\" alt=\"Figure 3. Email body\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 3. Email body<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>As of the publish date of this blog, the domain \u201cv[.]al\u201d included in the body of the letter does not resolve.\u00a0<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn aem-GridColumn--default--10 aem-GridColumn--offset--default--1\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/blog\/threat-research\/new-strrat-rat-phishing-campaign\/_jcr_content\/root\/responsivegrid\/image_2074016672.img.png\/1642024246455\/img4.png\" alt=\"Figure 4. Email attachments\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 4. Email attachments<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>Attached directly to the sample email are a PNG image and two Zip archives. \u201cmaersk.png\u201d is just an image file, as shown in Figure 4. 
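The header observations made above (a display name that claims one organisation while the address domain belongs to another, a Reply-To on a third and recently registered domain, and a first relay that is not the claimed brand's infrastructure) can be turned into a repeatable triage check. The following Python is an added example and not code from the FortiGuard post: the raw message is constructed around the two addresses the post publishes, the Received chain, IP address and timestamps are invented, and the registration dates are placeholders standing in for the WHOIS/RDAP lookup the script deliberately does not perform.

```python
"""Header triage for a shipping-themed phishing email.

Added example, not code from the FortiGuard post. It automates the checks
the analysis made by hand: a display name that claims one organisation
while the address belongs to another, a Reply-To on a third domain, a first
relay outside the claimed brand's infrastructure, and sender domains that
were registered only months before the message.
"""
from datetime import date
from email import message_from_string, policy
from email.utils import parseaddr, parsedate_to_datetime

# CONSTRUCTED sample: the two addresses are the post's published IOCs; the
# Received chain, IP, Date and body are invented for the example.
SAMPLE_EMAIL = """\
Received: from mail.acalpulps.com (mail.acalpulps.com [203.0.113.10])
\tby mx.example.net with ESMTP; Wed, 12 Jan 2022 09:14:02 -0800
Received: from [10.0.0.25] by mail.acalpulps.com with ESMTPA;
\tWed, 12 Jan 2022 09:13:58 -0800
From: "Maersk Shipping" <shipping@acalpulps.com>
Reply-To: exports@ftqplc.in
To: imports@example.net
Subject: SHIPMENT DOCUMENTS INV-PLIST01256 / BL
Date: Wed, 12 Jan 2022 09:13:55 -0800
Content-Type: text/plain

Please find attached the documents for your scheduled shipment.
"""

# ASSUMED: stands in for a WHOIS/RDAP lookup. The post gives only the months
# (August and October 2021); the day values are placeholders.
REGISTRATION_DATES = {
    "acalpulps.com": date(2021, 8, 1),
    "ftqplc.in": date(2021, 10, 1),
}

# Brands this organisation expects mail from, and the domains they really use.
KNOWN_BRANDS = {"maersk": {"maersk.com"}}

YOUNG_DOMAIN_DAYS = 180


def domain_of(address):
    """Lower-cased domain part of an RFC 5322 address ('' if none)."""
    _, addr = parseaddr(address)
    return addr.rpartition("@")[2].lower()


def in_domains(host, domains):
    """True if host is one of domains or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in domains)


def first_relay(msg):
    """Host named in the topmost Received header: the hop our own MX recorded."""
    for received in msg.get_all("Received", []):
        parts = received.split()
        if len(parts) > 1 and parts[0].lower() == "from":
            return parts[1].lower()
    return ""


def triage(raw, reg_dates=REGISTRATION_DATES, today=None):
    """Return a list of findings; an empty list means nothing looked off."""
    msg = message_from_string(raw, policy=policy.default)
    findings = []
    display, _ = parseaddr(msg["From"] or "")
    from_dom = domain_of(msg["From"] or "")
    reply_dom = domain_of(msg["Reply-To"] or "")
    ref_day = today or parsedate_to_datetime(msg["Date"]).date()
    claimed = {b for b in KNOWN_BRANDS if b in display.lower()}

    for brand in claimed:
        real = KNOWN_BRANDS[brand]
        # 1. Display name invokes the brand but the address domain is not theirs.
        if not in_domains(from_dom, real):
            findings.append(f"display name claims {brand} but From domain is {from_dom}")
        # 2. The MTA that handed us the mail is not the brand's either.
        relay = first_relay(msg)
        if relay and not in_domains(relay, real):
            findings.append(f"first relay {relay} is outside {brand}'s domains")

    # 3. Replies are diverted to a different domain than the one that sent the mail.
    if reply_dom and reply_dom != from_dom:
        findings.append(f"Reply-To domain {reply_dom} differs from From domain {from_dom}")

    # 4. Young domains, judged against the message date.
    for dom in sorted({from_dom, reply_dom} - {""}):
        registered = reg_dates.get(dom)
        if registered is not None:
            age = (ref_day - registered).days
            if age < YOUNG_DOMAIN_DAYS:
                findings.append(f"{dom} was registered {age} days before this message")

    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_EMAIL):
        print("-", finding)
```

Only the topmost Received header is trusted, since it is the one the receiving MX wrote itself; everything below it was supplied by the sender and can be forged. In production the REGISTRATION_DATES table would be replaced by a live RDAP query.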
The two Zip archives, \u201cSHIPMENT_DOCUMENTS_INV-PLIST01256_BL PDF[.]zip\u201d and \u201cSHIPMENT_DOCUMENTS_INV-PLIST01256_BL PDF (2)[.]zip\u201d, however, contain an embedded copy of STRRAT.<\/p>\n<h3>Examining the STRRAT attachment<\/h3>\n<div>\u201cSHIPMENT_DOCUMENTS_INV-PLIST01256_BL PDF[.]zip\u201d and \u201cSHIPMENT_DOCUMENTS_INV-PLIST01256_BL PDF (2)[.]zip\u201d are identical files, as can be seen through their respective SHA256 hash values.<\/div>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn aem-GridColumn--default--10 aem-GridColumn--offset--default--1\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/blog\/threat-research\/new-strrat-rat-phishing-campaign\/_jcr_content\/root\/responsivegrid\/image_839780822.img.png\/1642026486989\/img5.png\" alt=\"Figure 5. SHA256 hash of \u201cSHIPMENT_DOCUMENTS_INV-PLIST01256_BL PDF[.]zip\u201d\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 5. SHA256 hash of \u201cSHIPMENT_DOCUMENTS_INV-PLIST01256_BL PDF[.]zip\u201d<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p class=\"cq-text-placeholder-ipe\" data-emptytext=\"Text\">\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn aem-GridColumn--default--10 aem-GridColumn--offset--default--1\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/blog\/threat-research\/new-strrat-rat-phishing-campaign\/_jcr_content\/root\/responsivegrid\/image_473482104.img.png\/1642024383339\/img6.png\" alt=\"Figure 6. SHA256 hash of \u201cSHIPMENT_DOCUMENTS_INV-PLIST01256_BL PDF (2)[.]zip\u201d\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 6. 
SHA256 hash of \u201cSHIPMENT_DOCUMENTS_INV-PLIST01256_BL PDF (2)[.]zip\u201d<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>Unzipping either archive yields the file \u201cSHIPMENT_DOCUMENTS_INV-PLIST01256_BL PDF[.]jar\u201d. Opening that file in Jar Explorer makes a few things immediately apparent.<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn aem-GridColumn--default--10 aem-GridColumn--offset--default--1\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/blog\/threat-research\/new-strrat-rat-phishing-campaign\/_jcr_content\/root\/responsivegrid\/image_1908828357.img.png\/1642026583974\/img7.png\" alt=\"Figure 7. Initial view of \u201cSHIPMENT_DOCUMENTS_INV-PLIST01256_BL PDF[.]jar\u201d in Jar Explorer\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 7. Initial view of \u201cSHIPMENT_DOCUMENTS_INV-PLIST01256_BL PDF[.]jar\u201d in Jar Explorer<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>Firstly, the package contains a large number of Java class files. Secondly, the strings in the class \u201cFirstRun\u201d appear to be scrambled or encoded. 
Lines that are appended with \u201cALLATORIxDEMO\u201d indicate the presence of the Allatori Java Obfuscator.<\/p>\n<p>This can be validated by attempting to execute the jar file.<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn aem-GridColumn--default--8 aem-GridColumn--offset--default--2\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/blog\/threat-research\/new-strrat-rat-phishing-campaign\/_jcr_content\/root\/responsivegrid\/image_722324993.img.png\/1642026668309\/img8.png\" alt=\"Figure 8. Splash screen shown when attempting to execute \u201cSHIPMENT_DOCUMENTS_INV-PLIST01256_BL PDF[.]jar\u201d\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 8. Splash screen shown when attempting to execute \u201cSHIPMENT_DOCUMENTS_INV-PLIST01256_BL PDF[.]jar\u201d<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p style=\"text-align: left;\">Confirming that this has been obfuscated using Allatori helps in the analysis process as open-source tools are available that can roll this back and reveal the actual content inside the jar file. 
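Before reaching for a deobfuscator, the same facts (a large number of class files, the ALLATORIxDEMO watermark, and a config.txt that is still unreadable once its Base64 layer is removed) can be confirmed without executing the jar, because a .jar is just a zip archive. The following Python is an added example, not code from the FortiGuard post or from STRRAT: it builds a stand-in jar in memory whose class entries are the 0xCAFEBABE magic plus filler bytes rather than real bytecode, with the watermark planted in one of them and a config.txt of Base64-wrapped random bytes, then runs the triage against it. Point triage_jar() at the bytes of a real sample to use it.

```python
"""Static triage of a suspicious .jar before running it.

Added example, not code from the FortiGuard post or from STRRAT. A .jar is a
zip archive, so the observations the post makes in Jar Explorer can be
checked with the standard library: the manifest's Main-Class, how many class
files ship in the package, whether any class body carries the 'ALLATORIxDEMO'
watermark that identifies the Allatori demo obfuscator, and whether the
bundled config.txt is still unreadable after its Base64 layer is removed.
"""
import base64
import io
import random
import zipfile

ALLATORI_MARKER = b"ALLATORIxDEMO"


def build_sample_jar():
    """CONSTRUCTED stand-in for the sample: fake classes, not real bytecode."""
    rng = random.Random(2022)  # deterministic filler bytes
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as jar:
        jar.writestr("META-INF/MANIFEST.MF",
                     "Manifest-Version: 1.0\r\nMain-Class: FirstRun\r\n\r\n")
        # Class-file magic (0xCAFEBABE) plus filler; one class carries the watermark.
        jar.writestr("FirstRun.class", b"\xca\xfe\xba\xbe" + bytes(32) + ALLATORI_MARKER)
        for i in range(40):
            jar.writestr(f"c{i}.class", b"\xca\xfe\xba\xbe" + rng.randbytes(24))
        # Base64 around bytes that are NOT text: one layer of decoding yields ciphertext-like data.
        jar.writestr("config.txt", base64.b64encode(rng.randbytes(96)))
    return buf.getvalue()


def looks_like_text(data, threshold=0.9):
    """True when at least `threshold` of the bytes are printable ASCII or whitespace."""
    if not data:
        return False
    printable = sum(1 for b in data if 0x20 <= b < 0x7F or b in b"\t\r\n")
    return printable / len(data) >= threshold


def triage_jar(jar_bytes):
    """Collect the facts an analyst wants before choosing a deobfuscator."""
    report = {
        "main_class": None,
        "class_count": 0,
        "allatori_classes": [],
        "config_present": False,
        "config_decodes": False,
        "config_decoded_len": 0,
        "config_plaintext": False,
    }
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        names = jar.namelist()
        if "META-INF/MANIFEST.MF" in names:
            manifest = jar.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
            for line in manifest.splitlines():
                if line.startswith("Main-Class:"):
                    report["main_class"] = line.split(":", 1)[1].strip()
        for name in names:
            if name.endswith(".class"):
                report["class_count"] += 1
                if ALLATORI_MARKER in jar.read(name):
                    report["allatori_classes"].append(name)
        if "config.txt" in names:
            report["config_present"] = True
            try:
                decoded = base64.b64decode(jar.read("config.txt").strip(), validate=True)
            except ValueError:
                decoded = b""
            if decoded:
                report["config_decodes"] = True
                report["config_decoded_len"] = len(decoded)
                # Still scrambled after Base64 means another layer (in STRRAT's case AES) sits underneath.
                report["config_plaintext"] = looks_like_text(decoded)
    return report


if __name__ == "__main__":
    for key, value in triage_jar(build_sample_jar()).items():
        print(f"{key}: {value}")
```

A config_plaintext value of False after a successful Base64 decode is the cue, as in the post, to go looking in the code for the key and cipher that protect the next layer rather than trying further encodings.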
Java Deobfuscator (<a href=\"https:\/\/github.com\/java-deobfuscator\/deobfuscator\" target=\"_blank\">https:\/\/github.com\/java-deobfuscator\/deobfuscator<\/a>) works particularly well against Allatori and successfully restores the original string content, as shown below.<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn aem-GridColumn--default--10 aem-GridColumn--offset--default--1\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/blog\/threat-research\/new-strrat-rat-phishing-campaign\/_jcr_content\/root\/responsivegrid\/image_846076453.img.png\/1642026744615\/img9.png\" alt=\"Figure 9. The same view of class \u201cFirstRun\u201d now deobfuscated\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 9. The same view of class \u201cFirstRun\u201d now deobfuscated<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>Independently encoded from the class files in STRRAT is the configuration file (config.txt). On first view, it is base 64 encoded, as shown in Figure 10.<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn aem-GridColumn--default--10 aem-GridColumn--offset--default--1\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/blog\/threat-research\/new-strrat-rat-phishing-campaign\/_jcr_content\/root\/responsivegrid\/image_1677959814.img.png\/1642095266317\/img10.png\" alt=\"Figure 10. Base 64 encoded \u201cconfig.txt\u201d\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 10. 
Base 64 encoded \u201cconfig.txt\u201d<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>When decoded, the file is unfortunately still scrambled.<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn aem-GridColumn--default--10 aem-GridColumn--offset--default--1\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/blog\/threat-research\/new-strrat-rat-phishing-campaign\/_jcr_content\/root\/responsivegrid\/image_280194434.img.png\/1642095291373\/img11.png\" alt=\"Figure 11. \u201cDecoded\u201d configuration file\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 11. \u201cDecoded\u201d configuration file<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>By searching the code for \u201cconfig.txt,\u201d we can see that the configuration file was encrypted using AES and uses the passphrase of \u201cstrigoi.\u201d Decrypting the config file now becomes possible.<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn aem-GridColumn--default--10 aem-GridColumn--offset--default--1\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/blog\/threat-research\/new-strrat-rat-phishing-campaign\/_jcr_content\/root\/responsivegrid\/image_235354795.img.png\/1642095314636\/img12.png\" alt=\"Figure 12. Decrypted configuration file\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 12. 
Decrypted configuration file<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>The final item in the line in Figure 12 was of particular interest, as this sample appeared during the height of the Log4Shell event. Khonsari was the name of a ransomware variant taking advantage of that particular vulnerability. Here, though, the word functions as a software key, and there is no evidence of any link between the two pieces of malware.<\/p>\n<p>Most malware strains have a requirement to maintain persistence across reboots and sessions so they can complete tasks they\u2019ve been set. STRRAT accomplishes this by copying itself into a new directory and then adding entries to the Windows registry to run at system startup.<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn aem-GridColumn--default--10 aem-GridColumn--offset--default--1\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/blog\/threat-research\/new-strrat-rat-phishing-campaign\/_jcr_content\/root\/responsivegrid\/image_1505596550.img.png\/1642027024847\/img13.png\" alt=\"Figure 13. Code to modify the registry\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 13. 
Code to modify the registry<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p class=\"cq-text-placeholder-ipe\" data-emptytext=\"Text\">\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn aem-GridColumn--default--10 aem-GridColumn--offset--default--1\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/blog\/threat-research\/new-strrat-rat-phishing-campaign\/_jcr_content\/root\/responsivegrid\/image_488543393.img.png\/1642027050128\/img14.png\" alt=\"Figure 14. Modified registry\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 14. Modified registry<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>STRRAT queries the host to determine its architecture and anti-virus capability on startup. It also queries running processes, local storage, and network capability.<\/p>\n<p>In terms of capabilities, STRRAT can log keystrokes and maintain an HTML-based log to store items of interest.<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn aem-GridColumn--default--10 aem-GridColumn--offset--default--1\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/blog\/threat-research\/new-strrat-rat-phishing-campaign\/_jcr_content\/root\/responsivegrid\/image_512091878.img.png\/1642027095411\/img15.png\" alt=\"Figure 15. Code to create the keyboard log file\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 15. 
Code to create the keyboard log file<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p class=\"cq-text-placeholder-ipe\" data-emptytext=\"Text\">\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn aem-GridColumn--default--8 aem-GridColumn--offset--default--2\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/blog\/threat-research\/new-strrat-rat-phishing-campaign\/_jcr_content\/root\/responsivegrid\/image_1305048648.img.png\/1642027128921\/img16.png\" alt=\"Figure 16. Keyboard log file ready to be populated\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 16. Keyboard log file ready to be populated<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>STRRAT can also facilitate the remote control of an infected system by dropping HRDP \u2013 a remote access tool.<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn aem-GridColumn--default--10 aem-GridColumn--offset--default--1\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/blog\/threat-research\/new-strrat-rat-phishing-campaign\/_jcr_content\/root\/responsivegrid\/image_773963544.img.png\/1642027188971\/img17.png\" alt=\"Figure 17. HRDP\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 17. 
HRDP<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>Additional capabilities include siphoning passwords from browsers, such as Chrome, Firefox, and Microsoft Edge, and email clients, like Outlook, Thunderbird, and Foxmail.<\/p>\n<p>One of the more curious modules present in STRRAT is its pseudo-ransomware ability.<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn aem-GridColumn--default--10 aem-GridColumn--offset--default--1\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/blog\/threat-research\/new-strrat-rat-phishing-campaign\/_jcr_content\/root\/responsivegrid\/image_791392119.img.png\/1642027240651\/img18.png\" alt=\"Figure 18. Pseudo-ransomware module\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 18. Pseudo-ransomware module<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>The code cycles through files in the user\u2019s home directories and appends a file extension of \u201c.crimson\u201d to them. No encryption of the files is undertaken, making this only suitable as a decoy or perhaps as a scare tactic against less savvy users. 
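Because the module renames rather than encrypts, recovery is a rename back, with two cautions: never overwrite a file that already exists under the original name, and sanity-check each recovered file against the header bytes its extension implies so that a file damaged by something else is not mistaken for a clean restore. The following Python is an added example and not code from the FortiGuard post: it builds a constructed victim directory under a temporary folder (file contents and the small magic-byte table are placeholders chosen for the demo), recovers it, and cleans up.

```python
"""Reverse STRRAT's pseudo-ransomware renaming.

Added example, not code from the FortiGuard post. The post's finding is that
the module only appends '.crimson' to files under the user's home directory
and never encrypts them, so recovery is a rename back. Two cautions are built
in: an existing file under the original name is never overwritten, and each
recovered file is compared against the header bytes its extension implies,
so a file damaged by something else is not mistaken for a clean restore.
"""
import shutil
import tempfile
from pathlib import Path

SUFFIX = ".crimson"

# ASSUMED minimal magic table for the demo; extend it for real triage.
MAGIC = {
    ".pdf": b"%PDF",
    ".png": b"\x89PNG",
    ".jpg": b"\xff\xd8\xff",
    ".docx": b"PK\x03\x04",
    ".xlsx": b"PK\x03\x04",
    ".zip": b"PK\x03\x04",
}


def header_ok(path, original_suffix):
    """None if no magic is known for the type, else whether the file's header matches."""
    expected = MAGIC.get(original_suffix.lower())
    if expected is None:
        return None
    with path.open("rb") as fh:
        return fh.read(len(expected)) == expected


def recover_crimson(root, dry_run=False):
    """Strip SUFFIX from every file below root; return what was (or would be) done."""
    root = Path(root)
    summary = {"restored": [], "skipped_exists": [], "header_mismatch": []}
    for path in sorted(root.rglob("*" + SUFFIX)):
        if not path.is_file():
            continue
        target = path.with_name(path.name[: -len(SUFFIX)])
        if target.exists():
            # The original may have survived, or two names collide; leave it for a human.
            summary["skipped_exists"].append(str(path))
            continue
        if header_ok(path, target.suffix) is False:
            summary["header_mismatch"].append(str(target))
        if not dry_run:
            path.rename(target)
        summary["restored"].append(str(target))
    return summary


def build_sample_tree():
    """CONSTRUCTED victim directory in a temp folder: contents are placeholders."""
    root = Path(tempfile.mkdtemp(prefix="crimson_demo_"))
    docs = root / "Documents"
    docs.mkdir()
    (docs / "invoice.pdf.crimson").write_bytes(b"%PDF-1.7\n% placeholder\n")
    (docs / "photo.png.crimson").write_bytes(b"\x89PNG\r\n\x1a\n")
    (docs / "notes.txt.crimson").write_bytes(b"plain text has no magic to check")
    # Collision: the original still exists next to its renamed twin.
    (docs / "report.docx").write_bytes(b"PK\x03\x04original")
    (docs / "report.docx.crimson").write_bytes(b"PK\x03\x04copy")
    # Wrong header: something other than a rename happened to this one.
    (docs / "scan.jpg.crimson").write_bytes(b"\x00\x00 not a jpeg")
    return root


def run_demo():
    """Build the sample tree, recover it, and report the outcome (cleans up after itself)."""
    root = build_sample_tree()
    try:
        summary = recover_crimson(root)
        docs = root / "Documents"
        return {
            "restored": sorted(Path(p).name for p in summary["restored"]),
            "skipped": [Path(p).name for p in summary["skipped_exists"]],
            "mismatch": [Path(p).name for p in summary["header_mismatch"]],
            "invoice_is_pdf": (docs / "invoice.pdf").read_bytes().startswith(b"%PDF"),
            "crimson_left": sorted(p.name for p in docs.glob("*" + SUFFIX)),
            "original_kept": (docs / "report.docx").read_bytes() == b"PK\x03\x04original",
        }
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

Run recover_crimson(path, dry_run=True) first on a real host to review the collision and header-mismatch lists before anything is renamed; the mismatch list is where genuinely damaged files, or a different encrypting payload, would show up.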
A ransom note template was not found in the code.<\/p>\n<p>On the network side, STRRAT reaches out to download several Java dependencies on startup.<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn aem-GridColumn--default--8 aem-GridColumn--offset--default--2\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/blog\/threat-research\/new-strrat-rat-phishing-campaign\/_jcr_content\/root\/responsivegrid\/image_620405968.img.png\/1642027276753\/img20.png\" alt=\"Figure 19. Java dependencies\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 19. Java dependencies<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>As shown in <i>Figure 12<\/i>, this sample uses IP address 198[.]27.77.242 for C2 (command and control). Examining that traffic in Wireshark shows STRRAT being exceptionally noisy, most likely because the C2 channel was offline at the time of the investigation. In its effort to obtain further instructions, the sample attempts to connect over ports 1780 and 1788 at one-second intervals, and in some instances more frequently.<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn aem-GridColumn--default--10 aem-GridColumn--offset--default--1\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/blog\/threat-research\/new-strrat-rat-phishing-campaign\/_jcr_content\/root\/responsivegrid\/image_1802553782.img.png\/1642027319898\/imgtwenty.png\" alt=\"Figure 20. Attempted C2 communication as shown in Wireshark\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 20. 
Attempted C2 communication as shown in Wireshark<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p><i>Figure 12 <\/i>also shows a URL containing the domain \u201cjbfrost[.]live\u201d. This appears to be part of the C2 infrastructure for the malware but does not appear to be used (at least not at this time). The domain does not resolve currently.\u00a0<\/p>\n<h3><b>Conclusion<\/b><\/h3>\n<p>Threat actors expend an enormous amount of effort to craft campaigns that take advantage of the basic day-to-day operations of companies. This includes the intake of raw materials and the output of finished goods via shipping and transportation networks. Threats of this nature are only set to increase in the coming months and years and organizations need to be on guard for attempts to subvert their operations in this manner. \u00a0<\/p>\n<p>This campaign is one such attempt. STRRAT doesn\u2019t garner as much attention as some of the more widely seen trojans in the malware ecosystem, but it is a capable and resilient threat where encountered.<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<h3>Fortinet Protections and Mitigations<\/h3>\n<p>FortiGuard Labs provides the following AV coverage against the files used in this attack:<\/p>\n<p style=\"margin-left: 40.0px;\">Java\/Agent.X!tr<\/p>\n<p>FortiMail protects Fortinet customers by blocking phishing emails and applying FortiGuard\u2019s Web Filtering, AntiVirus, and CDR (content disarm and reconstruction) technologies.<\/p>\n<p>All network IOCs are blocked by the WebFiltering client.<\/p>\n<p>FortiEDR detects the malicious files based on reputation and behavior.<\/p>\n<p><b>IOCs<\/b><\/p>\n<p><b>E-mail\u00a0<\/b><\/p>\n<p><b><i>Addresses<\/i><\/b><\/p>\n<p>shipping@acalpulps.com<\/p>\n<p>exports@ftqplc.in<\/p>\n<p><b>Trojan<\/b><\/p>\n<p><b><i>SHA256 
Hash<\/i><\/b><\/p>\n<p>409ad1b62b478477ce945791e15e06b508e5bb156c4981263946cc232df89996 (SHIPMENT_DOCUMENTS_INV-PLIST01256_BL PDF[.]zip)<\/p>\n<p>3380d42b418582b6f23cfd749f3f0851d9bffc66b51b338885f8aa7559479054 (SHIPMENT_DOCUMENTS_INV-PLIST01256_BL PDF[.]jar)<\/p>\n<p><i><b>URL<\/b><\/i><\/p>\n<p>hXXp:\/\/jbfrost[.]live\/strigoi\/server\/?hwid=1&amp;lid=m&amp;ht=5<\/p>\n<p><i><b>IP Address<\/b><\/i><\/p>\n<p>198[.]27.77.242 (C2)<\/p>\n<p><i>Learn more about Fortinet\u2019s\u00a0<\/i><a href=\"https:\/\/www.fortinet.com\/fortiguard\/labs?utm_source=blog&amp;utm_campaign=fortiguard-labs\"><i>FortiGuard Labs<\/i><\/a><i>\u00a0threat research and intelligence organization and the FortiGuard Security Subscriptions and Services\u00a0<\/i><a href=\"https:\/\/www.fortinet.com\/fortiguard\/labs?tab=security-bundles&amp;utm_source=blog&amp;utm_campaign=security-bundles\"><i>portfolio<\/i><\/a><i>.<\/i><\/p>\n<\/p><\/div>\n<div class=\"raw-import aem-GridColumn aem-GridColumn--default--12\">\n<div class=\"text-container\">\n<div id=\"om-qbkzwxxbiv83f0ol5a2d-holder\"><\/div>\n<\/div><\/div>\n<\/p><\/div>\n<p><a href=\"https:\/\/www.fortinet.com\/blog\/threat-research\/new-strrat-rat-phishing-campaign\" target=\"bwo\" >http:\/\/feeds.feedburner.com\/fortinet\/blog\/threat-research<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p><img decoding=\"async\" src=\"\/blog\/threat-research\/new-strrat-rat-phishing-campaign\/_jcr_content\/root\/responsivegrid\/image.img.png\/1642636926977\/img1.png\"\/><br \/>FortiGuard Labs discovered a phishing email used to deliver a variant of the STRRAT malware as an attachment. 
This blog deconstructs the phishing email and its malicious payload.<\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10424,10378],"tags":[],"class_list":["post-17996","post","type-post","status-publish","format-standard","hentry","category-fortinet","category-security"],"_links":{"self":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/17996","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=17996"}],"version-history":[{"count":0,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/17996\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=17996"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=17996"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=17996"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}