
A new phishing campaign using fake shipping delivery impersonating Maersk shipping lures installs the STRRAT remote access trojan on unsuspecting victim’s devices.
The macro code that runs fetches the STRRAT malware onto their machine, a powerful remote access trojan that can steal information and even fake ransomware attacks once the recipient opens it.
The header of the phishing emails has the information that messages are routed through recently registered domains that increase the risk of being flagged by email security solutions. To evade detection Allatori tool use to obfuscate
The email claims to be information about a shipment, changes in delivery dates, or notices regarding a fictitious purchase and includes an Excel attachment or links to one that pretends to be the related invoice.
The STRRAT infection begins by decrypting the configuration file, copying the malware into a new directory, and adding new Windows registry entries for persistence. It gathers host information and security tools details
STRRAT can perform the following:
- Log user keystrokes
- Facilitate remote control operation
- Grab passwords from web browsers like Chrome, Firefox, and Microsoft EdgeSteal passwords from email clients like Outlook, Thunderbird, and Foxmail
- Run a pseudo-ransomware module to simulate an infection
Examining the traffic in Wireshark shows STRRAT being exceptionally noisy. This is likely due to the C2 channel being offline at the time of the investigation. The communication is taken over port 1780 and 1788 at one-second intervals with C&C
Trojans like STRRAT often go ignored for being less sophisticated and more randomly deployed. The phishing emails used in this campaign blend very homogeneously with day-to-day corporate communications in companies that deal with shipments and transportation, so it only takes a tired or careless employee for the damage to be done.
Indicators of Compromise
E-mail Addresses
- shipping@acalpulps.com
- Exports@ftqplc.in
SHA256 Hash
- 409ad1b62b478477ce945791e15e06b508e5bb156c4981263946cc232df89996
- 3380d42b418582b6f23cfd749f3f0851d9bffc66b51b338885f8aa7559479054
URL
hXXp://jbfrost[.]live/strigoi/server/?hwid=1&lid=m&ht=5
IP Address
198[.]27.77.242 (C2)