STRRAT

STRRAT is a Java-based remote access trojan (RAT), also known as Strigoi Master, with observed versioning including "STRRAT 1.2." It is primarily Windows-focused despite being implemented in Java. Reported delivery includes spam and phishing campaigns using malicious JAR attachments, as well as malicious Java-based downloaders. One described chain starts from a spam email carrying a JAR attachment (for example, "NEW ORDER.jar"), which drops and executes VBScript via wscript.exe. The VBScript can use PowerShell to decode and run additional content, write the final payload as %APPDATA%\ntfsmgr.jar, establish persistence through a Windows Run key named "ntfsmgr," and download/install a Java Runtime Environment if needed. Other reporting notes phishing campaigns hosting malware on public services such as AWS and GitHub, and repeated malspam activity themed around business subjects such as Offers and Requests, including campaigns targeting Italy. Telemetry in one analysis referenced infection attempts against German customers.

Capabilities directly described for STRRAT include credential theft from Firefox, Internet Explorer, Chrome, Foxmail, Outlook, and Thunderbird; keylogging with both immediate exfiltration and offline modes; remote command execution; PowerShell execution; file management; process listing; remote screen control; and reverse proxying. The payload uses the package name strpayload, is obfuscated with Allatori, and stores strings/configuration in AES-encrypted form; one analysis states the configuration is AES-encrypted with the password "strgoi." The malware also downloads dependencies from a hardcoded URL, including a referenced dependency bundle at hxxp://jbfrost.live/strigoi/lib.zip, and references a system-hook library consistent with global keyboard and mouse monitoring.

STRRAT also includes functionality to download and install RDPWrap / Hidden RDP components to enable or abuse Remote Desktop on infected Windows hosts. Reported related artifacts include a download URL hxxp://wshsoft.company/multrdp(.)jpg and a command "hrdp-new" that installs HRDPInst.exe. A ransomware-like module is present with commands such as rw-encrypt, rw-decrypt, and show-msg, but the described behavior does not perform real cryptographic encryption; instead, it renames files by appending the .crimson extension and can later remove that extension. The malware can also display an arbitrary ransom note via notepad.exe.

STRRAT has been associated with the threat actor Bloody Wolf, also tracked as Stan Ghouls, whose historical toolset included STRRAT before later campaigns shifted toward abuse of the legitimate NetSupport remote administration tool. Bloody Wolf has used spear-phishing against organizations in Kazakhstan, Russia, Kyrgyzstan, and Uzbekistan, including government, finance, manufacturing, and IT-related targets, and reporting explicitly notes prior use of STRRAT in those operations. Known indicators and artifacts directly mentioned in the content include the dropped files bqhoonmpho.vbs, %APPDATA%\edeKbMYRtr.vbs, and %APPDATA%\ntfsmgr.jar; the Run key name "ntfsmgr"; the package name strpayload; the dependency name system-hook-3.5.jar; the .crimson file extension; and infrastructure URLs hxxp://jbfrost.live/strigoi/lib.zip and hxxp://wshsoft.company/multrdp(.)jpg.