new phishing campaign<\/a> delivering STRRAT and VCURMS Remote Access Trojans through a malicious Java-based downloader, which we can observe on ANY.RUN. <\/p>\n\n\n\nSTRRAT<\/strong> is a Java-based Remote Access Trojan (RAT) that primarily functions as a keylogger, extracting credentials from browsers and applications. <\/p>\n\n\n\nVCURMS<\/strong> is another RAT, possibly connected to the Rude Stealer <\/strong>malware. It runs cmd.exe commands, collects system data and credentials from browsers, Discord, Steam, and other programs. It can also upload additional modules to expand its information-stealing functionality as needed. <\/p>\n\n\n\nThe attack chain begins with a phishing email urging recipients to click a button to verify payment information. Clicking this button downloads a malicious JAR file disguised as a payment invoice. This file then downloads and runs two more JAR files to launch the VCURMS and STRRAT trojans. <\/p>\n\n\n\n
Uniquely, the attackers store the malware files on AWS or Github and use commercial protection to hide their malicious nature. The initial JAR file delivered via email is obfuscated and downloads the malware using a PowerShell command. <\/p>\n\n\n\n
Finding the attack in ANY.RUN’s Threat Intelligence Lookup <\/h2>\n\n\n\n We can use ANY.RUN’s Threat Intelligence Lookup<\/a> to first find samples of this campaign, confirm the reported behavior, and collect IOCs and malware configuration extracted from memory. <\/p>\n\n\n\n
ANY.RUN Threat Intelligence Lookup portal <\/figcaption><\/figure><\/div>\n\n\nIn the ANY.RUN TI Lookup, we can use the query constructor to build our query: ‘RuleName:”strrat” AND DomainName:”github.com”\u2019. <\/p>\n\n\n
\n
A query to find IOCs and events connected to STRRAT malware <\/figcaption><\/figure><\/div>\n\n\nLet’s execute the query and see what we can find. The lookup provides several interesting results: <\/p>\n\n\n
\n
\nIn the left table (marked with a red border), we can see related events. These are interactive sandbox research sessions where the ANY.RUN sandbox detected STRRAT. We can use them to analyze a malware sample in a realistic environment. <\/li>\n\n\n\n On the right is a list of malicious executable files, which you can download for reverse engineering or take their hashes directly to investigate your logs or enrich related objects in your security systems. <\/li>\n<\/ul>\n\n\n\n\n
![\"\"](\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/1-5-1024x585.png\")
![\"\"](\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/2-5-1024x31.png\")
![\"\"](\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/3-3-1024x587.png\")
<\/figure><\/div>\n\n\n