
Microsoft warns of an “email campaign” that is trying to steal sensitive data


Microsoft has warned its users of a “massive email campaign” pushing the Java-based STRRAT malware, which steals sensitive data from infected systems while disguising itself as a ransomware infection.

“This RAT is famous for its ransomware-like behavior by appending the .crimson file name to files without actually encrypting them,” the Microsoft Security Intelligence team said in a series of tweets.

The new wave of attacks, which the company detected last week, begins with spam emails sent from compromised email accounts with “Outbound payments” in the subject line. The emails prompt recipients to open what appear to be PDF documents claiming to be payment remittances; in reality, the lure connects to a malicious domain to download the STRRAT malware.


In addition to establishing a connection to a command-and-control server during execution, the malware comes with a variety of features that allow it to collect browser passwords, record keystrokes, and execute remote commands and PowerShell scripts.


STRRAT first appeared on the threat landscape in June 2020, when German cybersecurity company G Data observed the Windows malware (version 1.2) being delivered in phishing emails carrying malicious JAR (Java Archive) attachments.

“The RAT focuses on stealing credentials from browsers and email clients, and passwords through keylogging,” detailed Karsten Hahn, malware analyst at G Data. “It supports the following browsers and email clients: Firefox, Internet Explorer, Chrome, Foxmail, Outlook, Thunderbird.”

Its ransomware capabilities are rudimentary at best, as the “encryption” stage merely renames files by appending the “.crimson” extension; the file contents are left untouched. “If the extension is removed, the files can be opened normally,” Hahn added.
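Because the renaming-only behaviour is the whole point of the ransomware disguise, an incident responder can verify it directly before anyone considers paying or hunting for a decryptor. The following Python script is an added example for this article, not code from Microsoft, G Data or the STRRAT authors: it walks a directory of “.crimson” files, checks each one for a recognizable file-format header or for the high byte entropy that real ciphertext has, and, where the content is clearly intact, strips the bogus extension. The file names and contents are constructed samples, and the 7.0 bits-per-byte entropy threshold is a heuristic chosen here, not a value from the article.

```python
import math
import tempfile
from pathlib import Path

FAKE_EXT = ".crimson"

# Constructed sample victim files (not from the article): the contents a user
# would find intact under a ".crimson" extension after a STRRAT infection.
SAMPLE_FILES = {
    "quarterly_report.pdf": b"%PDF-1.7\n1 0 obj\n<< /Type /Catalog >>\nendobj\n"
    + b"Invoice text " * 40,
    "photo.png": b"\x89PNG\r\n\x1a\n" + bytes(range(256)) * 4,
    "notes.txt": b"Meeting notes: outbound payments reconciled.\n" * 30,
}

# Stand-in for genuinely encrypted data: a deterministic byte stream in which
# every value 0..255 occurs equally often (entropy 8.0) and no header matches.
CIPHERTEXT_STANDIN = bytes((i * 131 + 17) % 256 for i in range(2048))

# Magic bytes of common document and image formats.
MAGIC = {
    b"%PDF": "pdf",
    b"\x89PNG\r\n\x1a\n": "png",
    b"PK\x03\x04": "zip / modern office",
    b"\xff\xd8\xff": "jpeg",
    b"\xd0\xcf\x11\xe0": "ole / legacy office",
}

ENTROPY_THRESHOLD = 7.0  # heuristic: real ciphertext sits close to 8 bits/byte


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; 0.0 for empty input, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def looks_unencrypted(data: bytes) -> bool:
    """True if the bytes still look like an ordinary file rather than ciphertext."""
    head = data[:16]
    if any(head.startswith(magic) for magic in MAGIC):
        return True
    # No known header: fall back to entropy of the first 4 KiB.
    return shannon_entropy(data[:4096]) < ENTROPY_THRESHOLD


def triage_directory(directory: Path, restore: bool = False) -> dict:
    """Classify every *.crimson file; optionally restore fake-encrypted ones."""
    verdicts = {}
    for path in sorted(directory.glob("*" + FAKE_EXT)):
        data = path.read_bytes()
        fake = looks_unencrypted(data)
        verdicts[path.name] = "fake-encrypted" if fake else "possibly-encrypted"
        if fake and restore:
            original = path.with_name(path.name[: -len(FAKE_EXT)])
            if not original.exists():  # never clobber an existing file
                path.rename(original)
    return verdicts


def demo(restore: bool = True) -> dict:
    """Build the constructed sample directory, triage it, report what remains."""
    with tempfile.TemporaryDirectory() as tmp:
        d = Path(tmp)
        for name, content in SAMPLE_FILES.items():
            (d / (name + FAKE_EXT)).write_bytes(content)
        (d / ("backup.db" + FAKE_EXT)).write_bytes(CIPHERTEXT_STANDIN)
        verdicts = triage_directory(d, restore=restore)
        return {"verdicts": verdicts, "files_after": sorted(p.name for p in d.iterdir())}


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Run it against a copy of the affected directory, not the original evidence: a header match or low entropy means the file was only renamed, while a file that fails both checks is kept under its “.crimson” name for closer inspection, since a later variant or a different family may encrypt for real.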

Microsoft also notes that version 1.5 is more obfuscated and modular than previous versions, suggesting that the attackers behind the operation are actively working to improve their toolkit. The fact that the fake-encryption behavior remains unchanged, however, indicates that the group may be aiming to make quick money from unsuspecting users through extortion.

