Security

Microsoft Warns of Malware Campaign Spreading a RAT Masquerading as Ransomware (therecord.media)

The Microsoft security team has published details about a malware campaign that is currently spreading a remote access trojan named STRRAT that steals data from infected systems while masquerading as a ransomware attack. From a report: According to the Microsoft Security Intelligence team, the campaign is currently leveraging a mass-spam distribution vector to bombard users with emails containing malicious PDF file attachments. "Attackers used compromised email accounts to launch the email campaign," Microsoft said in a series of tweets last night. "The emails contained an image that posed as a PDF attachment but, when opened, connected to a malicious domain to download the STRRAT malware." First spotted in June 2020, STRRAT is a remote access trojan (RAT) coded in Java that can act as a backdoor on infected hosts. According to a technical analysis by German security firm G DATA, the RAT has a broad spectrum of features that vary from the ability to steal credentials to the ability to tamper with local files.
  • I smell a RAT
  • According to the Microsoft Security Intelligence team, the campaign is currently leveraging a mass-spam distribution vector to bombard users with emails containing malicious PDF file attachments.

    Text only, no-attachments, evil thwarted.

    • In other news: It's 2021 and we're still receiving emails that can take over an entire system with a single mouse click.

      • And a late bulletin: It's 2021 and mass-spammed emails are still arriving in our inboxes.

        • In more depressing news, it's 2021 and we still haven't got a standardized universal messaging standard to merge 100 different walled garden apps with different features

          (Like email, whatsapp, text, telegram, video/audio/group calls, FB/IG/Linkedin/twitter messengers... )

          that everyone can connect to using any compliant app(s) of their choice.

      • by gweihir ( 88907 )

        In other news: It's 2021 and we're still receiving emails that can take over an entire system with a single mouse click.

        Indeed. Because MS does not care one bit about its users.

  • But how does it run the malware? Just downloading won't do it any good.

    Or are they counting on clueless individuals clicking on the .exe they just downloaded from the internet?
    • Re:Running... (Score:4, Informative)

      by Joce640k ( 829181 ) on Thursday May 20, 2021 @11:26AM (#61404116)

      Summary says: "The emails contained an image that posed as a PDF attachment but, when opened, connected to a malicious domain to download the STRRAT malware."

      The real WTF is allowing everything to run "scripts".

      • But PDF Javascripts aren't able to start executables, are they?

        BTW Javascript is the first thing I turn off when I install Acrobat Reader.
        • by kmoser ( 1469707 )
          Sounds like the problem isn't "executable PDFs" but rather "insecure Acrobat Reader". Is this still a problem when using, say, Foxit Reader?
      • by gweihir ( 88907 )

        The real WTF is allowing everything to run "scripts".

        Indeed. That requires extreme stupidity, extreme ignorance and negligence that cannot get more gross.

  • I wonder how long until someone throws out some ransomware that does some really lame encryption like ROT13 text files? Just for the lolz, of course.
    • I wonder how long until someone throws out some ransomware that does some really lame encryption like ROT13 text files? Just for the lolz, of course.

      Uh, if you're still wondering what the rate of devolution is these days, this is, sadly, even lamer than that.

      "...the so called 'encryption' only renames files by appending the .crimson extension...This might still work for extortion because such files cannot be opened anymore by double-clicking...If the extension is removed, the files can be opened as usual."

      Drats! Hacked again by the Evil Dr. Rename. Oh, when will the suffering stop?

      • That's actually what I was referring to. A lot of users might figure that one out. Do a trivial transform on the file and how many users are going to figure out that they can recover their files with a simple shell command? But yeah, come to think of it, TFA reference is really even lamer. Just depends on how you look at it.
      • A lot of ransomware groups are basing their ransom on data exfiltration, with blackmail/extortion being their mainstay, as opposed to denying access to data.

        I wouldn't be surprised to see a malware group create ransomware that, if disturbed, sends a note to the group, which will then paste all confidential company stuff on pastebin or just sell it, so restoring a backup, or decrypting a file would be out of the question for an average company. If a game company can make tamper detection software, then a

  • by geekmux ( 1040042 ) on Thursday May 20, 2021 @10:25AM (#61403910)

    An interesting analysis from TFA:

    "...the so called 'encryption' only renames files by appending the .crimson extension...This might still work for extortion because such files cannot be opened anymore by double-clicking...If the extension is removed, the files can be opened as usual."

    And now we know why ransomware works so well. This is like selling Jack the magic beans, only they're invisible.

    Hey! Slow down, stupid. You spill those, and you'll never find them...

  • That was White Snake!
    We're not White Snake, dude. We're Poison!
    I thought we was Quiet Riot...
    ...says here, [therecord.media] we're Ratt...
  • According to the Microsoft Security Intelligence team, the campaign is currently leveraging a mass-spam distribution vector to bombard users with emails containing malicious PDF file attachments.

    The Microsoft Security Intelligence, surely an oxymoron if there ever was one. The PDF files aren't malicious. The problem lies totally with an Operating System that can't tell the difference between DATA and CODE.
  • Funny headline. I'm imagining a user sitting there "I don't want any Trojans, but downloading Ransomware is just fine!"
  • Can we just call it a Trojan, the way we did for the last 30 years?

  • The emails contained an image that posed as a PDF attachment ...

    How about a warning when something (file/attachment) says it's one thing (extension) but is actually another (contents/magic)?
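
The check the comment above asks for, combined with the "rename-only" behaviour quoted earlier in the thread (files merely get a `.crimson` suffix appended), as an added example. This is Python written for this page, not code from Slashdot, Microsoft or G DATA. It sniffs the leading bytes of a file for well-known format headers, compares the real type with what the extension claims, and for a file carrying the quoted `.crimson` suffix reports the original name only when the bytes agree with the extension underneath. The signature table and extension map are small and illustrative; the sample inputs are constructed byte strings, not real files.

```python
"""Extension-vs-content check for attachments and "renamed" files.

Added example (not from the Slashdot thread, Microsoft or G DATA): recover
a file's real type from its leading bytes ("magic"), flag files whose
extension claims something else (e.g. a Windows executable named scan.pdf),
and undo a rename-only ".crimson" suffix when the content confirms the
original extension. Sample inputs are constructed.
"""
from dataclasses import dataclass
from typing import Optional

# (leading bytes, canonical type name) for a handful of common formats.
MAGIC = [
    (b"%PDF-", "pdf"),
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"\xff\xd8\xff", "jpeg"),
    (b"GIF87a", "gif"),
    (b"GIF89a", "gif"),
    (b"PK\x03\x04", "zip"),      # also docx/xlsx/pptx/jar containers
    (b"MZ", "pe"),               # Windows executable / DLL
    (b"\x7fELF", "elf"),
    (b"\xca\xfe\xba\xbe", "java-class"),
]

# Which content type(s) a given extension is expected to carry.
EXPECTED = {
    "pdf": {"pdf"},
    "png": {"png"},
    "jpg": {"jpeg"}, "jpeg": {"jpeg"},
    "gif": {"gif"},
    "zip": {"zip"}, "docx": {"zip"}, "xlsx": {"zip"}, "jar": {"zip"},
    "exe": {"pe"}, "dll": {"pe"},
}

# Suffix the quoted rename-only "ransomware" appends; taken from the G DATA text
# quoted in the thread, used here only to demonstrate the restore check.
RENAME_SUFFIX = ".crimson"


@dataclass
class Verdict:
    filename: str
    claimed: Optional[str]   # extension as displayed, lower-case, no dot
    actual: Optional[str]    # type recovered from magic bytes, or None
    mismatch: bool
    note: str


def sniff(data: bytes) -> Optional[str]:
    """Return the type whose magic matches the start of data, else None."""
    for magic, name in MAGIC:
        if data.startswith(magic):
            return name
    return None


def extension_of(filename: str) -> Optional[str]:
    """Last extension of the base name, lower-cased, or None if there is none."""
    name = filename.rsplit("/", 1)[-1]
    if "." not in name:
        return None
    return name.rsplit(".", 1)[-1].lower()


def check(filename: str, data: bytes) -> Verdict:
    """Compare what the extension promises against what the bytes say."""
    claimed = extension_of(filename)
    actual = sniff(data)
    if claimed is None:
        return Verdict(filename, None, actual, False, "no extension to compare against")
    if actual is None:
        return Verdict(filename, claimed, None, False, "unknown content type")
    if actual in EXPECTED.get(claimed, set()):
        return Verdict(filename, claimed, actual, False, "extension matches content")
    return Verdict(filename, claimed, actual, True,
                   f"'.{claimed}' file actually starts like {actual}")


def restore_renamed(filename: str, data: bytes) -> Optional[str]:
    """If filename ends in RENAME_SUFFIX and the bytes agree with the extension
    underneath, return the original name; otherwise None (never guess)."""
    if not filename.lower().endswith(RENAME_SUFFIX):
        return None
    original = filename[: -len(RENAME_SUFFIX)]
    verdict = check(original, data)
    return original if verdict.actual and not verdict.mismatch else None


if __name__ == "__main__":
    samples = {  # constructed inputs, not real files
        "invoice.pdf": b"%PDF-1.7\n%...",
        "scan.pdf": b"MZ\x90\x00\x03\x00",            # executable wearing a PDF extension
        "photo.png.crimson": b"\x89PNG\r\n\x1a\n\x00",  # rename-only "encryption"
    }
    for name, blob in samples.items():
        v = check(name, blob)
        print(f"{name:20} claimed={v.claimed} actual={v.actual} mismatch={v.mismatch}  {v.note}")
        restored = restore_renamed(name, blob)
        if restored:
            print(f"{'':20} content confirms original name: {restored}")
```

A mail gateway or endpoint agent would run `check` on every attachment before the icon is ever shown to the user; the same sniffing is what lets `restore_renamed` undo a suffix-only rename without trusting the attacker's file name.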

  • Malware disguised as malware. Is Mars ready to colonize yet? I want to go away.

  • When it comes to RATs, MS knows everything there is to know.
  • The mugger just wants to copy my drivers license, not take my cash.
