The campaign lures recipients into opening what appear to be PDF attachments sent in mass email blasts. When a victim opens one of those attachments, it downloads a malware variant called StrRAT.
Microsoft's Security Intelligence Team tweeted that StrRAT's purpose is to steal browser passwords, log keystrokes, and run remote commands on the infected machine.
Remote command execution is the most dangerous of these capabilities: it gives the attacker interactive control of the victim's computer, from which they can harvest sensitive information ranging from email credentials to data stored in web browsers.
The attack sequence to watch out for
Following the malware's trail, Threatpost determined the campaign's attack sequence. It plays out like this:
To start, the attackers use compromised email accounts to send several different emails. To date, the messages disguise the sender as a supplier or as someone involved in payment for goods or services. Some of the messages use the subject line "Outgoing Payments." Others refer to specific payments supposedly made by the "Accounts Payable Department." Still others say "your payment has been released as per attached payment advice" and ask the recipient to verify adjustments made in the attached PDF.
That attachment, if opened, is where the trouble starts. It is not a genuine PDF: opening it downloads the malware to the user's computer, and the attackers set about gathering all the data they can mine. While extortion is not the primary aim of the attack, reports are circulating that the attackers may also try to make a quick buck off users by disguising their attack as a form of ransomware.
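The lure pattern described above lends itself to a simple gateway-side check. The following is an added example, not code from the original article or from Microsoft: it scores constructed sample messages (not real captures) for the payment-advice wording Threatpost reports and, more decisively, for attachments that are named .pdf but carry no PDF header, or that hide an executable extension behind a document one. The heuristics and the pass/review/block levels are this example's own assumptions, not Microsoft's detection rules.

```python
"""Triage heuristic for payment-advice lures that carry a fake "PDF" attachment.

Added example, not code from the original article or from Microsoft. The sample
messages are constructed; the lure phrases come from the article, while the
magic-byte and double-extension heuristics and the pass/review/block verdicts
are this example's own assumptions about how a mail gateway might score them.
"""
from dataclasses import dataclass, field

# Phrases the article reports in the lure subjects and bodies (matched case-insensitively).
LURE_PHRASES = (
    "outgoing payments",
    "accounts payable",
    "payment advice",
    "payment has been released",
)

# A real PDF carries this header; readers tolerate it anywhere in the first 1024 bytes,
# so the check scans that window rather than only offset 0 to avoid false positives.
PDF_MAGIC = b"%PDF-"
HEADER_WINDOW = 1024

DOCUMENT_EXTS = {"pdf", "doc", "docx", "xls", "xlsx"}
EXECUTABLE_EXTS = {"exe", "jar", "js", "vbs", "scr", "bat", "cmd", "ps1", "hta", "lnk"}


@dataclass
class Attachment:
    filename: str
    content: bytes


@dataclass
class Email:
    sender: str
    subject: str
    body: str
    attachments: list = field(default_factory=list)


def fake_pdf(att: Attachment) -> bool:
    """True when the filename claims PDF but no PDF header appears in the first 1 KiB."""
    return att.filename.lower().endswith(".pdf") and PDF_MAGIC not in att.content[:HEADER_WINDOW]


def double_extension(att: Attachment) -> bool:
    """True for names like 'advice.pdf.exe': a document extension hiding an executable one."""
    parts = att.filename.lower().split(".")
    return len(parts) >= 3 and parts[-2] in DOCUMENT_EXTS and parts[-1] in EXECUTABLE_EXTS


def lure_phrases(msg: Email) -> list:
    """Return the lure phrases present in the subject or body, in LURE_PHRASES order."""
    text = f"{msg.subject}\n{msg.body}".lower()
    return [p for p in LURE_PHRASES if p in text]


def verdict(msg: Email) -> dict:
    """Score one message.

    block  - an attachment misrepresents its type (the decisive signal)
    review - only lure wording matched; a genuine accounts-payable mail looks the same
    pass   - nothing matched
    """
    reasons = [f"lure phrase {p!r}" for p in lure_phrases(msg)]
    attachment_anomaly = False
    for att in msg.attachments:
        if fake_pdf(att):
            attachment_anomaly = True
            reasons.append(f"{att.filename!r} is named .pdf but has no PDF header")
        if double_extension(att):
            attachment_anomaly = True
            reasons.append(f"{att.filename!r} has a double extension")
    if attachment_anomaly:
        level = "block"
    elif reasons:
        level = "review"
    else:
        level = "pass"
    return {"verdict": level, "reasons": reasons}


# Constructed sample messages (not real captures). The "lure" attachment uses a ZIP
# local-file header as a stand-in for "some non-PDF payload"; it is not StrRAT.
SAMPLES = {
    "lure": Email(
        sender="ap@supplier.example",
        subject="Outgoing Payments",
        body="Your payment has been released as per attached payment advice. "
             "Please verify the adjustments in the attached PDF.",
        attachments=[Attachment("Payment_Advice.pdf", b"PK\x03\x04" + b"\x00" * 26)],
    ),
    "legit": Email(
        sender="ap@customer.example",
        subject="Outgoing Payments - remittance",
        body="Attached is this week's remittance advice.",
        attachments=[Attachment("remittance.pdf", b"%PDF-1.7\n%\xe2\xe3\xcf\xd3\n")],
    ),
    "unrelated": Email(sender="hr@corp.example", subject="Lunch menu", body="Tacos today."),
}

if __name__ == "__main__":
    for name, msg in SAMPLES.items():
        print(name, verdict(msg))
```

Run it directly to see the three verdicts. The wording match alone stays at "review" because a genuine accounts-payable message uses the same phrases; the attachment checks are what separate the lure from legitimate traffic. The header scan covers the first 1024 bytes rather than offset 0 only, since PDF readers accept a header anywhere in that window, so a gateway that checks only the first bytes will flag some real PDFs. The script expects attachments already decoded from their MIME parts.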
Guarding against the attack
Microsoft says its Microsoft 365 Defender delivers “coordinated defense against this threat” and can protect users against malicious emails after they’re detected.
The company's Security Intelligence Team has also published what it knows on GitHub, so that other defenders can identify indicators of StrRAT activity before the malware does any damage.