Cofense warns of rising remote-access trojan infections as malware becomes more sophisticated
A new report released today by phishing detection and response solutions company Cofense Inc. is warning that a remote access trojan first detected in 2020 is currently running wild and being increasingly used in phishing malware campaigns.
The RAT in question is called STR RAT and is mostly delivered directly via email as opposed to an embedded link. STR RAT is described by Cofense as being “like a seasonal flu” in that every year some part of the infection chain receives an update; STR RAT has not only evolved but also become more prominent in a short period of time.
Features of STR RAT include the ability to steal passwords, log keystrokes and provide backdoor access to the malicious actors using it. The RAT can steal passwords saved in Chrome, Firefox and, strangely given it’s 2024, Internet Explorer. For email clients, the RAT targets Outlook, Thunderbird and China’s Foxmail.
Key commands include o-keylogger, which is said to create a text file containing all subsequent keystrokes. The RAT also uses a command called “down-n-exec” to download and execute a file, remote-screen to let the attacker commandeer the computer, and power-shell to open a PowerShell terminal.
Though first seen in 2020, STR RAT came into prominence through 2023 and more recently through March this year following the launch of STR RAT 1.6. Attackers using STR RAT tend to use legitimate services such as GitHub Inc. and Amazon Web Services Inc. to host and deliver the RAT so as to appear to be from a legitimate source.
Under the hood, STR RAT is executed by a Java Runtime Environment and installs dependencies, creates persistence through various system locations and utilizes Java Archive files for configuration and encryption. The persistence mechanism ensures that the malware remains active and difficult to remove from infected systems.
STR RAT further uses geolocation services to fingerprint infected computers and sends this data, along with other system information, to command and control servers. The information is then used by attackers to tailor their malicious activities based on the location and system specifics of the infected device.
While the report does not give a list of recommendations on how to avoid STR RAT, it does point to the need for robust email security, given that the RAT is typically delivered directly via email attachments. Enhancing email security to detect and block suspicious attachments and URLs is the main way to block STR RAT attacks.
In addition, staying vigilant and monitoring network traffic for unusual patterns is another way to prevent malicious attacks. The use of endpoint detection and response tools to monitor and analyze potential indicators of compromise can also help.
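As an added illustration of the endpoint monitoring mentioned above (example code written for this article, not from Cofense or the report), the following heuristic runs over constructed process-creation events and flags two behaviours the article attributes to STR RAT: a Java runtime launching a .jar from a user-writable folder, and that Java process then spawning PowerShell. Event field names, paths and process IDs are assumptions made up for the example.

```python
# Added example (not from the Cofense report or the article): a heuristic over
# constructed process-creation events for two behaviours the article attributes
# to STR RAT - a Java runtime launching a .jar from a user-writable folder
# (email-attachment delivery) and that Java process then spawning PowerShell
# (the "power-shell" command). Field names, paths and PIDs are constructed.
import re
from pathlib import PureWindowsPath

JAVA = {"java.exe", "javaw.exe"}
SHELLS = {"powershell.exe", "pwsh.exe"}
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\downloads\\", "\\appdata\\roaming\\")

def exe_name(path):
    return PureWindowsPath(path).name.lower()

def is_java_jar_from_user_dir(event):
    """Java started with -jar pointing at a .jar under a user-writable folder."""
    if exe_name(event["image"]) not in JAVA:
        return False
    m = re.search(r'-jar\s+(?:"([^"]+)"|(\S+))', event["cmdline"], re.IGNORECASE)
    jar = ((m.group(1) or m.group(2)) if m else "").lower()
    return jar.endswith(".jar") and any(d in jar for d in USER_WRITABLE)

def triage(events):
    """Return {pid: [reasons]} for events matching either behaviour."""
    by_pid = {e["pid"]: e for e in events}
    findings = {}
    for e in events:
        parent = by_pid.get(e["ppid"])
        if is_java_jar_from_user_dir(e):
            findings.setdefault(e["pid"], []).append("java -jar from user-writable path")
        if parent and exe_name(parent["image"]) in JAVA and exe_name(e["image"]) in SHELLS:
            findings.setdefault(parent["pid"], []).append("java spawned powershell")
    return findings

# Constructed sample telemetry (not real indicators): one benign launch of a
# Java tool, then a chain that matches the article's description.
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 1, "image": r"C:\Program Files\Java\bin\javaw.exe",
     "cmdline": r'javaw.exe -jar "C:\Program Files\Tool\tool.jar"'},
    {"pid": 200, "ppid": 50, "image": r"C:\Program Files\Java\bin\java.exe",
     "cmdline": r'java.exe -jar "C:\Users\alice\AppData\Local\Temp\Invoice.jar"'},
    {"pid": 201, "ppid": 200, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -NoProfile"},
]

if __name__ == "__main__":
    for pid, reasons in sorted(triage(SAMPLE_EVENTS).items()):
        print(pid, "; ".join(reasons))
```

Only the process that shows both behaviours is reported, and a process matching just one would still be listed with a single reason, which is how a practitioner would separate the strong signal from the weaker one.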
Photo: Tambako The Jaguar/Flickr