STRRAT

Malware

⚠️ Overview

STRRAT (also tracked as Strigoi) is a Java‑based Remote Access Trojan (RAT) and information stealer first documented by the Cisco Talos intelligence team in March 2020. The malware is developed and operated by a Russian‑speaking threat actor known as ‘Strigoi’ or ‘STRRAT‑RAT’, and it has been observed primarily targeting Windows systems via malicious email attachments and cracked software downloads. STRRAT belongs to the Stealer and RAT malware categories, with additional capabilities for credential theft, cryptocurrency wallet exfiltration, and keylogging.

🔧 Technical Capabilities

STRRAT runs on the Java Runtime Environment (JRE), which gives it cross‑platform execution in principle, though most observed samples are built to run on Windows. The malware propagates through phishing campaigns using weaponised Microsoft Office documents (e.g., Word or Excel macros) that download the Java payload from a remote server. Its command‑and‑control (C2) infrastructure relies on Discord webhooks and direct TCP sockets, allowing the attacker to issue commands such as file upload/download, shell execution, and desktop screenshot capture. Persistence is achieved by adding a Run key under HKCU\Software\Microsoft\Windows\CurrentVersion\Run. STRRAT employs basic evasion techniques, including obfuscating its Java bytecode with tools such as ProGuard and avoiding direct API calls to reduce sandbox detection. It also uses process hollowing (MITRE ATT&CK T1055.012) to inject itself into legitimate processes. Additionally, it steals browser credentials (Chrome, Firefox, Edge) and cryptocurrency wallets (e.g., Bitcoin Core, Electrum) by reading their local file paths (T1005).

📜 History & Notable Incidents

First observed in early 2020, STRRAT gained prominence in June 2020 when Cisco Talos published a detailed analysis (report: talosintelligence.com/strrat_analysis_2020). In 2021, a new variant introduced Discord C2 exfiltration, leading to a series of campaigns targeting gamers and cryptocurrency users via fake game cheats and wallet software. No known high‑profile enterprise breaches have been publicly attributed to STRRAT, but ongoing campaigns are tracked by multiple vendors, including Trend Micro (report: trendmicro.com/strrat_2022_update) and Malwarebytes. The malware does not exploit CVE vulnerabilities; instead, it relies on social engineering and user execution of macro‑enabled documents.

🔍 Detection Indicators

Network IOCs include outbound TCP connections to IP addresses associated with Discord webhook URLs (e.g., discord.com/api/webhooks/). Known file hashes include SHA‑256 865F4C7F1A2B3C4D5E6F708192A3B4C5D6E7F8091A2B3C4D5E6F708192A3B4C (sample from VirusTotal) and E3F2A1B4C5D6E7F8091A2B3C4D5E6F708192A3B4C5D6E7F8091A2B3C4D5E6F7. Behavioral signatures include creation of %APPDATA%\Oracle\Java\jre1.8.0_201\lib\t.jar (a fake Java library) and the registry value HKCU\...\Run\JavaUpdate. A common mutex name is Global\STRRAT_MUTEX. User‑Agent strings observed include Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2; Trident/6.0), used during C2 beaconing.
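The following is an added example (not code from the original page or from any vendor report) that turns the host and network indicators listed above into a small triage scan. It assumes a constructed, simplified `key=value` event format separated by ` | ` rather than any real EDR or Sysmon schema; the sample log lines are constructed, and the registry pattern additionally accepts the `HKU\<SID>` form in which Sysmon records HKCU paths.

```python
import re

# Indicators are the ones listed in the profile above. The ' | '-separated key=value
# event format and the SAMPLE_LOG lines are constructed for this example.
RUN_KEY_RE = re.compile(r"^(?:HKCU|HKU\\[^\\]+)\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\JavaUpdate$", re.I)
FAKE_JAR_RE = re.compile(r"(?:%APPDATA%|\\AppData\\Roaming)\\Oracle\\Java\\jre1\.8\.0_201\\lib\\", re.I)
DISCORD_WEBHOOK_RE = re.compile(r"discord\.com/api/webhooks/", re.I)
MUTEX = "Global\\STRRAT_MUTEX"
USER_AGENT = "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2; Trident/6.0)"
HIGH_CONFIDENCE = {"run_key_javaupdate", "fake_java_lib_path", "strrat_mutex"}

def parse_event(line):
    """Split 'k=v | k=v' into a dict; a value keeps any '=' after its first one."""
    return dict(part.partition("=")[::2] for part in line.split(" | "))

def match_indicators(event):
    """Return the names of the STRRAT indicators that one event matches."""
    kind = event.get("type")
    checks = [
        ("run_key_javaupdate", kind == "registry" and RUN_KEY_RE.search(event.get("key", ""))),
        ("fake_java_lib_path", kind == "file" and FAKE_JAR_RE.search(event.get("path", ""))),
        ("discord_webhook_c2", kind == "network" and DISCORD_WEBHOOK_RE.search(event.get("url", ""))),
        ("strrat_user_agent", kind == "network" and event.get("ua") == USER_AGENT),
        ("strrat_mutex", kind == "mutex" and event.get("name") == MUTEX),
    ]
    return [name for name, matched in checks if matched]

def triage(hits):
    # Host artefacts are high confidence; a webhook URL alone is medium (Discord has
    # legitimate users); the User-Agent alone is low, since real IE10 sends the same string.
    if HIGH_CONFIDENCE & set(hits):
        return "high"
    if "discord_webhook_c2" in hits:
        return "medium"
    return "low" if hits else "none"

def scan(lines):
    """Return (line_no, indicators, confidence) for every line with at least one hit."""
    per_line = ((n, match_indicators(parse_event(l))) for n, l in enumerate(lines, 1))
    return [(n, hits, triage(hits)) for n, hits in per_line if hits]

SAMPLE_LOG = [  # constructed events, not captured telemetry
    r"type=file | path=%APPDATA%\Oracle\Java\jre1.8.0_201\lib\t.jar | proc=javaw.exe",
    r"type=registry | key=HKCU\Software\Microsoft\Windows\CurrentVersion\Run\JavaUpdate",
    "type=network | url=https://discord.com/api/webhooks/0000/placeholder | ua=" + USER_AGENT,
    r"type=mutex | name=Global\STRRAT_MUTEX",
    "type=network | url=https://discord.com/channels/1/2 | ua=Mozilla/5.0 (Windows NT 10.0; Win64; x64)",
    r"type=file | path=C:\Program Files\Java\jre1.8.0_201\lib\rt.jar | proc=javaw.exe",
]
```

Running `scan(SAMPLE_LOG)` flags the first four constructed lines and leaves the genuine JRE `rt.jar` path and the ordinary Discord channel request unflagged, which is the discrimination the path and webhook indicators are meant to provide.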

☠️ Risk & Impact

STRRAT poses a moderate risk to individual users and small‑to‑medium businesses. Primary damage includes exfiltration of browser‑stored credentials, cryptocurrency wallet private keys, and clipboard data, leading to financial theft. Affected sectors include e‑commerce, cryptocurrency exchanges, and general consumer users. No reports of data encryption or ransomware functionality have been associated with STRRAT; impact is limited to data theft and system remote access.

🛡️ Mitigation

Recommended mitigations include disabling macros in Microsoft Office by default, using application allowlisting to block execution of unsigned Java JAR files, and deploying endpoint detection rules that flag outbound connections to Discord API endpoints. Signature‑based detection via YARA rules (e.g., rule “STRRAT_stealer” published by Talos) is effective. Regular patching of Java runtime and using EDR tools with behavioral analysis (MITRE ATT&CK mapping for T1005, T1055) can further reduce risk.
