Maersk, one of the largest shipping companies in the world, was recently attacked with STRRAT malware. STRRAT is a Java-based remote access trojan, first discovered in mid-2020, that is capable of a range of malicious functions. Trojans of this kind are delivered to victims via phishing campaigns.
- Mail Spoofing
The above clearly shows that the email has been spoofed. Further examination of the email headers reveals additional details.
- Email Headers
Before reaching the victim, the emails are sent through “acalpupls[.]com”, and the Reply-To address is set to “ftqplc[.]in”. These two domains were registered in August 2021 and October 2021 respectively, which makes them highly suspicious.
Like any other phishing email, this one uses the pretext of a scheduled shipment to look legitimate.
- Trojan attachment
The attachment contains three files: two zip archives and a PNG image of Maersk. The zip files hold the code for STRRAT.
Investigation of the Attachment
On examining the zip attachments, the following was found.
- The jar files inside the attachments contained code obfuscated with “ALLATORIxDEMO”, a Java obfuscator. A Java deobfuscator was used to analyse the embedded code.
- A config.txt file was found, base64-encoded and AES-encrypted. On decrypting the file, the sample showed the code for a Log4Shell event.
- STRRAT copies itself to a new directory and creates a registry entry for the Windows startup event in order to maintain persistence.
- HRDP, a remote access tool, was used to control the remote system.
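The persistence finding above (a copy of the jar in a new directory plus a startup registry entry) is something a defender can hunt for by reviewing Run-key values. The following is an added example, not code from the original write-up: it scans a constructed set of Run-key values and flags entries that launch a jar via java/javaw, with extra weight when the launcher or the jar lives in a user-writable directory. All value names, paths and file names are invented for illustration.

```python
import re
from typing import Dict, List

# Constructed sample of values under a Run key
# (HKCU\Software\Microsoft\Windows\CurrentVersion\Run); modelled on the
# persistence behaviour described above. Every name and path is invented.
SAMPLE_RUN_VALUES: Dict[str, str] = {
    "OneDrive": r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
    "SecurityHealth": r"C:\Windows\system32\SecurityHealthSystray.exe",
    "Shipment-Update": r'"C:\Program Files\Java\jre1.8.0_291\bin\javaw.exe" -jar "C:\Users\alice\AppData\Roaming\shipment.jar"',
    "jre-helper": r"C:\Users\alice\AppData\Local\Temp\java.exe -jar C:\Users\alice\Documents\invoice.jar",
}

TOKEN = re.compile(r'"[^"]*"|\S+')  # a double-quoted token or a bare token
# The launcher is java/javaw, optionally with .exe, at the end of the first token.
JAVA_LAUNCHER = re.compile(r"(?:^|[\\/])javaw?(?:\.exe)?$", re.IGNORECASE)
# Directories an unprivileged user can write to (heuristic, not exhaustive).
USER_WRITABLE = re.compile(
    r"\\(?:AppData|Temp|ProgramData|Users\\[^\\]+\\(?:Documents|Downloads|Desktop))\\",
    re.IGNORECASE,
)


def flag_java_autoruns(run_values: Dict[str, str]) -> Dict[str, List[str]]:
    """Return {value_name: [reasons]} for Run-key values that start a jar via java/javaw."""
    findings: Dict[str, List[str]] = {}
    for name, cmd in run_values.items():
        tokens = [t.strip('"') for t in TOKEN.findall(cmd)]
        # The first token is the executable; anything that is not a Java launcher is ignored.
        if not tokens or not JAVA_LAUNCHER.search(tokens[0]):
            continue
        reasons = ["autorun executes a Java launcher"]
        if USER_WRITABLE.search(tokens[0]):
            reasons.append("launcher itself sits in a user-writable directory")
        for jar in (t for t in tokens[1:] if t.lower().endswith(".jar")):
            reasons.append("loads jar " + jar)
            if USER_WRITABLE.search(jar):
                reasons.append("jar in user-writable directory")
        findings[name] = reasons
    return findings


if __name__ == "__main__":
    for value_name, why in flag_java_autoruns(SAMPLE_RUN_VALUES).items():
        print(value_name, "->", "; ".join(why))
```

On a live host the same function can be fed the output of an export of the Run keys (for example from `reg query`) instead of the constructed dictionary.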
Threat actors are creating ever more complicated variants of malware, and these affect every sector, whether shipping and transportation or any other. Threats are predicted to increase in the coming years. Though STRRAT is not well known, it is capable of performing highly damaging malicious functions.