STRRAT Malware Impersonates Shipping Giant Maersk To Infect Victim’s Devices

Maersk, one of the largest shipping companies in the world, was recently targeted in an attack using STRRAT malware. STRRAT is a Java-based remote access trojan capable of multiple malicious functions, first discovered in mid-2020. Trojans of this type are delivered to victims via phishing campaigns.

Usually the attachment contains a dropper, such as a Microsoft Excel macro, which downloads the final payload when opened. Unlike the usual trojans, in this campaign the final payload is attached directly to the phishing emails.

1. Mail Spoofing

Sample of the spoofed mail

The above clearly shows that the email has been spoofed. Further examination of the email headers reveals additional details.

2. Email Headers

Email header details

Before reaching the victim, the emails are routed through “acalpupls[.]com”, and the Reply-To address is set to a mailbox at “ftqplc[.]in”. These domains were registered in August 2021 and October 2021 respectively, making them highly suspicious.
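As an added illustration of the header checks in this step (not code from the article or from any Maersk tooling), the following script parses a constructed message modelled on the one described, flags the From/Reply-To domain mismatch and the relay through an unrelated domain, and applies a domain-age threshold using the registration months the article reports. The exact registration days, the 180-day threshold, the 192.0.2.10 address and the `mx.example.net` hostname are assumptions.

```python
import re
from email import policy, message_from_string
from email.utils import parseaddr
from datetime import date

# Constructed sample modelled on the campaign described above; not the real message.
RAW_MESSAGE = """\
From: Maersk Line <notifications@maersk.com>
Reply-To: Maersk Shipping <shipping@ftqplc.in>
Received: from mail.acalpupls.com (mail.acalpupls.com [192.0.2.10])
    by mx.example.net with ESMTP; Tue, 30 Nov 2021 10:00:00 +0000
Subject: Scheduled shipment notification

Please see the attached shipment details.
"""

# Month-level registration dates from the article (day set to 1 as a placeholder);
# a production check would look these up via WHOIS/RDAP instead of a static table.
DOMAIN_REGISTERED = {"acalpupls.com": date(2021, 8, 1), "ftqplc.in": date(2021, 10, 1)}

def registrable(host: str) -> str:
    """Naively collapse a hostname to its last two labels (no public-suffix list)."""
    return ".".join(host.lower().split(".")[-2:])

def relay_hosts(msg) -> list[str]:
    """Hostnames named in the 'from' clause of each Received header, newest first."""
    hosts = []
    for received in msg.get_all("Received", []):
        m = re.search(r"\bfrom\s+([A-Za-z0-9.-]+)", str(received))
        if m:
            hosts.append(m.group(1))
    return hosts

def triage(raw: str, today: date, max_age_days: int = 180) -> list[str]:
    """Return human-readable findings for the header checks described above."""
    msg = message_from_string(raw, policy=policy.default)
    from_dom = registrable(parseaddr(str(msg["From"]))[1].split("@")[-1])
    reply_dom = registrable(parseaddr(str(msg["Reply-To"] or msg["From"]))[1].split("@")[-1])
    findings = []
    if reply_dom != from_dom:
        findings.append(f"reply-to mismatch: {from_dom} -> {reply_dom}")
    relays = {registrable(h) for h in relay_hosts(msg)}
    for dom in sorted(relays - {from_dom}):
        findings.append(f"relayed via unrelated domain: {dom}")
    for dom in sorted(relays | {reply_dom, from_dom}):
        reg = DOMAIN_REGISTERED.get(dom)
        if reg and (today - reg).days < max_age_days:
            findings.append(f"recently registered domain: {dom} ({reg.isoformat()})")
    return findings

def triage_sample() -> list[str]:
    """Run the checks against the constructed sample as of an assumed analysis date."""
    return triage(RAW_MESSAGE, date(2021, 12, 1))
```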

3. Impersonation

Sample of the phishing email

Like many other phishing emails, this one is built around a scheduled-shipment pretext that looks legitimate.

4. Trojan attachment

The attachment contains three files: two zip files and a PNG image of Maersk. The zip files hold the code for STRRAT.

Investigation of the Attachment

On examining the zip attachments, the following was found.

  1. The jar files inside the attachments contained code processed by “ALLATORIxDEMO”, a Java obfuscator. A Java deobfuscator was used to analyse the embedded code.
  2. A config.txt file was found, base64-encoded and AES-encrypted. On decrypting the file, the samples showed code for a Log4Shell event.
  3. STRRAT copies itself to a new directory and creates a Windows startup registry entry in order to maintain persistence.
  4. HRDP, a remote access tool, was used to control the remote system.

Threat actors are creating ever more complicated malware variants every day, affecting every sector, whether shipping and transportation or any other. Threats are predicted to grow in the coming years. Though STRRAT is not well known, it is capable of performing highly critical malicious functions.


Balaji N

BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.
