Published Jun 09, 2021 | Updated Jun 09, 2021

Trojan:Java/StrRat.A!MTB

Detected by Microsoft Defender Antivirus

Aliases: No associated aliases

Summary

Microsoft Defender Antivirus detects and removes this threat.

StrRAT is a multi-functional Java-based remote access tool (RAT) that is known for its data stealing capabilities and fake ransomware-like behavior.

Attackers distribute StrRAT malware through malicious email campaigns. This RAT can steal browser credentials, log keystrokes and take remote control of infected systems. It also has a module that can download additional payloads onto the infected device after receiving specific instructions from the attackers’ command-and-control (C2) server. This RAT poses as ransomware: it has an encryption/decryption module that appends a .crimson extension to files without actually encrypting them.
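Because the description above says StrRAT only appends .crimson to files rather than encrypting them, a responder can verify that claim per file and recover by renaming. The script below is an added example, not Microsoft's or StrRAT's code; it assumes an entropy threshold of 7.5 bits/byte to separate intact content from genuinely encrypted data, and the sample files it creates are constructed.

```python
"""Triage files renamed with .crimson: confirm the content is still intact, then restore the name."""
import math
import os
import tempfile
from collections import Counter
from pathlib import Path

SUFFIX = ".crimson"          # extension the description attributes to StrRAT
ENCRYPTED_THRESHOLD = 7.5    # bits per byte; assumption chosen for this example


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of `data` (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def looks_encrypted(data: bytes) -> bool:
    """Real ciphertext sits near 8 bits/byte; text, documents and most binaries are well below."""
    return shannon_entropy(data) >= ENCRYPTED_THRESHOLD


def triage(root: Path, restore: bool = False) -> list[dict]:
    """Find *.crimson files under `root`, classify each, and optionally restore the original name."""
    results = []
    for path in root.rglob(f"*{SUFFIX}"):
        if not path.is_file():
            continue
        sample = path.read_bytes()[:65536]   # first 64 KiB is enough for an entropy estimate
        encrypted = looks_encrypted(sample)
        original = path.with_name(path.name[: -len(SUFFIX)])
        record = {"path": str(path), "entropy": round(shannon_entropy(sample), 2),
                  "encrypted": encrypted, "restored": False}
        # Rename only when the content is plausibly intact and the target name is free.
        if restore and not encrypted and not original.exists():
            path.rename(original)
            record["restored"] = True
        results.append(record)
    return results


def demo() -> list[dict]:
    """Constructed sample: one intact text file and one random blob standing in for real ciphertext."""
    work = Path(tempfile.mkdtemp())
    (work / "quarterly_report.txt.crimson").write_bytes(b"Q2 revenue summary\n" * 40)
    (work / "backup.db.crimson").write_bytes(os.urandom(4096))
    return sorted(triage(work, restore=True), key=lambda r: r["path"])


if __name__ == "__main__":
    for record in demo():
        print(record)
```

Files flagged as encrypted are left untouched for the incident response team; only files whose content still looks like plaintext are renamed back.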

Microsoft Defender Antivirus automatically removes threats as they are detected. If you have cloud-delivered protection, your device gets the latest defenses against new and unknown threats. If you don't have this feature enabled, update your antimalware definitions and run a full scan to remove this threat.

To help reduce the impact of this threat, you can:

  • Assume that this device is compromised. Inspect the device thoroughly, check for malicious activities in its timeline and isolate it from the network if possible.
  • Investigate how the affected endpoint might have been compromised. Check web and email traffic to determine how the payload arrived.
  • Check for credential theft attempts. Even without clear indicators, consider decommissioning or resetting all accounts used on this device.
  • Determine how this device was compromised by checking the mailbox for unsolicited emails that contained suspicious attachments or links, or by scanning the device for the presence of StrRAT malware.
  • Ensure server systems are restricted from accessing the internet for arbitrary browsing, downloads, or malware command-and-control traffic by using network firewall rules at the perimeter as well as proxy settings.
  • Initiate an incident response process, focusing on responding to possible data exfiltration and ransomware deployment, both of which attackers might have already performed. Contact your incident response team. If you don't have one, contact Microsoft support for investigation and remediation services.

You can also visit our advanced troubleshooting page or search the Microsoft community for more help.
