VCURMS and STRRAT Trojans

A new phishing campaign has been observed delivering remote access trojans (RAT) such as VCURMS and STRRAT by means of a malicious Java-based downloader.

“The attackers stored malware on public services like Amazon Web Services (AWS) and GitHub, employing a commercial protector to avoid detection of the malware,” Fortinet FortiGuard Labs researcher Yurren Wan said.

An unusual aspect of the campaign is VCURMS’ use of a Proton Mail email address (“sacriliage@proton[.]me”) for communicating with a command-and-control (C2) server.

The attack chain commences with a phishing email that urges recipients to click on a button to verify payment information, resulting in the download of a malicious JAR file (“Payment-Advice.jar”) hosted on AWS.

Executing the JAR file leads to the retrieval of two more JAR files, which are then run separately to launch the twin trojans.

Besides sending an email with the message “Hey master, I am online” to the actor-controlled address, VCURMS RAT periodically checks the mailbox for emails with specific subject lines to extract the command to be executed from the body of the missive.

This includes running arbitrary commands using cmd.exe, gathering system information, searching and uploading files of interest, and downloading additional information stealer and keylogger modules from the same AWS endpoint.

The information stealer comes fitted with capabilities to siphon sensitive data from apps like Discord and Steam, credentials, cookies, and auto-fill data from various web browsers, screenshots, and extensive hardware and network information about the compromised hosts.

VCURMS is said to share similarities with another Java-based infostealer codenamed Rude Stealer, which emerged in the wild late last year. STRRAT, on the other hand, has been detected in the wild since at least 2020, often propagated in the form of fraudulent JAR files.

“STRRAT is a RAT built using Java, which has a wide range of capabilities, such as serving as a keylogger and extracting credentials from browsers and applications,” Wan noted.

The disclosure comes as Darktrace revealed a novel phishing campaign that’s taking advantage of automated emails sent from the Dropbox cloud storage service via “no-reply@dropbox[.]com” to propagate a bogus link mimicking the Microsoft 365 login page.

“The email itself contained a link that would lead a user to a PDF file hosted on Dropbox, that was seemingly named after a partner of the organization,” the company said. “the PDF file contained a suspicious link to a domain that had never previously been seen on the customer’s environment, ‘mmv-security[.]top.'”