Category: Malware
Type: Remote access trojan (RAT)
Platforms affected: Windows
Variants: STRRAT 1.2, 1.5, 1.6
Damage potential: Stolen credentials, keylogging, data exfiltration, backdoor capabilities
Overview
STRRAT is a Java-based remote access trojan. It collects login credentials from browsers and email services, steals passwords by recording keystrokes or extracting saved passwords from browsers, and sends all this data to its command and control servers.
STRAAT also mimics a ransomware attack by adding the “.crimson” extension to file names and dropping a fake ransom note — but this is just to deceive victims. STRAAT doesn’t encrypt files.
Possible symptoms
If you notice the “.crimson” extension on your files or find a note titled “crimson_info.txt”, you might suspect a STRAAT infection. Here are other possible symptoms:
- Slower computer performance.
- Unexpected restarts.
- Unauthorized changes in system settings.
Sources of infection
STRAAT typically infects devices through phishing emails that trick recipients into opening malicious attachments, such as Excel files.
Protection
Staying vigilant online is crucial to protecting your devices from STRAAT and similar threats.
- Always be cautious about email attachments, especially from unknown senders.
- Avoid downloading files or software from unofficial sources.
- Scan downloads for malware with NordVPN’s Threat Protection Pro.
- Use a password manager instead of saving passwords in your browser.
- Make sure your operating systems and software are updated.
- Install a reputable antivirus solution.
- Regularly back up important data.
Removal
Follow these steps to remove STRRAT from an infected device with antivirus software:
- Disconnect from the internet to stop STRRAT from communicating with its command and control servers.
- Run a full system scan and follow the software instructions to remove the malware.
- Restart your device.
- Change passwords for your online account.
- If you’re unsure about the complete removal, consider getting professional help.
