From any.run
There’s a new phishing campaign delivering STRRAT and VCURMS Remote Access Trojans through a malicious Java-based downloader, which we can observe on ANY.RUN.
STRRAT is a Java-based Remote Access Trojan (RAT) that primarily functions as a keylogger, extracting credentials from browsers and applications.
VCURMS is another RAT, possibly connected to the Rude Stealer malware. It runs cmd.exe commands, collects system data and credentials from browsers, Discord, Steam, and other programs. It can also upload additional modules to expand its information-stealing functionality as needed.
The attack chain begins with a phishing email urging recipients to click a button to verify payment information. Clicking this button downloads a malicious JAR file disguised as a payment invoice. This file then downloads and runs two more JAR files to launch the VCURMS and STRRAT trojans.
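A detection check for the chain described above, added here as an example and not taken from ANY.RUN's analysis: it scans process-creation events for a JAR started from a user-writable folder whose Java process then launches two or more other JARs. The event shape, paths, PIDs and file names are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed process-creation events (shape loosely modelled on Sysmon Event ID 1).
# Every path, PID and file name below is invented for this example.
JAVAW = r"C:\Program Files\Java\bin\javaw.exe"
JAVA = r"C:\Program Files\Java\bin\java.exe"
EVENTS = [
    {"pid": 4100, "ppid": 3000, "image": JAVAW,
     "cmdline": r'javaw.exe -jar "C:\Users\alice\Downloads\Payment-Invoice.jar"'},
    {"pid": 4200, "ppid": 4100, "image": JAVA,
     "cmdline": r"java.exe -jar C:\Users\alice\AppData\Local\Temp\a.jar"},
    {"pid": 4300, "ppid": 4100, "image": JAVA,
     "cmdline": r"java.exe -jar C:\Users\alice\AppData\Local\Temp\b.jar"},
    # Benign contrast: an installed tool that starts a single helper JAR.
    {"pid": 5100, "ppid": 3000, "image": JAVAW,
     "cmdline": r'javaw.exe -jar "C:\Tools\app\editor.jar"'},
    {"pid": 5200, "ppid": 5100, "image": JAVA,
     "cmdline": r"java.exe -jar C:\Tools\app\helper.jar"},
]

JAVA_IMAGE = re.compile(r"\\javaw?\.exe$", re.IGNORECASE)
JAR_ARG = re.compile(r'-jar\s+(?:"([^"]+\.jar)"|(\S+\.jar))', re.IGNORECASE)
USER_WRITABLE = re.compile(r"\\(downloads|appdata|temp|desktop)\\", re.IGNORECASE)

def jar_of(event):
    """Return the JAR path a Java process was started with, or None."""
    if not JAVA_IMAGE.search(event["image"]):
        return None
    m = JAR_ARG.search(event["cmdline"])
    return (m.group(1) or m.group(2)) if m else None

def find_jar_chains(events, min_children=2):
    """Flag Java processes running a user-writable JAR that spawn other JARs."""
    jars = {e["pid"]: jar_of(e) for e in events}  # assumes no PID reuse in the window
    children = defaultdict(set)
    for e in events:
        child_jar, parent_jar = jars[e["pid"]], jars.get(e["ppid"])
        if child_jar and parent_jar and child_jar.lower() != parent_jar.lower():
            children[e["ppid"]].add(child_jar)
    return [
        {"parent_pid": pid, "parent_jar": jars[pid], "child_jars": sorted(kids)}
        for pid, kids in sorted(children.items())
        if len(kids) >= min_children and USER_WRITABLE.search(jars[pid])
    ]

if __name__ == "__main__":
    for hit in find_jar_chains(EVENTS):
        print(hit)
```

Legitimate Java launchers can also start child JARs, so a hit is a lead for triage rather than a verdict.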