Attackers distribute malware via malicious JARs and Polyglot Files
Deep Instinct researchers reported that RATs such as StrRAT and Ratty were used in a 2022 campaign delivered via polyglot and JAR files. Both threats appear to report back to the same C2 server, implying that a single group is behind them and is focusing its exploitation on a weakness it has discovered.
This new RAT distribution campaign combines the JAR and MSI file formats into a single file. The MSI+JAR polyglot technique itself is not new: it was discovered in 2019, was assigned a CVE number (CVE-2020-1464) and was even patched. It is worth noting that the fix appears to have been insufficient.
According to reports, the threat actors had moderate success evading detection by anti-virus engines, which is significant given how old and well-documented the two RATs are. The StrRAT payload was used in a campaign that combined the JAR and MSI file formats, meaning the same file could be executed both by Windows (as an MSI) and by the Java Runtime Environment (as a JAR).
According to the report, another campaign deployed StrRAT and Ratty using CAB and JAR polyglots. Sendgrid and the URL shortening services Cutt.ly and Rebrand.ly were used to distribute the polyglots, while the StrRAT and Ratty payloads they retrieve were hosted on Discord.
In terms of detection, the CAB/JAR polyglots yielded six positives out of 59 AV engines on VirusTotal, whereas the MSI/JAR polyglots were identified by 30 security vendors. The detection rate therefore varies between roughly 10% and 50%.
Initial access is gained through phishing: the attackers rely on URL shorteners to trick unwitting victims into following a link such as Rebrand[.]ly/afjlfvp, which cybersecurity experts have observed across various malicious environments. To avoid detection, a signed MSI file is used; the observed sample has the hash 85d8949119dad6215ae0a21261b037af.
“The proper detection for JAR files should be both static and dynamic. It’s inefficient to scan every file for the presence of an end of central directory record at the end of the file. Defenders should monitor both ‘java’ and ‘javaw’ processes. If such a process has ‘-jar’ as an argument, the filename passed as an argument should be treated as a JAR file regardless of the file extension or the output of the Linux ‘file’ command,” the report said.
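The two checks the report recommends, as an added example that is not code from Deep Instinct or the report: a static check that a file both opens like an MSI or CAB from the front and carries a structurally valid ZIP end-of-central-directory record at the tail (the property that makes a polyglot work), and a dynamic check that pulls the real JAR path out of a java/javaw command line regardless of extension. The sample polyglot, the manifest contents and the command lines are constructed for the demonstration.

```python
import io
import zipfile
from typing import List, Optional

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # MSI is an OLE compound document
CAB_MAGIC = b"MSCF"                              # Microsoft Cabinet
EOCD_MAGIC = b"PK\x05\x06"                       # ZIP end-of-central-directory record

def leading_format(data: bytes) -> Optional[str]:
    """Container a start-of-file parser (msiexec, a CAB extractor) would see."""
    if data.startswith(OLE_MAGIC):
        return "msi"
    return "cab" if data.startswith(CAB_MAGIC) else None

def find_eocd(data: bytes) -> Optional[int]:
    """Offset of a valid EOCD record (record plus its comment must end the file),
    searched from the end as the Java launcher does; None if there is none."""
    start = max(0, len(data) - (22 + 65535))  # fixed record + max comment length
    pos = data.rfind(EOCD_MAGIC, start)
    while pos != -1:
        comment_len = int.from_bytes(data[pos + 20:pos + 22], "little")
        if pos + 22 + comment_len == len(data):
            return pos
        pos = data.rfind(EOCD_MAGIC, start, pos)
    return None

def classify(data: bytes) -> str:
    """'polyglot:<front>+jar' when both a front parser and a ZIP parser accept it."""
    front, is_jar = leading_format(data), find_eocd(data) is not None
    if front and is_jar:
        return f"polyglot:{front}+jar"
    return "jar" if is_jar else (front or "unknown")

def jar_from_cmdline(argv: List[str]) -> Optional[str]:
    """Path that java/javaw will load as a JAR, whatever its extension says."""
    image = argv[0].replace("\\", "/").rsplit("/", 1)[-1].lower()
    if image not in {"java", "javaw", "java.exe", "javaw.exe"}:
        return None
    for i in range(1, len(argv) - 1):
        if argv[i] == "-jar":
            return argv[i + 1]
    return None

def build_sample_polyglot() -> bytes:
    """Constructed sample: a fake CAB header glued in front of a minimal JAR."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\nMain-Class: Run\n")
    return CAB_MAGIC + b"\x00" * 32 + buf.getvalue()
```

The static check is meant for files already singled out by the process monitor (or by a front-format match), not for scanning every file, which is the inefficiency the report points out.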
The sources for this piece include an article in BleepingComputer.