Remote access trojans such as StrRAT and Ratty are being distributed as a combination of polyglot and malicious Java archive (JAR) files, once again highlighting how threat actors are continuously finding new ways to fly under the radar.
“Attackers now use the polyglot technique to confuse security solutions that don't properly validate the JAR file format,” Deep Instinct security researcher Simon Kenin said in a report.
Polyglot files are files that combine syntax from two or more different formats in such a way that each format can be parsed without raising any error.
One such 2022 campaign spotted by the cybersecurity firm involves the use of the JAR and MSI formats – i.e., a file that is valid both as a JAR and as an MSI installer – to deploy the StrRAT payload. This also means the file can be executed by both Windows and the Java Runtime Environment (JRE), depending on how it is interpreted.
Another instance involves the use of CAB and JAR polyglots to deliver both Ratty and StrRAT. The artifacts are propagated using URL shortening services such as cutt.ly and rebrand.ly, with some of them hosted on Discord.
“What's special about ZIP files is that they are identified by the presence of an end of central directory record which is located at the end of the archive,” Kenin explained. “This means that any ‘junk’ we append at the beginning of the file will be ignored and the archive is still valid.”
The lack of proper validation of JAR files results in a scenario where malicious prepended content can bypass security software and stay undetected until it is executed on the compromised hosts.
This isn't the first time such malware-laced polyglots have been detected in the wild. In November 2022, Berlin-based DCSO CyTec unearthed an information stealer dubbed StrelaStealer that is spread as a DLL/HTML polyglot.
“The proper detection for JAR files should be both static and dynamic,” Kenin said. “It is inefficient to scan every file for the presence of an end of central directory record at the end of the file.”
“Defenders should monitor both ‘java’ and ‘javaw’ processes. If such a process has ‘-jar’ as an argument, the filename passed as an argument should be treated as a JAR file regardless of the file extension or the output of the Linux ‘file’ command.”
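As an added example (not code from the article or from Deep Instinct), the static check implied by Kenin's description of the end of central directory record can be done directly from the archive tail: the script below parses that record, works out how many bytes sit in front of an otherwise valid archive, and builds a constructed JAR with a made-up prefix (no real MSI or CAB header; `SAMPLE_PREFIX` and the placeholder `Main.class` bytes are assumptions for the demo) to show that Python's `zipfile` still opens it while the check flags the prepended data.

```python
import io
import struct
import zipfile

EOCD_SIG = b"PK\x05\x06"  # end of central directory record signature
CDH_SIG = b"PK\x01\x02"   # central directory file header signature
LFH_SIG = b"PK\x03\x04"   # local file header; a clean ZIP/JAR begins with this

# Constructed stand-in for another format's header; not a real MSI or CAB.
SAMPLE_PREFIX = b"CONSTRUCTED-PREFIX-NOT-A-REAL-MSI-HEADER\x00" * 8


def analyze_zip_tail(data: bytes) -> dict:
    """Parse the EOCD record and report how many bytes precede the archive."""
    # EOCD is 22 bytes followed by an optional comment of at most 65535 bytes,
    # so it must sit within the last 22 + 65535 bytes of the file.
    search_from = max(0, len(data) - (22 + 0xFFFF))
    eocd_pos = data.rfind(EOCD_SIG, search_from)
    if eocd_pos < 0 or eocd_pos + 22 > len(data):
        return {"is_zip": False}
    (_sig, _disk, _cd_disk, _n_on_disk, n_total, cd_size, cd_offset,
     _comment_len) = struct.unpack("<4sHHHHIIH", data[eocd_pos:eocd_pos + 22])
    # The central directory really sits just before the EOCD; the EOCD records
    # where it *should* be. The difference is the prepended data a ZIP reader
    # silently skips, which is exactly what the polyglot trick relies on.
    actual_cd_pos = eocd_pos - cd_size
    return {
        "is_zip": data[actual_cd_pos:actual_cd_pos + 4] == CDH_SIG,
        "entries": n_total,
        "leading_bytes": actual_cd_pos - cd_offset,
        "starts_with_local_header": data.startswith(LFH_SIG),
    }

def build_sample_jar() -> bytes:
    """Constructed minimal JAR: a manifest plus placeholder class bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as z:
        z.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\nMain-Class: Main\n")
        z.writestr("Main.class", b"\xca\xfe\xba\xbe" + b"\x00" * 28)  # not a real class
    return buf.getvalue()

def build_sample_polyglot() -> bytes:
    """Glue the constructed prefix in front of the JAR; the JAR stays readable."""
    return SAMPLE_PREFIX + build_sample_jar()

if __name__ == "__main__":
    sample = build_sample_polyglot()
    print("zipfile still lists:", zipfile.ZipFile(io.BytesIO(sample)).namelist())
    print(analyze_zip_tail(sample))
```

A non-zero `leading_bytes` on a file that a `java -jar` process is about to load is the kind of signal the dynamic monitoring Kenin recommends can act on, independent of the extension or the `file` command's verdict.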