Remote access trojans such as StrRAT and Ratty are being distributed as a combination of polyglot and malicious Java archive (JAR) files, once again highlighting how threat actors are continuously finding new ways to fly under the radar.
“Attackers now use the polyglot technique to confuse security solutions that don’t properly validate the JAR file format,” Deep Instinct security researcher Simon Kenin said in a report.
Polyglot files are files that combine syntax from two or more different formats in a manner such that each format can be parsed without raising any error.
One such 2022 campaign spotted by the cybersecurity firm involves the use of JAR and MSI formats – i.e., a file that’s valid both as a JAR and an MSI installer – to deploy the StrRAT payload. This also means that the file can be executed by both Windows and Java Runtime Environment (JRE) based on how it’s interpreted.
Another instance involves the use of CAB and JAR polyglots to deliver both Ratty and StrRAT. The artefacts are propagated using URL shortening services such as cutt.ly and rebrand.ly, with some of them hosted on Discord.
images from Hacker News