January 13, 2023Rabbi LakshmananCyber ​​Threat/Malware Detection

Remote access Trojans such as StrRAT and Ratty are distributed as a combination of polyglots and malicious Java archives (jar.

“Attackers are currently using polyglot techniques to confuse security solutions that do not properly validate the JAR file format,” said Simon Kenin, security researcher at Deep Instinct. Said in the report.

Multilingual file A file that combines the syntax of two or more different formats so that each format can be parsed without error.

One such 2022 campaign spotted by a cybersecurity firm is deploying StrRAT payloads using JAR and MSI formats (i.e. files that are valid as both JAR and MSI installers). This also means that the file can be run by both Windows and the Java Runtime Environment (JRE), depending on how the file is interpreted.

Another example uses CAB and JAR polyglots to deliver both Ratty and StrRAT. Artifacts are propagated using URL shortening services such as cutt.ly and rebrand.ly, some of which are hosted on Discord.

“What’s special about ZIP files is that they are identified by the presence of a .zip file. end of central directory record It’s at the end of the archive,” Kenin explained.

Multilingual file

JAR files are not properly validated, creating a scenario where additional malicious content bypasses security software and remains undetected until executed on a compromised host.

This is not the first time such malware-laden polyglots have been detected in the wild. In November 2022, his Berlin-based DCSO CyTec will Strela stealer It’s spread as a DLL/HTML polyglot.

“Proper detection of JAR files should be both static and dynamic,” Kenin said. “It is not efficient to scan all files for the existence of the tail of the central directory record at the end of the file.”

“A defender should monitor both the ‘java’ and ‘javaw’ processes. If such a process has “-jar” as an argument, the filename passed as an argument should be treated as a JAR file, regardless of file extension or Linux output. “File” command. “

Did you find this article interesting?Please follow us twitter When LinkedIn To read more exclusive content that we post.



Register now for our membership to gain access to our elite training program and fast forward your career today!


Subscribe my Newsletter for new blog posts, tips & new photos. Let's stay updated!

Security Blog

Blue Training Academy

Blue Training Academy was developed in 2018 as a educational and training facility for continuing education and certification courses. Blue Training Academy is an educational institution that allows for all sectors of the public and Criminal Justice field to gain ongoing training and education.

Copyright ©️ All rights reserved. | Blue Training Academy Blog