Remote access trojans such as StrRAT and Ratty are being distributed as a combination of polyglot and malicious Java archive (JAR) files, once again highlighting how threat actors are continuously finding new ways to fly under the radar.
“Attackers now use the polyglot technique to confuse security solutions that don’t properly validate the JAR file format,” Deep Instinct security researcher Simon Kenin said in a report.
Polyglot files are files that combine syntax from two or more different formats in a manner such that each format can be parsed without raising any error.
One such 2022 campaign spotted by the cybersecurity firm is the use of JAR and MSI formats – i.e., a file that’s valid both as a JAR and an MSI installer – to deploy the StrRAT payload. This also means that the file can be executed by both Windows and Java Runtime Environment (JRE) based on how it’s interpreted.
Another instance involves the use of CAB and JAR polyglots to deliver both Ratty and StrRAT. The artifacts are propagated using URL shortening services such as cutt.ly and rebrand.ly, with some of them hosted on Discord.
“What’s special about ZIP files is that they’re identified by the presence of an end of central directory record which is located at the end of the archive,” Kenin explained. “This means that any ‘junk’ we append in the beginning of the file will be ignored and the archive is still valid.”
The lack of adequate validation of the JAR files results in a scenario where malicious appended content can bypass security software and stay undetected until they are executed on the compromised hosts.
This is not the first time such malware-laced polyglots have been detected in the wild. In November 2022, Berlin-based DCSO CyTec unearthed an information stealer dubbed StrelaStealer that’s spread as a DLL/HTML polyglot.
“The proper detection for JAR files should be both static and dynamic,” Kenin said. “It’s inefficient to scan every file for the presence of an end of central directory record at the end of the file.”
“Defenders should monitor both ‘java’ and ‘javaw’ processes. If such a process has ‘-jar’ as an argument the filename passed as an argument should be treated as a JAR file regardless of the file extension or the output of the Linux ‘file’ command.”