RAT malware campaign tries to evade detection using polyglot files

silversurfer

Super Moderator
Thread author
Verified
Top Poster
Staff Member
Malware Hunter
Aug 17, 2014
11,072
Operators of the StrRAT and Ratty remote access trojans (RAT) are running a new campaign using polyglot MSI/JAR and CAB/JAR files to evade detection from security tools.

The campaign was spotted by Deep Instinct, which reports that the threat actors achieve moderate success in evading detection by anti-virus engines. This is notable considering how old and well-documented the two particular RATs are.

Polyglot files combine two or more file formats in a way that makes it possible for them to be interpreted and launched by multiple different applications without error.
One notable case that has been employed since 2018, which is also what Deep Instinct observed in the latest RAT distribution campaign, is the combination of JAR and MSI formats into a single file.

JAR files are archives identified as such by a record at their end, while in MSI, the file type identifier is a “magic header” at the beginning of the file, so threat actors can easily combine the two formats into a single file. This dual format allows them to be executed as an MSI in Windows and also executed as a JAR file by the Java runtime.
 

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top