RAT malware campaign tries to evade detection using polyglot files

silversurfer

Thread author
Operators of the StrRAT and Ratty remote access trojans (RAT) are running a new campaign using polyglot MSI/JAR and CAB/JAR files to evade detection from security tools.

The campaign was spotted by Deep Instinct, which reports that the threat actors achieve moderate success in evading detection by anti-virus engines. This is notable considering how old and well-documented the two particular RATs are.

Polyglot files combine two or more file formats in a way that makes it possible for them to be interpreted and launched by multiple different applications without error.
One notable case that has been employed since 2018, which is also what Deep Instinct observed in the latest RAT distribution campaign, is the combination of JAR and MSI formats into a single file.

JAR files are archives identified as such by a record at their end, while in MSI, the file type identifier is a “magic header” at the beginning of the file, so threat actors can easily combine the two formats into a single file. This dual format allows them to be executed as an MSI in Windows and also executed as a JAR file by the Java runtime.
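The post describes the two structural facts a defender can key on: an MSI is recognised by a magic header at offset 0, while a JAR (a ZIP archive) is recognised by an End of Central Directory (EOCD) record at the end of the file. The following triage script is an added example, not code from the post, the news article or Deep Instinct; it flags files that carry an OLE/MSI or CAB header at the front and a valid ZIP EOCD record at the back, which a single-format MSI or CAB has no reason to contain. The sample byte strings at the bottom are constructed test fixtures (header bytes plus padding plus a synthetic EOCD), not real installers or archives.

```python
import struct

# Real format signatures: MSI files are OLE Compound File Binary containers,
# CAB files start with "MSCF", and ZIP/JAR archives end with an EOCD record
# whose signature is "PK\x05\x06" (0x06054b50 little-endian).
OLE_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")
CAB_MAGIC = b"MSCF"
ZIP_LOCAL_HDR = b"PK\x03\x04"
ZIP_EOCD_SIG = b"PK\x05\x06"
EOCD_FIXED_LEN = 22          # EOCD record without the optional archive comment
EOCD_MAX_COMMENT = 0xFFFF    # comment length is a 16-bit field


def leading_format(data: bytes):
    """Identify the container a Windows loader would see from the file head."""
    if data.startswith(OLE_MAGIC):
        return "MSI/OLE"
    if data.startswith(CAB_MAGIC):
        return "CAB"
    if data.startswith(ZIP_LOCAL_HDR):
        return "ZIP/JAR"
    return None


def has_trailing_zip_eocd(data: bytes) -> bool:
    """True if the file ends with a structurally valid ZIP EOCD record.

    The Java runtime locates a JAR by scanning backwards from the end of the
    file for this record, so it is what makes the trailing half 'a JAR'.
    We require the record's own comment-length field to land exactly on EOF,
    which rules out accidental "PK\\x05\\x06" byte runs elsewhere in the tail.
    """
    tail = data[-(EOCD_FIXED_LEN + EOCD_MAX_COMMENT):]
    idx = tail.rfind(ZIP_EOCD_SIG)
    while idx != -1:
        record = tail[idx:idx + EOCD_FIXED_LEN]
        if len(record) == EOCD_FIXED_LEN:
            comment_len = struct.unpack_from("<H", record, 20)[0]
            if idx + EOCD_FIXED_LEN + comment_len == len(tail):
                return True
        idx = tail.rfind(ZIP_EOCD_SIG, 0, idx)
    return False


def classify(data: bytes):
    """Return (head_format, has_zip_tail, verdict) for a file's bytes.

    verdict is "polyglot-suspect" when a non-ZIP container header is paired
    with a ZIP EOCD trailer, "single-format" when only one side is present,
    and "unknown" when neither signature is recognised.
    """
    head = leading_format(data)
    zip_tail = has_trailing_zip_eocd(data)
    if head in ("MSI/OLE", "CAB") and zip_tail:
        return head, zip_tail, "polyglot-suspect"
    if head is not None or zip_tail:
        return head, zip_tail, "single-format"
    return head, zip_tail, "unknown"


def make_eocd(comment: bytes = b"") -> bytes:
    """Build a syntactically valid EOCD record (constructed test data only)."""
    return ZIP_EOCD_SIG + struct.pack("<HHHHIIH", 0, 0, 0, 0, 0, 0, len(comment)) + comment


# Constructed fixtures: header bytes, padding and a synthetic EOCD. These are
# not functional installers or archives; they only exercise the detector.
SAMPLE_MSI_JAR = OLE_MAGIC + b"\x00" * 512 + ZIP_LOCAL_HDR + b"\x00" * 26 + make_eocd()
SAMPLE_CAB_JAR = CAB_MAGIC + b"\x00" * 64 + make_eocd(b"x")
SAMPLE_PLAIN_MSI = OLE_MAGIC + b"\x00" * 512
SAMPLE_PLAIN_JAR = ZIP_LOCAL_HDR + b"\x00" * 26 + make_eocd()
SAMPLE_TEXT = b"just some text, no container at all\n"

if __name__ == "__main__":
    for name, blob in [("msi+jar", SAMPLE_MSI_JAR), ("cab+jar", SAMPLE_CAB_JAR),
                       ("msi", SAMPLE_PLAIN_MSI), ("jar", SAMPLE_PLAIN_JAR),
                       ("text", SAMPLE_TEXT)]:
        print(name, classify(blob))
```

The check is a triage indicator rather than proof of malice: an EOCD record at the end of an MSI or CAB is structurally unnecessary for either format, so its presence justifies pulling the file for deeper inspection (for example extracting and examining the embedded JAR), while its absence says nothing about a file's other contents.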