Operators of the StrRAT and Ratty remote access trojans (RAT) are running a new campaign using polyglot MSI/JAR and CAB/JAR files to evade detection from security tools.
The campaign was spotted by Deep Instinct, which reports that the threat actors achieve moderate success in evading detection by anti-virus engines. This is notable considering how old and well-documented the two particular RATs are.
Polyglot files combine two or more file formats in a way that makes it possible for them to be interpreted and launched by multiple different applications without error.
Threat actors have been using polyglot files to hide malicious code, confuse security solutions, and bypass protections for several years now.
Most recently, we reported about this technique being employed by the StrelaStealer malware that targets Outlook and Thunderbird accounts.
Despite Microsoft’s efforts to address the problem by implementing a signature-based detection system, there are ways to bypass this protection, so polyglot files continue to be used for malicious purposes.
RAT polyglot campaign
One notable case that has been employed since 2018, which is also what Deep Instinct observed in the latest RAT distribution campaign, is the combination of JAR and MSI formats into a single file.
JAR files are archives identified as such by a record at their end, while in MSI, the file type identifier is a “magic header” at the beginning of the file, so threat actors can easily combine the two formats into a single file.
This dual format allows them to be executed as an MSI in Windows and also executed as a JAR file by the Java runtime.
JARs are not executables, so they’re not as vigorously checked by anti-virus tools. Unfortunately, this allows them to hide malicious code and trick the AV into scanning the MSI part of the file, which should come out clean.
Deep Instinct noticed CAB/JAR combinations instead of MSI in other cases involving the same two RAT families. CABs are also good candidates for polyglot combinations with JARs because they, too, feature a magic header for file type interpretation.
The polyglots used in this campaign are spread by Sendgrid and URL shortening services like Cutt.ly and Rebrand.ly, while the fetched StrRAT and Ratty payloads are stored in Discord.
In terms of detection, the CAB/JAR polyglots return six positives out of 59 AV engines on Virus Total, while 30 security vendors identify the MSI/JAR polyglots. Hence, the detection rate ranges between 10% and 50%.
Deep Instinct reports that many of the examined polyglots for both StrRAT and Ratty use the same C2 address and are hosted by the same Bulgarian hosting firm.
Hence, it’s possible that both strains are used in a single campaign run by the same operator.
