Cybercriminals Using Polyglot Files in Malware Distribution to Fly Under the Radar

Jan 13, 2023Ravie LakshmananCyber Threat / Malware Detection

Remote access trojans such as StrRAT and Ratty are being
distributed as a combination of polyglot and malicious Java archive
(JAR ^[1]) files, once again
highlighting how threat actors are continuously finding new ways to
fly under the radar.

“Attackers now use the polyglot technique to confuse security
solutions that don’t properly validate the JAR file format,” Deep
Instinct security researcher Simon Kenin said ^[2]
in a report.

Polyglot files ^[3]
are files that combine syntax from two or more different formats in
a manner such that each format can be parsed without raising any
error.

One such 2022 campaign spotted by the cybersecurity firm is the
use of JAR and MSI formats – i.e., a file that’s valid both as a
JAR and an MSI installer – to deploy the StrRAT payload. This also
means that the file can be executed by both Windows and Java
Runtime Environment (JRE) based on how it’s interpreted.

Another instance involves the use of CAB and JAR polyglots to
deliver both Ratty and StrRAT. The artifacts are propagated using
URL shortening services such as cutt.ly and rebrand.ly, with some
of them hosted on Discord.

“What’s special about ZIP files is that they’re identified by
the presence of an end of central directory record ^[4] which is located at the
end of the archive,” Kenin explained. “This means that any ‘junk’
we append in the beginning of the file will be ignored and the
archive is still valid.”

The lack of adequate validation of the JAR files results in a
scenario where malicious appended content can bypass security
software and stay undetected until they are executed on the
compromised hosts.

This is not the first time such malware-laced polyglots have
been detected in the wild. In November 2022, Berlin-based DCSO
CyTec unearthed an information stealer dubbed StrelaStealer ^[5]
that’s spread as a DLL/HTML polyglot.

“The proper detection for JAR files should be both static and
dynamic,” Kenin said. “It’s inefficient to scan every file for the
presence of an end of central directory record at the end of the
file.”

“Defenders should monitor both ‘java’ and ‘javaw’ processes. If
such a process has ‘-jar’ as an argument the filename passed as an
argument should be treated as a JAR file regardless of the file
extension or the output of the Linux ‘file’ command.”

Found this article interesting? Follow us on Twitter ^[6]
and LinkedIn ^[7]
to read more exclusive content we post.

References

^{^}
JAR
(en.wikipedia.org)
^{^}
said
(www.deepinstinct.com)
^{^}
Polyglot
files (en.wikipedia.org)
^{^}
end of
central directory record (en.wikipedia.org)
^{^}
StrelaStealer
(medium.com)
^{^}
Twitter
 (twitter.com)
^{^}
LinkedIn
(www.linkedin.com)