Threat Management

Stealthy malware distribution involves polyglot files

Threat actors have been leveraging polyglot and malicious Java archive files to distribute the StrRAT and Ratty remote access trojans to evade detection by security solutions, The Hacker News reports. Deep Instinct researchers discovered that the StrRAT payload has been deployed in a campaign leveraging both JAR and MSI file formats, indicating potential execution via Windows and Java Runtime Environments. Meanwhile, a separate campaign involved the deployment of StrRAT and Ratty using the CAB and JAR polyglots, with URL shortening services and leveraged to spread the artifacts, according to the report. "The proper detection for JAR files should be both static and dynamic. It's inefficient to scan every file for the presence of an end of central directory record at the end of the file. Defenders should monitor both 'java' and 'javaw' processes. If such a process has '-jar' as an argument the filename passed as an argument should be treated as a JAR file regardless of the file extension or the output of the Linux 'file' command," said security researcher Simon Kenin.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.