Threat actors have been leveraging polyglot and malicious Java archive files to distribute the StrRAT and Ratty remote access trojans to evade detection by security solutions, The Hacker News reports.
Deep Instinct researchers discovered that the StrRAT payload has been deployed in a campaign leveraging both JAR and MSI file formats, indicating potential execution via Windows and Java Runtime Environments.
Meanwhile, a separate campaign involved the deployment of StrRAT and Ratty using the CAB and JAR polyglots, with URL shortening services rebrand.ly and cutt.ly leveraged to spread the artifacts, according to the report.
"The proper detection for JAR files should be both static and dynamic. It's inefficient to scan every file for the presence of an end of central directory record at the end of the file. Defenders should monitor both 'java' and 'javaw' processes. If such a process has '-jar' as an argument the filename passed as an argument should be treated as a JAR file regardless of the file extension or the output of the Linux 'file' command," said security researcher Simon Kenin.