CRIL identified a new Java-based RAT embedded in a ZIP file found on VirusTotal, triggered via a LNK file. The malware, named Saw RAT, offers multiple capabilities and communicates over a socket-based C2 channel; the threat actors and victims remain unknown. #SawRAT #LNKFiles #JavaRAT #CRIL #Cyble #VirusTotal
Key points
- CRIL found a ZIP archive on VirusTotal with minimal detection, containing a Java-based RAT inside.
- A shortcut (.lnk) file in the ZIP triggers a JavaScript to start the malicious JAR, identified as “Saw RAT.”
- Saw RAT provides features such as system information collection, file transfer, directory listing, and arbitrary command execution.
- The threat actors use a socket-based C2 channel to enable data exchange and remote control functions.
- The specific threat actors and the targeted victims are currently unknown.
- Defensive guidance includes email filtering, limiting scripting languages, antivirus, network monitoring, strong passwords with 2FA, and regular backups.
MITRE Techniques
- [T1059.003] Command and Scripting Interpreter: Windows Command Shell – cmd.exe is used to run commands such as copy, start, and others.
- [T1059.007] Command and Scripting Interpreter: JavaScript – A JavaScript file opens a decoy PDF and runs the malicious JAR file.
- [T1132.001] Data Encoding: Standard Encoding (Base64) – The malware may receive a command from the server encoded in Base64, which it decodes before execution.
- [T1082] System Information Discovery – The malware gathers system information such as OS name, username, and similar details.
- [T1083] File and Directory Discovery – Enumerates files and folders to produce a directory listing.
- [T1005] Data from Local System – Attempts to gather information from the client system.
- [T1071] Non-Application Layer Protocol – Uses raw sockets for network communication with the C2 server.
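The execution chain described in the technique list (a shortcut launching a script host, which starts the JAR, with cmd.exe used for copy/start) is something a defender can hunt for in process-creation telemetry. The following is an added example, not code from Cyble or from the Saw RAT analysis: it flags a Java launcher started by a script host or cmd.exe, or running a JAR from a user-writable location. The sample events, field names and the choice of "user-writable" paths are constructed assumptions for illustration.

```python
"""Flag LNK -> script host -> JAR execution chains in process-creation events.

Added example for the behaviours summarised above; not Cyble's tooling.
Event format (assumed, not from any specific EDR): dict with keys
'parent', 'image', 'cmdline'.
"""
import re
from typing import Dict, List, Tuple

# Parents that commonly launch the JAR in this kind of chain (assumption).
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "cmd.exe"}
JAVA_LAUNCHERS = {"java.exe", "javaw.exe"}

# Locations a user (and therefore a dropped payload) can write to (assumption).
USER_WRITABLE = re.compile(r"\\(temp|appdata|downloads)\\", re.IGNORECASE)

# Extract the JAR path from "-jar <path>" whether or not it is quoted.
JAR_ARG = re.compile(r'-jar\s+(?:"([^"]+)"|(\S+))', re.IGNORECASE)

# Constructed sample events; command lines are illustrative, not from the report.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"parent": "explorer.exe", "image": "cmd.exe",
     "cmdline": r'cmd.exe /c start "" "C:\Users\alice\AppData\Local\Temp\files\launch.js"'},
    {"parent": "wscript.exe", "image": "javaw.exe",
     "cmdline": r'javaw.exe -jar "C:\Users\alice\AppData\Local\Temp\files\jpackage.jar"'},
    {"parent": "explorer.exe", "image": "java.exe",
     "cmdline": r'java.exe -jar "C:\Program Files\Vendor\app.jar"'},
    {"parent": "cmd.exe", "image": "java.exe",
     "cmdline": r"java.exe -jar C:\tools\build.jar"},
]


def classify(event: Dict[str, str]) -> Tuple[str, List[str]]:
    """Return (severity, reasons) for one process-creation event.

    severity is 'benign', 'medium' (one indicator) or 'high' (both indicators).
    """
    image = event["image"].lower()
    parent = event["parent"].lower()
    reasons: List[str] = []

    if image not in JAVA_LAUNCHERS:
        return "benign", reasons
    match = JAR_ARG.search(event["cmdline"])
    if not match:
        return "benign", reasons
    jar_path = match.group(1) or match.group(2)

    if parent in SCRIPT_HOSTS:
        reasons.append(f"java launched by script host {parent}")
    if USER_WRITABLE.search(jar_path):
        reasons.append(f"jar in user-writable path: {jar_path}")

    if len(reasons) == 2:
        return "high", reasons
    return ("medium", reasons) if reasons else ("benign", reasons)


def scan(events: List[Dict[str, str]]) -> List[Tuple[str, str, List[str]]]:
    """Run classify() over a batch and keep only the non-benign results."""
    hits = []
    for event in events:
        severity, reasons = classify(event)
        if severity != "benign":
            hits.append((severity, event["cmdline"], reasons))
    return hits


if __name__ == "__main__":
    for severity, cmdline, reasons in scan(SAMPLE_EVENTS):
        print(f"[{severity}] {cmdline}")
        for reason in reasons:
            print(f"    - {reason}")
```

The two indicators are scored separately on purpose: a build server legitimately runs `java -jar` from cmd.exe, and a user may run a JAR from Downloads, so each alone is only medium; the combination (script host parent and a JAR under Temp/AppData) is what matches the chain the report describes.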
Indicators of Compromise
- [File Name] files.zip, welfare_initiatives.lnk, jpackage.jar
- [MD5] 13c01534896246365dbbb625d8dbcbf4, 9acd010a980719f738ce561ccb127384, 15957e06aead7d907972842d803f6471
- [SHA1] 23a10d0d057dbaa919aaa7b55fc41c64de440fbc, 6817f846408bc55d68ccc6b52b61afd9f4cfaa3e
- [SHA256] 7ae348cfe0954e1f1fa90259519d8fed4da5507ba206e99f704ddbb0634e7e57, afe98e350b2c37e1213ace09cc18fdb1c654fa6651dbb98b2a5b364db8708b29
- [IP] C2 – 144.91.112.130:6023
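To make the indicators above actionable, the following added example (not Cyble's code) sweeps a directory tree for files whose MD5, SHA1 or SHA256 matches the listed hashes or whose name matches the listed file names, and checks netstat-style connection records for the listed C2 endpoint. The hashes, file names and IP:port are copied from the list above; the netstat sample lines are constructed.

```python
"""Sweep files and connection records against the Saw RAT indicators above.

Added example, not part of the original report. Hash values, file names and
the C2 endpoint are taken from the indicator list; everything else is assumed.
"""
import hashlib
from pathlib import Path
from typing import Dict, List, Tuple

IOC_HASHES: Dict[str, set] = {
    "md5": {
        "13c01534896246365dbbb625d8dbcbf4",
        "9acd010a980719f738ce561ccb127384",
        "15957e06aead7d907972842d803f6471",
    },
    "sha1": {
        "23a10d0d057dbaa919aaa7b55fc41c64de440fbc",
        "6817f846408bc55d68ccc6b52b61afd9f4cfaa3e",
    },
    "sha256": {
        "7ae348cfe0954e1f1fa90259519d8fed4da5507ba206e99f704ddbb0634e7e57",
        "afe98e350b2c37e1213ace09cc18fdb1c654fa6651dbb98b2a5b364db8708b29",
    },
}
IOC_FILENAMES = {"files.zip", "welfare_initiatives.lnk", "jpackage.jar"}
C2_ENDPOINT = ("144.91.112.130", 6023)

# Constructed "netstat -ano"-style lines (proto, local, foreign, state, pid).
SAMPLE_NETSTAT = [
    "  TCP    10.0.0.5:51234    144.91.112.130:6023    ESTABLISHED    4120",
    "  TCP    10.0.0.5:51235    93.184.216.34:443      ESTABLISHED    2200",
    "  TCP    0.0.0.0:445       0.0.0.0:0              LISTENING      4",
]


def digest_bytes(data: bytes) -> Dict[str, str]:
    """All three digests of an in-memory blob (used for small inputs and tests)."""
    return {algo: hashlib.new(algo, data).hexdigest() for algo in IOC_HASHES}


def digest_file(path: Path, chunk_size: int = 1 << 20) -> Dict[str, str]:
    """All three digests of a file, read in chunks so large files are fine."""
    hashers = {algo: hashlib.new(algo) for algo in IOC_HASHES}
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(chunk_size), b""):
            for hasher in hashers.values():
                hasher.update(chunk)
    return {algo: hasher.hexdigest() for algo, hasher in hashers.items()}


def match_hashes(digests: Dict[str, str]) -> List[str]:
    """Return 'algo:hash' for every digest that is in the indicator set."""
    return [
        f"{algo}:{digests[algo]}"
        for algo in IOC_HASHES
        if digests.get(algo, "").lower() in IOC_HASHES[algo]
    ]


def sweep(root: str) -> List[Tuple[str, List[str]]]:
    """Walk a directory tree and report files matching any file indicator."""
    hits = []
    for path in Path(root).rglob("*"):
        if not path.is_file():
            continue
        reasons = match_hashes(digest_file(path))
        if path.name.lower() in IOC_FILENAMES:
            reasons.append(f"filename:{path.name}")
        if reasons:
            hits.append((str(path), reasons))
    return hits


def c2_connections(netstat_lines: List[str]) -> List[int]:
    """Return the PIDs of connections whose foreign endpoint is the listed C2."""
    pids = []
    for line in netstat_lines:
        parts = line.split()
        if len(parts) < 5:
            continue
        host, _, port = parts[2].rpartition(":")
        if port.isdigit() and (host, int(port)) == C2_ENDPOINT:
            pids.append(int(parts[4]))
    return pids


if __name__ == "__main__":
    import sys
    for path, reasons in sweep(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(path, reasons)
    print("PIDs talking to C2:", c2_connections(SAMPLE_NETSTAT))
```

A hash match is exact-sample detection only; the filename and C2 checks catch recompiled or repacked variants that reuse the same lure name or infrastructure, which is why the sweep reports all three kinds of reason separately.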
Read more: https://cyble.com/blog/uncovering-the-new-java-based-saw-rats-infiltration-strategy-via-lnk-files/