Cyble Research and Intelligence Labs identified a Java RAT named Sayler, found as a JAR with zero detections on VirusTotal, which targets Polish-speaking users and includes keylogging, information theft, screen capture, ransomware and other features, using a socket-based C2 channel and Discord for exfiltration. The malware embeds Polish strings and a pl.sayler package, suggesting targeted campaigns from Poland.
#SaylerRAT #Poland
Key points
- The Sayler RAT was found as a Java Archive (JAR) on VirusTotal with no detections.
- It appears specifically designed to target Polish-language users, as indicated by Polish strings and the package name pl.sayler.
- Sayler includes capabilities such as keylogging, information stealing, screen capture, ransomware, and other functions.
- Communication relies on a socket-based client/server model to enable data exchange and remote control.
- The RAT contains Server GUI code and uses Discord for data exfiltration/notifications.
- Initial infection likely via phishing or spam, though the exact vector is unknown.
MITRE Techniques
- [T1059.003] Command and Scripting Interpreter: Windows Command Shell. cmd.exe is used to run commands such as taskkill.
- [T1547.001] Registry Run Keys / Startup Folder (Persistence). Drops a copy of the malware file into the %appdata% folder and adds a Run registry entry.
- [T1562.001] Disable or Modify Tools (Defense Evasion). Kills the Task Manager and Registry Editor processes.
- [T1112] Modify Registry. Modifies the Windows registry.
- [T1003] OS Credential Dumping (Credential Access). Tries to harvest and steal browser information.
- [T1057] Process Discovery (Discovery). Queries the list of all running processes.
- [T1082] System Information Discovery (Discovery). Gathers system information through various methods.
- [T1083] File and Directory Discovery (Discovery). Enumerates files and folders for ransomware encryption.
- [T1005] Data from Local System (Collection). Tries to harvest and steal browser information.
- [T1071] Non-Application Layer Protocol (C2). Uses sockets for network communication.
- [T1112] (Additional) Screen Capture (Collection/Impact). Screen capture functionality observed within the Sayler RAT.
- [T1056.001] Input Capture: Keylogging. Global input listeners capture keyboard and mouse events ("sets up global input event listeners for keyboard and mouse events using the GlobalScreen library").
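As an added example (not code from the Cyble report or from the malware), the following Python script performs static triage of a JAR for the traits listed above: classes under the pl.sayler package, references to the GlobalScreen hooking library, a Discord exfiltration URL, and taskkill strings. The sample JAR is constructed in the script with placeholder class bytes, and the Discord webhook URL pattern is an assumption; the report only says Discord is used for exfiltration.

```python
# Heuristic JAR triage for Sayler RAT traits. Added example, not from the report.
import io
import re
import zipfile

# Package path named in the report; matched against entry names.
PACKAGE_PREFIX = "pl/sayler/"

# Byte patterns searched inside each entry. Class files keep class and string
# references as UTF-8 constant-pool entries, so a raw byte search is enough
# for triage without a full class-file parser.
INDICATORS = {
    "globalscreen_hook": re.compile(rb"org/jnativehook/GlobalScreen|NativeKeyListener"),
    # Assumed exfiltration form (webhook URL); the report only names Discord.
    "discord_exfil": re.compile(rb"discord(?:app)?\.com/api/webhooks", re.I),
    "taskkill": re.compile(rb"taskkill"),
}

def triage_jar(jar_bytes):
    """Return {indicator: [entry names]} for every indicator that matched."""
    hits = {"sayler_package": []}
    hits.update({name: [] for name in INDICATORS})
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        for info in jar.infolist():
            if info.is_dir():
                continue
            if info.filename.startswith(PACKAGE_PREFIX):
                hits["sayler_package"].append(info.filename)
            data = jar.read(info)
            for name, pattern in INDICATORS.items():
                if pattern.search(data):
                    hits[name].append(info.filename)
    return {name: entries for name, entries in hits.items() if entries}

def build_sample_jar():
    """Constructed sample JAR (not a real artifact). The class entries are
    placeholder bytes carrying only the strings the triage looks for."""
    magic = b"\xca\xfe\xba\xbe"  # class-file magic, for realism only
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", "Main-Class: pl.sayler.Main\n")
        jar.writestr("pl/sayler/Main.class", magic + b"org/jnativehook/GlobalScreen")
        jar.writestr("pl/sayler/Report.class", magic + b"https://discord.com/api/webhooks/ID")
        jar.writestr("com/example/Util.class", magic + b"cmd.exe /c taskkill")
    return buf.getvalue()

if __name__ == "__main__":
    for indicator, entries in sorted(triage_jar(build_sample_jar()).items()):
        print(f"{indicator}: {', '.join(entries)}")
```

Treat any hit as a reason for deeper analysis, not as a verdict: legitimate software can also bundle JNativeHook or call Discord.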
Indicators of Compromise
- [File Hash] Java.jar: MD5 3a285221a2ee58369c4d39d2ee508b3d; SHA1 d04754ca5c9853d4f5688ddafd76b125306dd01b; SHA256 ad79376aa24df8dab799d4fb4c5d0c913fda03bfea65cbd80923a5919bb1e9b9
- [File Hash] BlazeXHack.jar: MD5 9f36aa7edd5e1f19b541f209386bc7ea; SHA1 ed51900e5b6bb58c116236aff1ed3dec4440702b; SHA256 1349f1ac1da22cb2f2251a7e26dbc1e8716504c76d623d800e96295b8cdd00eb
- [File Name] Java.jar and BlazeXHack.jar: observed in the same analysis context as the Sayler RAT artifacts.
Read more: https://cyble.com/blog/new-java-based-sayler-rat-targets-polish-speaking-users/