Malicious JARs and Polyglot files: “Who do you think you JAR?” | Deep Instinct

Deep Instinct details 2022 observations of polyglot files that combine malicious JARs with other formats to evade detection, focusing on MSI+JAR, CAB+JAR, and other appended variants tied to StrRAT and Ratty. The article also covers detection challenges, community tooling, and MITRE-aligned techniques observed in these campaigns. #StrRAT #Ratty #BelCloudLTD #donutz.ddns[.]net #DiscordCDN

Keypoints

  • Deep Instinct observed 2022 campaigns distributing polyglots that embed malicious JARs in various formats (MSI, CAB, HEX-augmented, binary junk) to bypass checks.
  • MSI+JAR polyglots were publicly discussed in 2018–2019, and Microsoft later addressed the related Windows signature-validation issue as CVE-2020-1464, yet the technique persisted in 2022 because it still confuses security solutions.
  • StrRAT and Ratty were the primary RATs examined; Ratty configuration details were partially extracted by Deep Instinct and shared via GitHub.
  • Some samples used the Bulgarian hosting BelCloud LTD and shared a common C2 server, suggesting potential actor overlap or shared infrastructure.
  • Java ignores the file extension and reads the ZIP structure from the end of the file, so a JAR still executes when it is renamed or when foreign data (an MSI, a CAB, or junk bytes) is placed in front of it; magic-based static checks such as the `file` command then report the leading format rather than a JAR.
  • The report highlights low VirusTotal detections for certain CAB+JAR polyglots and emphasizes the need for both static and dynamic detection methods.
  • MITRE ATT&CK mappings include Phishing: Spearphishing Link, Masquerading: Invalid Code Signature, Obfuscated Files or Information: Binary Padding, and Web Service (Discord CDN used for payload delivery).

MITRE Techniques

  • [T1566.002] Phishing: Spearphishing Link – “Attackers use URL shortening services that lead to the payload.” Rebrand[.]ly/afjlfvp
  • [T1036.001] Masquerading: Invalid Code Signature – “Attackers append a signed MSI file.” 85d8949119dad6215ae0a21261b037af
  • [T1027.001] Obfuscated Files or Information: Binary Padding – “Attackers append junk data at the beginning of the file, causing the ‘file’ command to return a different file type.” cb17f27671c01cd27a6828faaac08239
  • [T1102] Web Service – “Attackers used Discord’s content delivery network (CDN) to deliver malware.” https://cdn[.]discordapp[.]com/attachments/938795529683480586/941658014962823208/Package_info[.]jar
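
The appended-JAR mechanism behind the MSI+JAR, CAB+JAR and junk-prefixed samples in the keypoints, and the `file`-versus-Java mismatch described under Binary Padding, can be checked for statically. The following Python is an added example, not code from Deep Instinct or from the article: it locates the ZIP end-of-central-directory record by scanning back from the tail of the file (the same way Java's ZIP reader finds it), measures how many bytes precede the real archive, and checks the archive for a JAR manifest. All sample inputs are constructed inside the script (a minimal JAR with a stub class, plus synthetic MSI, CAB and junk prefixes); they are not the campaign's files.

```python
"""Flag files that carry a ZIP/JAR behind a non-ZIP header (appended-JAR polyglot check)."""
import io
import struct
import zipfile

# Well-known leading signatures a magic-based tool such as `file` keys on.
MAGICS = {
    b"PK\x03\x04": "zip/jar",
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1": "ole-cfb (msi)",
    b"MSCF": "cab",
    b"MZ": "pe",
}
EOCD_SIG = b"PK\x05\x06"   # End Of Central Directory record
CEN_SIG = b"PK\x01\x02"    # central directory file header
EOCD_LEN = 22
MAX_COMMENT = 0xFFFF       # EOCD may be followed by up to 64 KiB of comment


def leading_type(data: bytes) -> str:
    """What a header-only check would call this file."""
    for magic, name in MAGICS.items():
        if data.startswith(magic):
            return name
    return "unknown"


def find_eocd(data: bytes):
    """Scan back from the tail for the EOCD record, as ZIP readers (Java included) do."""
    window = data[-(EOCD_LEN + MAX_COMMENT):]
    idx = window.rfind(EOCD_SIG)
    if idx < 0:
        return None
    pos = len(data) - len(window) + idx
    if pos + EOCD_LEN > len(data):
        return None
    (_sig, _disk, _cd_disk, _n_disk, n_total, cd_size, cd_offset,
     _comment_len) = struct.unpack("<4sHHHHIIH", data[pos:pos + EOCD_LEN])
    return {"eocd_offset": pos, "cd_size": cd_size, "cd_offset": cd_offset, "entries": n_total}


def analyze(data: bytes) -> dict:
    """Report the leading format, how many bytes precede the ZIP, and whether the ZIP is a JAR.

    A ZIP appended to another file keeps its stored central-directory offset relative to the
    ZIP's own start, while the directory physically sits just before the EOCD. The difference
    between those two positions is exactly the number of foreign bytes in front of the archive.
    """
    result = {"leading": leading_type(data), "zip_prefix_bytes": None,
              "is_jar": False, "polyglot": False}
    eocd = find_eocd(data)
    if eocd is None:
        return result
    actual_cd = eocd["eocd_offset"] - eocd["cd_size"]
    if actual_cd < 0 or data[actual_cd:actual_cd + 4] != CEN_SIG:
        return result
    prefix = actual_cd - eocd["cd_offset"]
    result["zip_prefix_bytes"] = prefix
    try:
        # zipfile tolerates leading data the same way the JVM does, so we can list entries.
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
    except zipfile.BadZipFile:
        return result
    result["is_jar"] = "META-INF/MANIFEST.MF" in names
    result["polyglot"] = prefix > 0
    return result


def scan_file(path: str) -> dict:
    with open(path, "rb") as fh:
        return analyze(fh.read())


def build_jar() -> bytes:
    """Constructed minimal JAR: a manifest plus a stub class entry (not a real, loadable class)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\r\nMain-Class: Loader\r\n\r\n")
        zf.writestr("Loader.class", b"\xca\xfe\xba\xbe" + b"\x00" * 28)
    return buf.getvalue()


def build_samples() -> dict:
    """Constructed inputs: the same JAR alone and behind synthetic MSI, CAB and junk prefixes."""
    jar = build_jar()
    msi_header = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 504  # 512-byte CFB-like stub
    cab_header = b"MSCF" + b"\x00" * 32                               # CAB magic plus padding
    junk = bytes(range(256)) * 2                                      # 512 bytes of filler
    return {"plain_jar": jar, "msi_jar": msi_header + jar,
            "cab_jar": cab_header + jar, "junk_jar": junk + jar}


if __name__ == "__main__":
    for name, blob in build_samples().items():
        r = analyze(blob)
        print(f"{name:10s} leading={r['leading']:14s} prefix={r['zip_prefix_bytes']} "
              f"jar={r['is_jar']} polyglot={r['polyglot']}")
```

Run against a suspicious download with `scan_file(path)`: a non-zero `zip_prefix_bytes` together with `is_jar` means the file will launch under `java -jar` regardless of what its header or extension claims, which is the condition a header-only triage step misses.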

Indicators of Compromise

  • [Domain] C2 domain – donutz.ddns[.]net
  • [URL] Delivery/observables – https://cdn[.]discordapp[.]com/attachments/938795529683480586/941658014962823208/Package_info[.]jar
  • [MD5] – 85d8949119dad6215ae0a21261b037af, cb17f27671c01cd27a6828faaac08239
  • [SHA256] – d51d269b62e55d4af8a4bd72dcf3c5115ad27fe5466640041c658c0325194451, 534a4b0e17723755dd8cbdcdec309004ef59c3dfacb87fac86da4548780d2f1b, 19154b831614211de667c2aedd6a4b5b89d4bfc1e129eb402a6300ad2e156dcf
  • [Malware] StrRAT, Ratty
  • [Filename] Package_info.jar

Read more: https://www.deepinstinct.com/blog/malicious-jars-and-polyglot-files-who-do-you-think-you-jar