To evade security tools detection, StrRAT and Ratty operators are running a new campaign that uses polyglot MSI/JAR (and CAB/JAR) files.
Deep Instinct spotted the campaign and reported that the threat actors are having moderate success getting past anti-virus engines, which is remarkable considering the long history and well-documented nature of these RATs.
A polyglot file combines multiple file formats in a single file in such a way that each format's parser finds what it expects, so the file can be opened by several different programs without errors.
For several years, threat actors have used polyglot files to hide malicious code, confuse security systems, bypass protections, and serve many other purposes.
We reported recently about the , which targets Outlook and Thunderbird accounts.
Microsoft has made efforts to address the issue by creating a signature-based detection method. However, there are ways to bypass this protection, and polyglot files will continue to be used for malicious ends.
RAT polyglot campaign
A notable example of this technique from 2018, which Deep Instinct also observed during the most recent RAT distribution campaign, is the merging of the JAR and MSI formats into a single file.
JAR files are ZIP archives and are identified by a record at the end of the file, whereas MSI files are identified by a magic header at the start of the file. Because the two identifiers sit at opposite ends, threat actors can combine both formats in one file.
Such a file can be run either as an MSI on Windows or as a JAR by the Java Runtime.
Anti-virus software does not check JARs as thoroughly because they aren't native executables. This lets the attackers conceal the malicious code in the JAR portion and fool the anti-virus tools into scanning only the MSI portion of the file, which then comes back clean.
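The following is an added triage example, not code from the article or from Deep Instinct. It checks a file for exactly the shape described above: a header-identified format (the MSI/OLE compound-file magic, or the CAB magic, both of which are the real signatures) at offset 0, together with a ZIP end-of-central-directory record at the tail that Java would honour. The `make_test_blob` fixture is constructed for testing only: a magic header plus zero padding in front of a tiny ZIP holding a JAR-style manifest and an empty placeholder `.class` entry, not a real MSI, CAB or sample from the campaign.

```python
import io
import struct
import zipfile
from typing import List, Optional

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # MSI is an OLE compound file
CAB_MAGIC = b"MSCF"                               # Microsoft Cabinet header
ZIP_EOCD = b"PK\x05\x06"                          # ZIP end-of-central-directory signature
EOCD_MIN = 22                                     # fixed EOCD size (plus optional comment)


def header_format(data: bytes) -> Optional[str]:
    """Identify a format by its magic bytes at offset 0, the way a header-based signature does."""
    if data.startswith(OLE_MAGIC):
        return "msi"
    if data.startswith(CAB_MAGIC):
        return "cab"
    return None


def find_eocd(data: bytes) -> Optional[int]:
    """Locate the ZIP EOCD record, which Java and zip tools read from the END of the file.
    The EOCD may be followed by a comment of up to 65535 bytes, so scan that window."""
    window_start = max(0, len(data) - (0xFFFF + EOCD_MIN))
    pos = data.rfind(ZIP_EOCD, window_start)
    if pos < 0 or len(data) - pos < EOCD_MIN:
        return None
    # Sanity check: the declared comment length must match what actually follows.
    comment_len = struct.unpack_from("<H", data, pos + 20)[0]
    if pos + EOCD_MIN + comment_len != len(data):
        return None
    return pos


def jar_entries(data: bytes) -> List[str]:
    """Parse the embedded ZIP from the tail, tolerating leading non-ZIP bytes (as the Java
    runtime does); return its entry names, or [] if it is not a valid archive."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return zf.namelist()
    except zipfile.BadZipFile:
        return []


def inspect(data: bytes) -> dict:
    """Combine the head and tail views into one verdict for the file."""
    head = header_format(data)
    names = jar_entries(data) if find_eocd(data) is not None else []
    jar_like = any(n == "META-INF/MANIFEST.MF" or n.endswith(".class") for n in names)
    if head and names:
        verdict = "polyglot %s/%s" % (head, "jar" if jar_like else "zip")
    elif head:
        verdict = head
    elif names:
        verdict = "jar" if jar_like else "zip"
    else:
        verdict = "unknown"
    return {"header": head, "zip_entries": names, "jar_like": jar_like, "verdict": verdict}


def make_test_blob(prefix: bytes) -> bytes:
    """Constructed test fixture only: `prefix` magic bytes plus zero padding, followed by a
    tiny ZIP with a JAR-style manifest and an empty placeholder class entry (no real bytecode)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\nMain-Class: Hello\n")
        zf.writestr("Hello.class", b"")
    return prefix + b"\x00" * 512 + buf.getvalue()


if __name__ == "__main__":
    for label, blob in [("msi/jar", make_test_blob(OLE_MAGIC)),
                        ("cab/jar", make_test_blob(CAB_MAGIC)),
                        ("plain jar", make_test_blob(b""))]:
        print(label, "->", inspect(blob)["verdict"])
```

The point of the check is that neither view alone is enough: the header lookup is what a signature scanner keyed on the first bytes sees, while the tail parse is what the Java runtime sees, and a file that satisfies both at once is worth a closer look regardless of which verdict each single view would give.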
Inspecting the MSI/JAR polyglot (Deep Instinct)
Deep Instinct observed that CAB/JAR combinations were more common than MSI/JAR for the same two RAT families. Because CAB files are also identified by a magic header at the start of the file, they make equally good polyglot candidates.
The campaign uses Sendgrid to distribute the polyglots and URL-shortening services such as Cutt.ly or Rebrand.ly to link to them. The StrRAT and Ratty payloads that the polyglots fetch are hosted on Discord.
Only six out of 59 engines detect the CAB/JAR polyglots, while 30 security vendors identify the MSI/JAR polyglots, giving detection rates of between 10% and 50%.
MSI/JAR polyglot file missed by half of the AV engines (BleepingComputer)
Deep Instinct reported that many of the StrRAT and Ratty polyglots it analyzed share the same C2 address, and that both are hosted by the same Bulgarian hosting company.
It is therefore possible that both strains are being used by a single operator in the same campaign.