"Cybercriminals Using Polyglot Files in Malware Distribution to Fly Under the Radar"

Remote Access Trojans (RATs) such as StrRAT and Ratty are being delivered as a combination of polyglot and malicious Java archive (JAR) files, further demonstrating how threat actors are constantly discovering new ways to evade detection. Simon Kenin, a security researcher at Deep Instinct, stated that attackers currently use the polyglot method to confuse security systems that do not correctly validate the JAR file format. Polyglot files combine the syntax of two or more different formats in such a way that each format's parser can read the file without generating an error. One 2022 campaign observed by the cybersecurity company used a JAR/MSI polyglot (i.e., a single file that is valid both as a JAR and as an MSI installer) to deliver the StrRAT payload. Depending on which parser opens it, the file is handled either by Windows (as an MSI) or by the Java Runtime Environment (JRE) (as a JAR). Another example used CAB/JAR polyglots to distribute both Ratty and StrRAT. This article continues to discuss the use of polyglot files to distribute malware in order to evade detection.
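The detection gap described above comes from the two parsers reading from opposite ends of the file: MSI and CAB parsers trust the header at offset 0, while Java's JAR loader locates the ZIP end-of-central-directory record from the tail. The following is an added example (not code from Deep Instinct or The Hacker News) of a file-triage check that flags a blob whose leading magic belongs to a host container but which still opens as a valid JAR; the sample input it builds is constructed and contains only an empty manifest and an empty placeholder class entry.

```python
import io
import zipfile

# Leading magic bytes of the host containers named in the article:
# OLE Compound File (the MSI installer format) and Microsoft Cabinet (CAB).
HOST_MAGICS = {
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1": "MSI/OLE compound file",
    b"MSCF": "CAB archive",
}
EOCD_SIG = b"PK\x05\x06"  # ZIP end-of-central-directory signature


def classify_polyglot(data: bytes) -> dict:
    """Report how the blob looks from the front (host header) and from
    the back (ZIP/JAR structure). Both true together is the JAR/MSI or
    JAR/CAB polyglot pattern; a scanner that only checks offset 0 misses it."""
    host = next((name for magic, name in HOST_MAGICS.items()
                 if data.startswith(magic)), None)
    entries, is_jar = [], False
    # EOCD is at most 22 bytes + a 64 KiB comment from the end of the file.
    if EOCD_SIG in data[-65557:]:
        try:
            # zipfile tolerates prepended data, just like the JRE does.
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                entries = zf.namelist()
                is_jar = "META-INF/MANIFEST.MF" in entries or any(
                    n.endswith(".class") for n in entries)
        except zipfile.BadZipFile:
            pass
    return {
        "host_format": host,
        "valid_jar": is_jar,
        "entries": entries,
        "polyglot": host is not None and is_jar,
    }


def build_sample(prefix: bytes) -> bytes:
    """Constructed test input: an arbitrary prefix followed by a minimal
    JAR-shaped ZIP (manifest plus an empty placeholder class entry)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        zf.writestr("Demo.class", b"")  # placeholder, no bytecode
    return prefix + buf.getvalue()


if __name__ == "__main__":
    print(classify_polyglot(build_sample(b"MSCF" + b"\x00" * 32)))
```

In triage, treat `polyglot: True` as a reason to route the file to both the archive and the installer analysis paths rather than whichever one the first magic bytes select.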

THN reports "Cybercriminals Using Polyglot Files in Malware Distribution to Fly Under the Radar"
