www.bleepingcomputer.com
104.20.60.209

Submitted URL: https://ejyazl.clicks.mlsend.com/te/cl/eyJ2Ijoie1wiYVwiOjEwOTEyMSxcImxcIjo3NzU2MzI5NTgwMzkwMDk1NCxcInJcIjo3NzU2MzMxMTgwMDk3NjQ2N3...
Effective URL: https://www.bleepingcomputer.com/news/security/rat-malware-campaign-tries-to-evade-detection-using-polyglot-files/?utm_source=new...
Submission: On January 17 via manual from US — Scanned from DE


RAT MALWARE CAMPAIGN TRIES TO EVADE DETECTION USING POLYGLOT FILES

By Bill Toulas
January 12, 2023, 05:24 PM

Operators of the StrRAT and Ratty remote access trojans (RATs) are running a new
campaign that uses polyglot MSI/JAR and CAB/JAR files to evade detection by
security tools.

The campaign was spotted by Deep Instinct, which reports that the threat actors
achieve moderate success in evading detection by anti-virus engines. This is
notable considering how old and well-documented the two particular RATs are.



Polyglot files combine two or more file formats in a way that makes it possible
for them to be interpreted and launched by multiple different applications
without error.


Threat actors have been using polyglot files to hide malicious code, confuse
security solutions, and bypass protections for several years now.

Most recently, we reported about this technique being employed by the
StrelaStealer malware that targets Outlook and Thunderbird accounts.

Despite Microsoft’s efforts to address the problem by implementing a
signature-based detection system, there are ways to bypass this protection, so
polyglot files continue to be used for malicious purposes.


RAT POLYGLOT CAMPAIGN

One notable case that has been employed since 2018, which is also what Deep
Instinct observed in the latest RAT distribution campaign, is the combination of
JAR and MSI formats into a single file.

JAR files are archives identified as such by a record at their end, while in
MSI, the file type identifier is a “magic header” at the beginning of the file,
so threat actors can easily combine the two formats into a single file.

This dual format allows them to be executed as an MSI in Windows and also
executed as a JAR file by the Java runtime.

JARs are not native executables, so anti-virus tools do not check them as
rigorously. This allows the threat actors to hide malicious code in the JAR part
and trick the AV into scanning only the MSI part of the file, which should come
out clean.



Inspecting the MSI/JAR polyglot (Deep Instinct)

Deep Instinct noticed CAB/JAR combinations instead of MSI in other cases
involving the same two RAT families. CABs are also good candidates for polyglot
combinations with JARs because they, too, feature a magic header for file type
interpretation.
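The two paragraphs above describe the same structural trick twice: the MSI or CAB format is recognised by a magic header at the start of the file, while the JAR (ZIP) format is recognised by a record at the very end, so one file can satisfy both parsers. A defender can turn that asymmetry into a check: flag any file whose head claims one container format while its tail carries a valid ZIP end-of-central-directory record. The following is an added example written for this article, not code from Deep Instinct or BleepingComputer; it assumes the standard magic values for OLE2/MSI, CAB and ZIP, and the sample files it inspects are constructed inline (a header stub plus a tiny JAR), not real malware.

```python
import io
import struct
import zipfile

# Leading "magic header" bytes of the two container formats the article names.
# These are the standard signatures; the constructed samples below reuse them.
MSI_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"  # OLE2 compound document (MSI)
CAB_MAGIC = b"MSCF"                               # Microsoft Cabinet (CAB)
EOCD_SIG = b"PK\x05\x06"                          # ZIP end-of-central-directory record
EOCD_MIN_LEN = 22                                 # fixed part of the EOCD record
MAX_COMMENT = 0xFFFF                              # the EOCD comment length is a uint16


def leading_format(data: bytes):
    """Return the format named by the file's magic header, or None."""
    if data.startswith(MSI_MAGIC):
        return "MSI"
    if data.startswith(CAB_MAGIC):
        return "CAB"
    return None


def has_trailing_zip(data: bytes) -> bool:
    """True if the file ends in a well-formed ZIP/JAR end-of-central-directory record.

    Java locates a JAR by this trailing record, so a ZIP appended to an MSI or CAB
    is still a valid JAR even though the leading bytes belong to another format.
    """
    tail = data[-(EOCD_MIN_LEN + MAX_COMMENT):]
    idx = tail.rfind(EOCD_SIG)
    if idx < 0 or len(tail) - idx < EOCD_MIN_LEN:
        return False
    # The comment-length field (offset 20) must account for every remaining byte.
    comment_len = struct.unpack_from("<H", tail, idx + 20)[0]
    return idx + EOCD_MIN_LEN + comment_len == len(tail)


def classify(data: bytes) -> str:
    """Label a file by what its head and its tail claim to be."""
    head = leading_format(data)
    tail_zip = has_trailing_zip(data)
    if head and tail_zip:
        return f"POLYGLOT:{head}/JAR"
    if head:
        return head
    if tail_zip:
        return "ZIP/JAR"
    return "UNKNOWN"


def jar_entries(data: bytes) -> list:
    """List the entries the JAR side of the file exposes (empty if there is none).

    zipfile tolerates data prepended to an archive, which is exactly the layout
    of the MSI/JAR and CAB/JAR polyglots, so the hidden archive is fully readable.
    """
    if not has_trailing_zip(data):
        return []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return zf.namelist()


def build_sample_jar() -> bytes:
    """Constructed sample: a minimal JAR (manifest plus a dummy class entry)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\nMain-Class: Demo\n")
        zf.writestr("Demo.class", b"\xca\xfe\xba\xbe" + b"\x00" * 16)  # not a real class
    return buf.getvalue()


# Constructed samples (not real malware): an MSI-looking header and a CAB-looking
# header, each followed by the JAR. Real polyglots carry a complete MSI/CAB body.
SAMPLE_JAR = build_sample_jar()
SAMPLE_MSI_JAR = MSI_MAGIC + b"\x00" * 504 + SAMPLE_JAR
SAMPLE_CAB_JAR = CAB_MAGIC + b"\x00" * 32 + SAMPLE_JAR
SAMPLE_PLAIN_MSI = MSI_MAGIC + b"\x00" * 504

if __name__ == "__main__":
    for name, blob in [("msi_jar", SAMPLE_MSI_JAR), ("cab_jar", SAMPLE_CAB_JAR),
                       ("plain_msi", SAMPLE_PLAIN_MSI), ("jar", SAMPLE_JAR)]:
        print(f"{name:10s} {classify(blob):20s} {jar_entries(blob)}")
```

The check deliberately does not trust either signature alone: a file that starts like an MSI is only suspicious when it also ends like a ZIP, which is the combination the article says the campaign relies on. Running `jar_entries` on the MSI/JAR sample shows why scanning only the MSI head is not enough, since the trailing archive lists its manifest and class entries just as a standalone JAR would.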

The polyglots used in this campaign are spread by Sendgrid and URL shortening
services like Cutt.ly and Rebrand.ly, while the fetched StrRAT and Ratty
payloads are stored in Discord.

In terms of detection, the CAB/JAR polyglots return six positives out of 59 AV
engines on VirusTotal, while 30 security vendors identify the MSI/JAR
polyglots. Hence, the detection rate ranges between 10% and 50%.

MSI/JAR polyglot file missed by half of the AV engines (BleepingComputer)

Deep Instinct reports that many of the examined polyglots for both StrRAT and
Ratty use the same C2 address and are hosted by the same Bulgarian hosting firm.

Hence, it’s possible that both strains are used in a single campaign run by the
same operator.




BILL TOULAS

Bill Toulas is a technology writer and infosec news reporter with over a decade
of experience working on various online publications. An open source advocate
and Linux enthusiast, he is currently finding pleasure in following hacks, malware
campaigns, and data breach incidents, as well as in exploring the intricate ways
through which tech is swiftly transforming our lives.