RAT malware campaign tries to evade detection using polyglot files
2023-01-12 22:24

Operators of the StrRAT and Ratty remote access trojans are running a new campaign using polyglot MSI/JAR and CAB/JAR files to evade detection from security tools.

Polyglot files combine two or more file formats in a way that makes it possible for them to be interpreted and launched by multiple different applications without error.

Threat actors have been using polyglot files to hide malicious code, confuse security solutions, and bypass protections for several years now.

Despite Microsoft's efforts to address the problem by implementing a signature-based detection system, there are ways to bypass this protection, so polyglot files continue to be used for malicious purposes.

One notable technique, in use since 2018 and also what Deep Instinct observed in the latest RAT distribution campaign, is the combination of the JAR and MSI formats into a single file.

JAR files are archives identified as such by a record at their end, whereas an MSI file is identified by a "magic header" at its beginning, so threat actors can easily combine the two formats into a single file that each parser accepts.
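The head-versus-tail mismatch described above is something a scanner can check for directly. The following is an added Python example, not code from the article, from Deep Instinct, or from the campaign: it classifies a file by its leading magic bytes (the OLE compound-file header that MSI uses, or the "MSCF" header of a CAB) and separately looks for the ZIP end-of-central-directory record that a JAR reader expects at the tail, then flags a file whose head says MSI or CAB while its tail says JAR. The sample inputs are constructed inside the script; the "polyglot" is only a magic header in front of a benign JAR, not a working installer, and the script also shows that a standard ZIP reader still lists the JAR's entries despite the prepended bytes.

```python
import io
import struct
import zipfile

# Well-known magic values for the container formats named in the article.
OLE_CFB_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"  # MSI is an OLE compound document
CAB_MAGIC = b"MSCF"                                  # Microsoft Cabinet archive
ZIP_LOCAL_HEADER = b"PK\x03\x04"                     # first local file header of a ZIP/JAR
ZIP_EOCD = b"PK\x05\x06"                             # ZIP end-of-central-directory signature
EOCD_MIN_SIZE = 22                                   # fixed part of the EOCD record
ZIP_MAX_COMMENT = 0xFFFF                             # EOCD may be followed by up to 64 KiB of comment


def head_format(data: bytes) -> str:
    """Classify the file by its leading magic, the way MSI/CAB handlers do."""
    if data.startswith(OLE_CFB_MAGIC):
        return "msi"
    if data.startswith(CAB_MAGIC):
        return "cab"
    if data.startswith(ZIP_LOCAL_HEADER):
        return "zip"
    return "unknown"


def tail_is_zip(data: bytes) -> bool:
    """True if a valid EOCD record closes the file, i.e. a ZIP/JAR reader
    scanning backward from the end would accept it as an archive."""
    tail = data[-(EOCD_MIN_SIZE + ZIP_MAX_COMMENT):]
    pos = tail.rfind(ZIP_EOCD)
    while pos != -1:
        if pos + EOCD_MIN_SIZE <= len(tail):
            # The 2-byte comment length sits at offset 20 of the EOCD record;
            # the record plus its comment must end exactly at end-of-file.
            comment_len = struct.unpack_from("<H", tail, pos + 20)[0]
            if pos + EOCD_MIN_SIZE + comment_len == len(tail):
                return True
        pos = tail.rfind(ZIP_EOCD, 0, pos)
    return False


def classify(data: bytes) -> dict:
    """Report what the head and the tail claim; flag a mismatch as a polyglot."""
    head = head_format(data)
    zip_tail = tail_is_zip(data)
    return {
        "head": head,
        "zip_tail": zip_tail,
        # A JAR tail behind an MSI or CAB header is the MSI/JAR and CAB/JAR
        # construction the article describes.
        "polyglot": zip_tail and head in ("msi", "cab"),
    }


def jar_entries(data: bytes) -> list:
    """Entry names a ZIP/JAR reader extracts; prepended bytes are skipped."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return zf.namelist()


# --- constructed sample input (not taken from the campaign) ----------------

def build_jar() -> bytes:
    """A minimal benign JAR: a manifest and one placeholder class entry."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\nMain-Class: Hello\n")
        zf.writestr("Hello.class", b"\xca\xfe\xba\xbe" + b"\x00" * 28)  # dummy bytes, not bytecode
    return buf.getvalue()


def build_polyglot(head_magic: bytes = OLE_CFB_MAGIC) -> bytes:
    """Sample with an MSI (or CAB) magic header in front of a JAR body.
    Only the magic is present, so this is not a valid installer."""
    return head_magic + b"\x00" * (512 - len(head_magic)) + build_jar()


if __name__ == "__main__":
    for label, sample in [("plain jar", build_jar()),
                          ("msi/jar", build_polyglot()),
                          ("cab/jar", build_polyglot(CAB_MAGIC))]:
        print(label, classify(sample), jar_entries(sample))
```

The check deliberately mirrors how the two consumers identify a file: the MSI and CAB handlers only look at the first bytes, while ZIP readers scan backward for the EOCD record, which is why a file can satisfy both. A scanner that keys only on the leading magic would classify the sample as an installer and never inspect the JAR payload.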


News URL

https://www.bleepingcomputer.com/news/security/rat-malware-campaign-tries-to-evade-detection-using-polyglot-files/