A malicious campaign spreading the StrRAT and Ratty trojans was discovered by the company Deep Instinct. The researchers note that although both pieces of malware are well known, their operators have learned to bypass some antivirus systems.
Polyglot files combine two or more formats in such a way that each can be opened by a different application without errors. For several years, attackers have used this property to hide malicious code and confuse security tools.
According to Deep Instinct researchers, since 2018 attackers have often combined the JAR and MSI formats in a single file. A JAR file is identified by a record at the end of the file, whereas an MSI file is identified by a "magic header" at the beginning of the file, so both formats can coexist in one file. This gives several advantages:
Such a file runs as an MSI on Windows and as a JAR under Java;
JAR files are not native executables, so antivirus engines inspect them less carefully. This lets attackers hide the malicious code in the JAR part, deceiving an antivirus that scans only the clean MSI part of the file.
In addition, attackers sometimes combine JAR and CAB files, since CAB files also have a magic header.
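As an added defender-side example, not part of the original report or of Deep Instinct's tooling: a Python check that flags a file whose first bytes announce an MSI or CAB header while its tail carries a ZIP end-of-central-directory record, i.e. a JAR/MSI or JAR/CAB polyglot of the kind described above. The sample polyglot it builds is constructed from a harmless placeholder JAR and is not a real installer.

```python
import io
import zipfile

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # MSI (OLE compound file) header
CAB_MAGIC = b"MSCF"                              # Microsoft Cabinet header
EOCD_SIG = b"PK\x05\x06"                         # ZIP End of Central Directory signature

def leading_format(data):
    """Format announced by the magic header at offset 0, or None."""
    if data.startswith(OLE_MAGIC):
        return "msi"
    if data.startswith(CAB_MAGIC):
        return "cab"
    return None

def trailing_zip_entries(data):
    """Entry names if the tail of the file is a valid ZIP/JAR, else None.
    The EOCD record lies within the last 22 + 65535 bytes (maximum comment
    length), so only the tail is searched. zipfile tolerates data prepended
    before the archive, which is exactly the layout of a JAR/MSI polyglot.
    """
    if EOCD_SIG not in data[-(22 + 0xFFFF):]:
        return None
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return zf.namelist()
    except zipfile.BadZipFile:
        return None

def classify(data):
    """Header format, whether a JAR hides at the end, and polyglot verdict."""
    head = leading_format(data)
    entries = trailing_zip_entries(data)
    return {
        "header": head,
        "jar": entries is not None and "META-INF/MANIFEST.MF" in entries,
        "polyglot": head is not None and entries is not None,
    }

def build_sample(prefix):
    """Constructed sample: a harmless JAR-shaped ZIP with a foreign header prepended."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        zf.writestr("Hello.class", b"\xca\xfe\xba\xbe")  # placeholder, not real bytecode
    return prefix + buf.getvalue()

if __name__ == "__main__":
    print(classify(build_sample(OLE_MAGIC + b"\x00" * 504)))  # constructed MSI/JAR polyglot
```

A plain MSI (header only, no ZIP tail) and a plain JAR (ZIP tail only, no foreign header) are both reported as non-polyglot, so only the combination raises the flag.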
To distribute the trojanized polyglot files, the attackers use Sendgrid and link-shortening services such as Cutt.ly and Rebrand.ly. The StrRAT and Ratty payloads are hosted on Discord and on the Bulgarian hosting provider Belcloud.