Polyglot Malware: The New Stealth Technique for Cybercriminals

Cybercriminals are using polyglot files, files that are simultaneously valid in two or more formats, to slip malware past detection. Because the file looks like one format to the tool that inspects it and like another to the program that runs it, security software keyed on a file's leading bytes can misidentify and wave it through. Researchers at cybersecurity firm Deep Instinct have uncovered multiple campaigns using this technique, including the distribution of the remote access trojans StrRAT and Ratty.

One campaign uses JAR/MSI polyglots: a single file that is both a valid JAR archive and a valid MSI installer. Which one it behaves as depends on what opens it. Windows Installer treats it as an MSI package, while the Java Runtime Environment (JRE) loads it as a JAR. A scanner that identifies the file from its first bytes sees the MSI structure at the front and never validates it as a JAR, so the malicious Java classes go unexamined.

Another instance uses CAB/JAR polyglots to deliver both Ratty and StrRAT. The samples are spread through URL-shortening services such as cutt.ly and rebrand.ly, with some of them hosted on Discord. With a cabinet-archive header at the front of the file, tools that classify by leading bytes report a CAB rather than a JAR, and the file stays undetected until the JRE executes it on the compromised host.

“What’s special about ZIP files is that they’re identified by the presence of an end of central directory record which is located at the end of the archive,” Deep Instinct security researcher Simon Kenin explained. “This means that any ‘junk’ we append at the beginning of the file will be ignored and the archive is still valid.”

A JAR is a ZIP archive, so the same property applies: if security software does not validate the file as a JAR, the malicious archive appended after the MSI or CAB content bypasses it and stays undetected until it is executed on the compromised host. This is not the first time malware-laced polyglots have been seen in the wild. In November 2022, Berlin-based DCSO CyTec unearthed an information stealer dubbed StrelaStealer that spreads as a DLL/HTML polyglot.

To counter the technique, Deep Instinct recommends monitoring both the “java” and “javaw” processes and treating every file passed to them as an argument as a JAR, regardless of its extension or what the Linux ‘file’ command reports. Since the JRE locates the archive from the end-of-central-directory record rather than from the first bytes, a detection check has to parse the file the same way instead of trusting a magic number at offset 0.
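The following is an added example, not code from the article or from Deep Instinct, that demonstrates both Kenin's point about ZIP files being found from the end-of-central-directory (EOCD) record and the recommendation above. It builds a small JAR in memory, prepends constructed bytes carrying the CAB magic “MSCF” as a stand-in for a real CAB or MSI body, and shows that a magic-number check at offset 0 no longer sees a ZIP while an EOCD-based parser still opens it as a JAR and can measure how many bytes were prepended. It also shows a helper that, given a java/javaw command line as an EDR would supply it, returns every argument the JVM will open as a JAR without regard to its extension. The manifest contents, class names, paths and prefix bytes are all made up for the example.

```python
"""Added example: why a JAR survives having bytes prepended, and how to
validate a java/javaw argument as a JAR regardless of extension."""
import io
import re
import struct
import zipfile

# Signatures from the ZIP specification (PKWARE APPNOTE).
LOCAL_FILE_HEADER = b"PK\x03\x04"   # what a magic-at-offset-0 check looks for
EOCD_SIGNATURE = b"PK\x05\x06"      # end-of-central-directory record
EOCD_MIN_LEN = 22                   # fixed part of the EOCD record
MAX_COMMENT_LEN = 0xFFFF            # an optional comment may follow the EOCD

JAVA_LAUNCHERS = {"java", "java.exe", "javaw", "javaw.exe"}


def build_jar(main_class, entries):
    """Build a minimal JAR (a ZIP with META-INF/MANIFEST.MF) in memory.
    Constructed sample input; the class files are placeholder bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("META-INF/MANIFEST.MF",
                    f"Manifest-Version: 1.0\nMain-Class: {main_class}\n")
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


def make_polyglot(prefix, jar_bytes):
    """Prepend arbitrary bytes to a JAR. Readers locate the archive from the
    EOCD record at the end, so the prefix (a CAB or MSI body in the real
    campaigns) is simply skipped."""
    return prefix + jar_bytes


def starts_with_zip_magic(data):
    """Naive check: ZIP local-file-header signature at offset 0.
    This is all a magic-number sniff sees, and it fails on a polyglot."""
    return data[:4] == LOCAL_FILE_HEADER


def find_eocd(data):
    """Offset of the EOCD record, or -1. Scans backwards from EOF, as zip
    readers do, accepting only a candidate whose comment length reaches EOF."""
    window = EOCD_MIN_LEN + MAX_COMMENT_LEN
    tail = data[-window:] if len(data) > window else data
    base = len(data) - len(tail)
    idx = tail.rfind(EOCD_SIGNATURE)
    while idx != -1:
        if idx + EOCD_MIN_LEN <= len(tail):
            comment_len = struct.unpack_from("<H", tail, idx + 20)[0]
            if idx + EOCD_MIN_LEN + comment_len == len(tail):
                return base + idx
        idx = tail.rfind(EOCD_SIGNATURE, 0, idx)
    return -1


def inspect_bytes(data):
    """Classify a blob the way a JAR-aware scanner should: parse from the
    EOCD, measure how many bytes precede the archive, and read the manifest."""
    result = {"magic_at_offset_0": starts_with_zip_magic(data),
              "valid_zip": False, "prepended_bytes": 0,
              "is_jar": False, "main_class": None}
    eocd = find_eocd(data)
    if eocd == -1:
        return result
    size_cd, offset_cd = struct.unpack_from("<II", data, eocd + 12)
    # The central directory physically ends at the EOCD; its declared offset
    # is relative to the archive start, so the difference is prepended data.
    result["prepended_bytes"] = (eocd - size_cd) - offset_cd
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            result["valid_zip"] = True
            if "META-INF/MANIFEST.MF" in zf.namelist():
                result["is_jar"] = True
                manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
                m = re.search(r"^Main-Class:\s*(\S+)", manifest, re.MULTILINE)
                result["main_class"] = m.group(1) if m else None
    except zipfile.BadZipFile:
        pass
    return result


def jar_arguments(argv, pathsep=";"):
    """From a java/javaw argv (as an EDR would hand it over), return every file
    the JVM will open as a JAR: the -jar target and classpath entries.
    Extensions are deliberately ignored. pathsep is ';' on Windows, ':' elsewhere."""
    exe = re.split(r"[\\/]", argv[0])[-1].lower() if argv else ""
    if exe not in JAVA_LAUNCHERS:
        return []
    targets, i = [], 1
    while i < len(argv):
        if argv[i] == "-jar" and i + 1 < len(argv):
            targets.append(argv[i + 1])
            i += 2
        elif argv[i] in ("-cp", "-classpath", "--class-path") and i + 1 < len(argv):
            targets.extend(p for p in argv[i + 1].split(pathsep) if p)
            i += 2
        else:
            i += 1
    return targets


if __name__ == "__main__":
    jar = build_jar("Loader", {"Loader.class": b"\xca\xfe\xba\xbe" + b"\x00" * 16})
    # Constructed prefix: the CAB magic 'MSCF' plus padding, standing in for a
    # real CAB/MSI body. A sniff at offset 0 now sees 'MSCF', not 'PK'.
    poly = make_polyglot(b"MSCF" + b"\x00" * 60, jar)
    print(inspect_bytes(poly))
    print(jar_arguments(["javaw.exe", "-jar", r"C:\Users\x\Downloads\setup.msi"]))
```

A nonzero `prepended_bytes` on something handed to java or javaw is the signal to act on: legitimate JARs start at offset 0, whereas a file whose archive begins tens of kilobytes in has something else in front of it. The `jar_arguments` helper is what ties the check to the process monitoring the researchers recommend; feed its output to `inspect_bytes` rather than deciding on the extension or on what `file` says.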

Beyond that, keep security software updated and use a reputable anti-virus and anti-malware solution. Firewalls and intrusion detection systems can help detect and block the malicious traffic these trojans generate once they run. And be wary of clicking suspicious links or opening unexpected attachments, even when they appear to come from a trusted source; in these campaigns the lure arrives as a shortened URL or a Discord-hosted file.

In short, polyglot files let cybercriminals evade detection by presenting one format to the scanner and another to the runtime. Security solutions need to validate the JAR format the way the JRE does, by parsing from the end of the file, and the practical way to apply that is to monitor the “java” and “javaw” processes and treat the files passed to them as JARs regardless of extension or the output of the Linux ‘file’ command. Combined with up-to-date security software and caution around suspicious links and attachments, that closes the gap these campaigns exploit.
