StrRAT and Ratty are being distributed as polyglots or JAR files. Deep Instinct cybersecurity experts: victims receive a file, the malware, that is both a valid MSI and a valid JAR

StrRAT and Ratty were distributed in 2022 as polyglots or as JAR files with junk added at the beginning. Deep Instinct cybersecurity experts discovered this. A polyglot file is created by combining two or more file formats in such a way that each format can be interpreted individually without an error. JAR files are ZIP archives, identified by the presence of an end of central directory record, which is located at the end of the archive. This means that any "junk" placed at the beginning of the file is ignored and the archive is still valid. Other file formats, unlike JAR, have a special magic header at the beginning of the file and must be read from the start. One of these formats is MSI. If the two are combined, victims receive a file that is both a valid MSI and a valid JAR. In the case of the StrRAT and Ratty campaigns, that file is the malware.
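A defender can check for this layout by reading a file from both ends, as in the following added example (not code from Deep Instinct or from the article). It assumes the well-known OLE compound-file magic that MSI files begin with, a value not given on the page; the function names and the sample bytes are constructed for illustration, and ZIP64 archives are not handled.

```python
import io
import struct
import zipfile

OLE_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")  # OLE compound-file header that MSI files start with
EOCD_SIG = b"PK\x05\x06"                       # ZIP end of central directory signature
EOCD_MIN = 22                                  # fixed EOCD size without the trailing comment


def inspect_file(data: bytes) -> dict:
    """Describe a buffer as seen from the front (magic) and from the back (ZIP EOCD)."""
    info = {"zip": False, "jar": False, "prefix_len": 0,
            "msi_header": data.startswith(OLE_MAGIC)}
    # The EOCD sits within the last 22 + 65535 bytes (the comment is at most 64 KiB).
    pos = data.rfind(EOCD_SIG, max(0, len(data) - EOCD_MIN - 0xFFFF))
    if pos < 0 or pos + EOCD_MIN > len(data):
        return info
    cd_size, cd_offset = struct.unpack_from("<II", data, pos + 12)
    # In a clean archive the central directory ends where the EOCD begins.
    # Any difference is data placed in front without rewriting the offsets.
    prefix = pos - (cd_offset + cd_size)
    if prefix < 0:
        return info
    info["zip"], info["prefix_len"] = True, prefix
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            info["jar"] = "META-INF/MANIFEST.MF" in zf.namelist()
    except zipfile.BadZipFile:
        info["zip"] = False
    return info


def is_suspicious(info: dict) -> bool:
    """A JAR that does not begin at offset 0, or that also carries an MSI header."""
    return info["jar"] and (info["prefix_len"] > 0 or info["msi_header"])


def sample_jar() -> bytes:
    """Constructed, harmless JAR holding only a manifest."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
    return buf.getvalue()


if __name__ == "__main__":
    jar = sample_jar()
    fake_msi_prefix = OLE_MAGIC + b"\x00" * 504  # constructed 512-byte stand-in, not a real MSI
    for name, blob in [("clean.jar", jar), ("prefixed.jar", fake_msi_prefix + jar)]:
        report = inspect_file(blob)
        print(name, report, "suspicious:", is_suspicious(report))
```

A scanner that decides the file type from the first bytes alone would see only the MSI header here, which is why the check also parses the archive from the end.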

