Recently, researchers at SecurityInBits released an analysis detailing a new technique used by Java RAT operators to bypass Authenticode checks and cause malware to appear to be a digitally signed and trusted file. Due to how file type is checked using file/certificate checking utilities (files are read top to bottom), and how a JAR file functions (like a zip, bottom to top), malicious JAR files can be appended to the end of a legitimate signed MSI file and renamed to end in the .JAR extension. According to cert checking utilities, along with tools like “file”, the MSI file’s signature is still signed and valid, and so most tools will detect this file as a legitimate file. Because of how JAR files are read/executed (bottom to top), the .MSI file never gets a chance to run as the very first executed file is the JAR file content at the bottom of the MSI file. However, this method can be used quite successfully to bypass Authenticode and other protective measures that depend on code-signing.
Analyst Notes
Using 24/7 monitoring of Endpoint Detection and Response (EDR) tools, analysts should look out for instances where file headers in the file do not match the chosen extension. In this case, be on the lookout for .MSI files that are using the extension .JAR. This may be indicative of this technique and should be unusual enough in any environment to stand out if analysts are watching for it.
Interesting tactic by Ratty & Adwind for distribution of JAR appended to signed MSI – CVE-2020-1464
