Recently, researchers at SecurityInBits released an analysis detailing a new technique used by Java RAT operators to bypass Authenticode checks and make malware appear to be a digitally signed, trusted file. The trick relies on a mismatch in how files are parsed: file-type and certificate-checking utilities read a file from the top down, whereas a JAR file (which is a ZIP archive) is located from the bottom up, starting from the central directory record at the end of the file. A malicious JAR can therefore be appended to the end of a legitimate, signed MSI file and the result renamed with a .JAR extension. To certificate-checking utilities, and to tools such as “file”, the MSI's signature is still present and valid, so most tools report the file as legitimate. Because the JVM reads the archive from the end of the file, the MSI content never gets a chance to run: the very first thing executed is the JAR content sitting at the bottom of the MSI file. This method can therefore be used quite successfully to bypass Authenticode and other protective measures that depend on code signing.
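As an added defender-side example (not code from the SecurityInBits analysis), the following Python script detects the polyglot layout described above: it locates the ZIP End of Central Directory record from the tail of the file, the way a JVM would, and flags a file that starts with an MSI (OLE compound file) header yet also carries a ZIP archive appended after the original content. The sample input is constructed inside the script; the OLE magic bytes and the EOCD record layout are public format facts.

```python
import io
import struct
import zipfile

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # Compound File header used by MSI
EOCD_SIG = b"PK\x05\x06"                           # ZIP End of Central Directory


def find_trailing_zip(data: bytes):
    """Return (eocd_offset, prefix_len) if a ZIP archive ends the file, else None.

    A JVM or unzip finds the archive from the END of the file (EOCD record, then
    the central directory), so an archive glued to the tail of another file loads.
    """
    # EOCD is 22 bytes plus an optional comment of up to 65535 bytes.
    tail_start = max(0, len(data) - 22 - 0xFFFF)
    eocd = data.rfind(EOCD_SIG, tail_start)
    if eocd == -1 or eocd + 22 > len(data):
        return None
    cd_size, cd_offset = struct.unpack_from("<II", data, eocd + 12)
    # In a plain archive the central directory ends exactly where the EOCD starts,
    # and cd_offset is measured from the archive start. Any difference between the
    # real directory position and the claimed offset is data prepended to the zip.
    cd_actual = eocd - cd_size
    prefix_len = cd_actual - cd_offset
    if prefix_len < 0:
        return None
    return eocd, prefix_len


def is_msi_jar_polyglot(data: bytes) -> bool:
    """Flag a file that carries an OLE/MSI header up front and a ZIP/JAR hanging off the end."""
    if not data.startswith(OLE_MAGIC):
        return False
    found = find_trailing_zip(data)
    return found is not None and found[1] > 0


def build_sample() -> bytes:
    """Constructed test input: a fake OLE-headed blob (512 bytes) with a tiny ZIP appended.

    The prefix is not a real installer and carries no signature; it only mimics the layout.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
    fake_msi = OLE_MAGIC + b"\x00" * 504
    return fake_msi + buf.getvalue()
```

A genuine MSI whose last 64 KiB happens to contain the EOCD signature bytes would need a stricter parse of the central directory entries; the offset check above is a first-pass triage, not a full ZIP validator.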
By Anthony Zampino

Introduction

Leading up to the most recent Russian invasion of Ukraine in