Key Takeaways
- Cyble Research and Intelligence Labs (CRIL) came across a Java Archive (JAR) file on VirusTotal with zero detection, and subsequent analysis revealed that it is a Remote Access Trojan (RAT) identified as “Sayler.”
- Our analysis indicates that the Sayler RAT is intentionally designed to target Polish language users.
- Sayler RAT comprises malicious features, including a Keylogger, Information Stealer, Screen Capture, Ransomware, and additional functions.
- The Threat Actor (TA) uses a plain socket connection between the client and the server for data exchange, remote control, and other functions.
- The RAT includes Server GUI code and utilizes Discord for exfiltration.
Overview
On October 25th, CRIL came across an undetected Java Archive (JAR) file named “Java.jar” on VirusTotal. Upon investigation, it was determined that the JAR file is a new Remote Access Trojan named “Sayler.”
Sayler RAT is designed to give an attacker covert remote access to, and control over, a targeted computer. Once installed on a system, it lets the attacker take control of the victim’s desktop, steal sensitive data, capture the screen, log keystrokes, and even carry out ransomware attacks.
Further analysis shows that numerous strings within the malware are written in Polish. The package name “pl.sayler” also matches the two-letter country code “pl” for Poland, and the file was submitted to VirusTotal from Poland. Taken together, these factors strongly suggest that the JAR file is intended for a campaign targeting Polish users.
Initial Infection
The origin of the Sayler RAT’s initial infection is unknown. The malware may infiltrate a user’s system through channels such as spam emails or deceptive phishing websites.
Technical Analysis
We have taken a Java Archive file named “Java.jar,” which has a size of 12.57 MB, for analysis.
The main class within the file is “pl.sayler.site.client.Client.” Inside this class, a main method is present, which internally invokes another method named “Client” with the parameters “host” and “port,” as illustrated in the figure below. This is likely intended to set up a communication channel with a remote server that is controlled by the attacker, serving purposes such as data exchange, remote access, and more.
Settings
The figure below shows the Java class “Settings,” which holds the malware’s configuration. Notable settings include a Discord webhook URL used for sending notifications, the file path used by the keylogger, the path of a file named “blocked” (its presence records the computer’s state, i.e. whether it is ‘blocked’ or ‘unblocked’), a version number, flags that enable or disable sound and menu notifications, and a flag that selects whether packet communication is asynchronous or synchronous.
Main Method
Upon execution of the .jar file, the main method invokes the Client() method with the “host” and “port” arguments. This method performs the malware’s main functionality, as illustrated in the code snippet below.
The Client() method first calls registerGlobalScreenListeners(), which registers global keyboard and mouse listeners using the GlobalScreen library. These listeners capture low-level keyboard and mouse input events so that they can be recorded and handled, typically for logging.
https://) and ensuring the accurate spelling of domain names.
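The traits described above (the “pl.sayler” package, a GlobalScreen-based keylogger, and a Discord webhook stored in Settings) can be checked statically without running the JAR. The following is an added example, not code from the Cyble write-up or from the RAT itself: it walks a JAR in memory and reports those traits. The class path “org/jnativehook/GlobalScreen” is an assumption about which library “GlobalScreen” refers to, and the sample JAR it builds is constructed for the example, not the real Java.jar.

```python
# Added example (not from the Cyble write-up): static triage of a JAR for the
# Sayler-style traits described in the analysis. Indicators are taken from the
# write-up; the JNativeHook class path is an assumption.
import io
import re
import zipfile

PACKAGE_PREFIXES = ("pl/sayler/",)                      # package seen in the sample
KEYLOGGER_MARKERS = (b"org/jnativehook/GlobalScreen",)  # assumed class path of GlobalScreen
WEBHOOK_RE = re.compile(rb"https://discord(?:app)?\.com/api/webhooks/\d+/[A-Za-z0-9_\-]+")


def triage_jar(jar_bytes: bytes) -> dict:
    """Walk a JAR in memory and collect the Sayler-style traits it exhibits.

    Class files keep string constants as (modified) UTF-8 in the constant pool,
    so a plain byte search finds class references and URL literals without a
    full bytecode parser.
    """
    findings = {"main_class": None, "package_hits": [], "keylogger_hooks": [], "discord_webhooks": []}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        for info in zf.infolist():
            name = info.filename
            if name == "META-INF/MANIFEST.MF":
                for line in zf.read(name).decode("utf-8", "replace").splitlines():
                    if line.startswith("Main-Class:"):
                        findings["main_class"] = line.split(":", 1)[1].strip()
                continue
            if not name.endswith(".class"):
                continue
            if name.startswith(PACKAGE_PREFIXES):
                findings["package_hits"].append(name)
            data = zf.read(name)
            if any(marker in data for marker in KEYLOGGER_MARKERS):
                findings["keylogger_hooks"].append(name)
            for hit in WEBHOOK_RE.findall(data):
                findings["discord_webhooks"].append(hit.decode("ascii"))
    return findings


def verdict(findings: dict) -> str:
    """Flag a JAR when at least two independent trait categories are present."""
    categories = ("package_hits", "keylogger_hooks", "discord_webhooks")
    hits = sum(1 for key in categories if findings[key])
    if findings["main_class"] and findings["main_class"].startswith("pl.sayler."):
        hits += 1
    return "suspicious" if hits >= 2 else "no-match"


def build_sample_jar() -> bytes:
    """Constructed sample JAR carrying the traits; NOT the real Java.jar."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("META-INF/MANIFEST.MF",
                    "Manifest-Version: 1.0\r\nMain-Class: pl.sayler.site.client.Client\r\n\r\n")
        # Fake class bodies: the 0xCAFEBABE magic followed by strings a real constant pool would hold.
        zf.writestr("pl/sayler/site/client/Client.class",
                    b"\xca\xfe\xba\xbe" + b"org/jnativehook/GlobalScreen\x00")
        zf.writestr("pl/sayler/site/client/Settings.class",
                    b"\xca\xfe\xba\xbe" + b"https://discord.com/api/webhooks/000000000000000000/constructed_example_token\x00")
        zf.writestr("com/example/Util.class", b"\xca\xfe\xba\xbe")  # benign noise entry
    return buf.getvalue()


if __name__ == "__main__":
    import sys
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_jar()
    result = triage_jar(blob)
    print(verdict(result), result)
```

Run it with a path to a JAR to triage that file, or with no arguments to triage the constructed sample. The byte search is deliberately crude: it will miss strings the author has obfuscated or built at runtime, which is why the verdict requires two independent traits rather than any single one.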
MITRE ATT&CK® Techniques
| Tactic | Technique | Procedure |
| --- | --- | --- |
| Execution (TA0002) | Command and Scripting Interpreter: Windows Command Shell (T1059.003) | cmd.exe is used to run commands such as taskkill. |
| Persistence (TA0003) | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder (T1547.001) | Drops a copy of the malware file into the %appdata% folder and adds a Run registry entry. |
| Defense Evasion (TA0005) | Impair Defenses: Disable or Modify Tools (T1562.001) | Kills the Task Manager and Registry Editor processes. |
| Defense Evasion (TA0005) | Modify Registry (T1112) | Modifies the Windows registry. |
| Credential Access (TA0006) | OS Credential Dumping (T1003) | Tries to harvest and steal browser information. |
| Discovery (TA0007) | Process Discovery (T1057) | Queries the list of all running processes. |
| Discovery (TA0007) | System Information Discovery (T1082) | Gathers system information through various methods. |
| Discovery (TA0007) | File and Directory Discovery (T1083) | Enumerates files and folders for ransomware encryption. |
| Collection (TA0009) | Data from Local System (T1005) | Tries to harvest and steal browser information. |
| Command and Control (TA0011) | Non-Application Layer Protocol (T1095) | Uses raw sockets for network communication. |
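The Execution, Persistence and Defense Evasion rows above describe host behaviour that is visible in endpoint telemetry: a JVM spawning cmd.exe to taskkill Task Manager or regedit, and a Run value that launches a .jar from %appdata%. The following is an added example, not from the Cyble write-up: a detection pass over Sysmon-style process-creation (EventID 1) and registry value-set (EventID 13) events that maps each hit to the technique IDs in the table. The events are constructed for the example, not telemetry from the real sample; the field names follow Sysmon’s schema.

```python
# Added example (not from the Cyble write-up): behavioural detection for the
# Sayler-style techniques in the ATT&CK table, run over constructed Sysmon-style
# events. Field names follow Sysmon (EventID 1 = process create, 13 = registry value set).
import re

JAVA_IMAGES = ("java.exe", "javaw.exe")
PROTECTED_TOOLS = ("taskmgr.exe", "regedit.exe")
TASKKILL_RE = re.compile(r"\btaskkill(?:\.exe)?\b.*?/IM\s+\"?([^\s\"]+)", re.IGNORECASE)

# Constructed sample events; paths and SIDs are placeholders, not real telemetry.
SAMPLE_EVENTS = [
    {"EventID": 1, "ParentImage": r"C:\Program Files\Java\jre-17\bin\javaw.exe",
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe /c taskkill /F /IM taskmgr.exe"},
    {"EventID": 1, "ParentImage": r"C:\Program Files\Java\jre-17\bin\javaw.exe",
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe /c taskkill /F /IM regedit.exe"},
    {"EventID": 13, "Image": r"C:\Program Files\Java\jre-17\bin\javaw.exe",
     "TargetObject": r"HKU\S-1-5-21-0-0-0-1001\Software\Microsoft\Windows\CurrentVersion\Run\Java",
     "Details": r'"C:\Program Files\Java\jre-17\bin\javaw.exe" -jar "C:\Users\alice\AppData\Roaming\Java.jar"'},
    {"EventID": 1, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe /c dir"},           # benign noise
    {"EventID": 13, "Image": r"C:\Windows\System32\msiexec.exe",
     "TargetObject": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "Details": r'"C:\Program Files\OneDrive\OneDrive.exe" /background'},                # benign Run key
]


def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return one alert per event that matches a Sayler-style behaviour."""
    alerts = []
    for ev in events:
        eid = ev.get("EventID")
        if eid == 1 and _basename(ev.get("ParentImage", "")) in JAVA_IMAGES:
            # T1059.003 + T1562.001: a JVM spawning cmd.exe to taskkill Task Manager / regedit.
            m = TASKKILL_RE.search(ev.get("CommandLine", ""))
            if m and m.group(1).lower() in PROTECTED_TOOLS:
                alerts.append({"rule": "java_kills_admin_tool", "technique": "T1562.001",
                               "target": m.group(1).lower()})
        elif eid == 13 and "\\currentversion\\run\\" in ev.get("TargetObject", "").lower():
            # T1547.001: a Run value whose command launches a .jar from %appdata%.
            details = ev.get("Details", "").lower()
            if ".jar" in details and "\\appdata\\roaming\\" in details:
                alerts.append({"rule": "run_key_launches_appdata_jar", "technique": "T1547.001",
                               "value": ev["Details"]})
    return alerts


def techniques_hit(alerts):
    """Distinct ATT&CK technique IDs covered by a set of alerts."""
    return sorted({a["technique"] for a in alerts})


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
    print("techniques:", techniques_hit(detect(SAMPLE_EVENTS)))
```

The taskkill rule keys on the parent being a JVM; on hosts where Java build tooling legitimately spawns cmd.exe, the discriminator is the target process (Task Manager or regedit), which is rarely killed by benign software. The Run-key rule is narrow on purpose: it looks for a .jar under AppData\Roaming rather than any Java command line, so a legitimately installed Java application registered under Program Files does not fire it.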
Indicators of Compromise (IOCs)
| Indicators | Indicator Type | Description |
| --- | --- | --- |
| 3a285221a2ee58369c4d39d2ee508b3d | MD5 | Java.jar |
| d04754ca5c9853d4f5688ddafd76b125306dd01b | SHA1 | Java.jar |
| ad79376aa24df8dab799d4fb4c5d0c913fda03bfea65cbd80923a5919bb1e9b9 | SHA256 | Java.jar |
| 9f36aa7edd5e1f19b541f209386bc7ea | MD5 | BlazeXHack.jar |
| ed51900e5b6bb58c116236aff1ed3dec4440702b | SHA1 | BlazeXHack.jar |
| 1349f1ac1da22cb2f2251a7e26dbc1e8716504c76d623d800e96295b8cdd00eb | SHA256 | BlazeXHack.jar |
Source: https://cyble.com/blog/new-java-based-sayler-rat-targets-polish-speaking-users/