Key Takeaways
- Cyble Research and Intelligence Labs (CRIL) came across a ZIP archive file on VirusTotal with minimal detection. Further analysis of this file revealed the presence of a new Java-based Remote Access Trojan (RAT) embedded within the same archive.
- The ZIP archive includes a shortcut (.lnk) file. When executed, it triggers a JavaScript to initiate the execution of a malicious JAR, which is identified as “Saw RAT.”
- Saw RAT comprises multiple functionalities, including the collection of system information, transferring files, listing directories, executing arbitrary commands, and more.
- The Threat Actors (TAs) use a raw socket connection between the server and the client for all communication, including data exchange, remote control, and other operations.
- The TAs responsible for this Saw RAT and its targeted victims are currently unknown.
Overview
On November 22nd, CRIL came across a ZIP archive file on VirusTotal. Upon analysis, it was observed that the ZIP file contains a shortcut file (.lnk) with an Adobe icon, initiating the execution of a new Java-based RAT that is concealed within the cybersecurity best practices that create the first line of control against attackers. We recommend that our readers follow the best practices given below:
- The initial infection occurs via spam emails or deceptive websites. Therefore, it’s advisable to deploy strong email filtering systems for identifying and preventing the dissemination of malicious attachments and to only download and install software applications from reputable and trusted sources.
- Consider disabling or limiting the execution of scripting languages, such as PowerShell or JavaScript, on user workstations and servers if they are not essential for legitimate purposes.
- Deploy strong antivirus and anti-malware solutions to detect and remove malicious executable files.
- Set up network-level monitoring to detect unusual activities or data exfiltration by malware. Block suspicious activities to prevent potential breaches.
- Enhance system security by creating strong, distinct passwords for each account and, whenever feasible, enabling two-factor authentication.
- Regularly back up data so that it can be recovered after an infection. Keep users informed about the latest phishing and social engineering methods employed by cybercriminals.
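As an added, defender-side example (not code from the Cyble report), the following Python parses the StringData section of a Windows shortcut as laid out in MS-SHLLINK and flags the launcher patterns that the LNK-to-JavaScript-to-JAR chain above relies on (cmd.exe, a script host or .js file, java/.jar). The pattern names, the parser and the constructed sample shortcut are assumptions of this example, not artefacts from the analysed archive.

```python
import re
import struct

FLAG_IDLIST, FLAG_LINKINFO, FLAG_UNICODE = 0x01, 0x02, 0x80
STRING_FLAGS = [(0x04, "name"), (0x08, "relative_path"), (0x10, "working_dir"),
                (0x20, "arguments"), (0x40, "icon_location")]   # on-disk order (MS-SHLLINK 2.4)
# Hypothetical triage patterns for the chain in the report: shortcut -> cmd.exe/JScript -> JAR.
SUSPICIOUS = {
    "script host launched from shortcut": re.compile(r"\b[wc]script(\.exe)?\b|\.js\b", re.I),
    "Java archive launched from shortcut": re.compile(r"\bjavaw?(\.exe)?\b|\.jar\b", re.I),
    "cmd.exe used as launcher": re.compile(r"\bcmd(\.exe)?\b\s*/c", re.I),
}

def parse_lnk(data: bytes) -> dict:
    """Return the shortcut's StringData fields (name, relative_path, working_dir, arguments, ...)."""
    if len(data) < 76 or struct.unpack_from("<I", data, 0)[0] != 0x4C:
        raise ValueError("not a shell link: bad HeaderSize")
    flags = struct.unpack_from("<I", data, 0x14)[0]
    pos = 76                                      # skip the fixed-size ShellLinkHeader
    if flags & FLAG_IDLIST:                       # LinkTargetIDList: 2-byte size + items
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & FLAG_LINKINFO:                     # LinkInfo: 4-byte size that includes itself
        pos += struct.unpack_from("<I", data, pos)[0]
    width = 2 if flags & FLAG_UNICODE else 1      # UTF-16LE or ANSI code page
    fields = {}
    for bit, key in STRING_FLAGS:
        if flags & bit:
            count = struct.unpack_from("<H", data, pos)[0]
            raw = data[pos + 2:pos + 2 + count * width]
            fields[key] = raw.decode("utf-16-le" if width == 2 else "cp1252", errors="replace")
            pos += 2 + count * width
    return fields

def assess_lnk(data: bytes) -> list:
    """Names of the triage patterns matched by the shortcut's target + arguments (empty = clean)."""
    f = parse_lnk(data)
    command = " ".join(f.get(k, "") for k in ("relative_path", "working_dir", "arguments"))
    return [name for name, rx in SUSPICIOUS.items() if rx.search(command)]

def build_sample_lnk(relative_path: str, arguments: str) -> bytes:
    """Constructed fixture: a minimal Unicode shortcut carrying only RELATIVE_PATH and ARGUMENTS."""
    clsid = bytes.fromhex("0114020000000000c000000000000046")   # LinkCLSID 00021401-...-46
    header = struct.pack("<I16sI", 0x4C, clsid, 0x08 | 0x20 | FLAG_UNICODE).ljust(76, b"\x00")
    body = b"".join(struct.pack("<H", len(s)) + s.encode("utf-16-le") for s in (relative_path, arguments))
    return header + body

if __name__ == "__main__":
    # Constructed sample mimicking the reported chain: the shortcut starts cmd.exe to run a .js file.
    sample = build_sample_lnk(r"..\..\Windows\System32\cmd.exe", "/c start decoy.pdf & wscript launcher.js")
    print(parse_lnk(sample)["arguments"], "->", assess_lnk(sample))
```

Real shortcuts often carry a LinkTargetIDList and ExtraData blocks as well; the parser skips the former by size and ignores everything after StringData, so it only needs the fields that matter for triage.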
MITRE ATT&CK® Techniques
Tactic | Technique | Procedure
Execution (TA0002) | Command and Scripting Interpreter: Windows Command Shell (T1059.003) | cmd.exe is used to run commands such as copy, start, and others.
Execution (TA0002) | Command and Scripting Interpreter: JavaScript (T1059.007) | Uses a JavaScript file to open the decoy PDF and run the malicious JAR file.
Defense Evasion (TA0005) | Data Encoding (T1132.001) | The malware may receive a command from the server encoded in Base64, which it subsequently decodes for execution.
Discovery (TA0007) | System Information Discovery (T1082) | The malware gathers system information such as OS name, username, etc.
Discovery (TA0007) | File and Directory Discovery (T1083) | Enumerates files and folders to get a list of directories.
Collection (TA0009) | Data from Local System (T1005) | Tries to gather information from the client system.
C&C (TA0011) | Non-Application Layer Protocol (T1071) | Uses sockets for network communication.
Indicators Of Compromise
Indicators | Indicator Type | Description
144[.]91[.]112[.]130:6023 | IP:Port | C&C
Source: https://cyble.com/blog/uncovering-the-new-java-based-saw-rats-infiltration-strategy-via-lnk-files/