

Rewterz Threat Advisory – ICS: Hitachi Energy RTU500 Series Vulnerability
December 26, 2023
Rewterz Threat Update – Carbanak Banking Malware Emerges Again with New Ransomware Tactics
December 26, 2023
Severity
High
Analysis Summary
Cybersecurity researchers have discovered a new Java-based remote access trojan (RAT) called Saw RAT with minimal detection by antivirus solutions. It possesses multiple capabilities, such as transferring files, harvesting system information, executing arbitrary commands, listing directories, and more.
A ZIP archive file was found on 22 November that contained a shortcut file (.lnk) with an Adobe icon. Opening it started the execution of Saw RAT, which is hidden in a Java Runtime Environment (JRE) directory bundled in the same archive and launched through a JavaScript file. The RAT establishes a connection to a remote server, allowing the actor to send commands to the compromised system. The original source of the maliciously crafted ZIP archive containing the LNK file with the Adobe icon is not yet known. The PDF file used as a lure in the infection chain is password-protected, which suggests that the password was shared with the victim in the phishing email.
When analyzed, researchers found that the ZIP file includes a folder named “a” and a shortcut file named “welfare_inititatives.lnk”. Inside the “a” folder is a subfolder named “jre” containing a JavaScript file, “jp.js”. This “jre” folder is a Java Runtime Environment directory holding numerous legitimate files and folders; however, a deceptive PDF file and a malicious JAR file stand out inside it.
When the “welfare_inititatives.lnk” file is executed, it triggers a command-line operation that copies the archive from either the Downloads or the Desktop folder into the %temp% folder, extracts the copied ZIP file there, and then runs the JavaScript file. The script opens the PDF file and launches the malicious JAR file using the Shell.Run method. The user is then prompted for the password that was probably supplied in the phishing email to open the PDF, which makes the activity look legitimate.

The Saw RAT is a 14 KB Java Archive file that can carry out multiple operations without being detected, responding to commands received from the command-and-control (C2) server. These functions include harvesting information such as the operating system name, username, and hostname; retrieving a list of available drives; enumerating the contents of a specific directory; sending specific files; capturing screenshots; and decoding Base64-encoded files received from the remote server.
It is notable that throughout the analysis the C2 server remained inactive, so no activity from the threat actor's side could be observed. If data is successfully exfiltrated, however, the attackers may carry out a range of malicious activities in pursuit of their goals, which could include financial gain, disruption, and espionage.
The security analysts concluded, “Trojans pose a substantial risk to both individuals and organizations, posing serious threats to privacy, data security, and the overall integrity of computer systems. RATs employ various methods for propagation. In this case, TAs utilized a maliciously crafted ZIP archive file.”
Users are advised to adhere to best practices that form the first line of defense against threat actors. Deploying strong email filtering to identify malicious attachments and links, disabling or limiting the execution of scripting languages, and enhancing overall system security by using strong passwords for all accounts go a long way toward protecting against emerging cyber threats.
Impact
- Sensitive Information Theft
- Unauthorized Access
Indicators of Compromise
MD5
- 13c01534896246365dbbb625d8dbcbf4
- 9acd010a980719f738ce561ccb127384
- 15957e06aead7d907972842d803f6471
SHA-256
- 7ae348cfe0954e1f1fa90259519d8fed4da5507ba206e99f704ddbb0634e7e57
- afe98e350b2c37e1213ace09cc18fdb1c654fa6651dbb98b2a5b364db8708b29
- 614741ce1bd8ac8afc25eac95df2e6e4709551d46e6bc26281bf2d1aa44e94d9
SHA-1
- 23a10d0d057dbaa919aaa7b55fc41c64de440fbc
- 6817f846408bc55d68ccc6b52b61afd9f4cfaa3e
- 66bb5a01bccaaa85382e32f5accc5a1437abae7a
IP
- 144.91.112.130
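The analysis above describes a recognizable archive layout (a .lnk at the top level next to a folder that contains a "jre" directory holding a JavaScript launcher, a JAR and a PDF) and lists file hashes as indicators of compromise. The following triage script is an added example, not code from Rewterz or from the original researchers: it inspects a ZIP attachment for that layout and checks every member's MD5, SHA-1 and SHA-256 against the hashes listed in this advisory. The sample archive it builds is constructed with placeholder contents; the names "a/jre/lure.pdf" and "a/jre/lib/saw.jar" are assumptions, since the advisory does not name the PDF or the JAR.

```python
import hashlib
import io
import zipfile
from pathlib import PurePosixPath

# File hashes exactly as listed in the Indicators of Compromise section above.
ADVISORY_HASHES = {
    # MD5
    "13c01534896246365dbbb625d8dbcbf4",
    "9acd010a980719f738ce561ccb127384",
    "15957e06aead7d907972842d803f6471",
    # SHA-1
    "23a10d0d057dbaa919aaa7b55fc41c64de440fbc",
    "6817f846408bc55d68ccc6b52b61afd9f4cfaa3e",
    "66bb5a01bccaaa85382e32f5accc5a1437abae7a",
    # SHA-256
    "7ae348cfe0954e1f1fa90259519d8fed4da5507ba206e99f704ddbb0634e7e57",
    "afe98e350b2c37e1213ace09cc18fdb1c654fa6651dbb98b2a5b364db8708b29",
    "614741ce1bd8ac8afc25eac95df2e6e4709551d46e6bc26281bf2d1aa44e94d9",
}


def hashes_of(data: bytes) -> dict:
    """Return lower-case hex MD5, SHA-1 and SHA-256 of a byte string."""
    return {name: hashlib.new(name, data).hexdigest() for name in ("md5", "sha1", "sha256")}


def triage_zip(zip_bytes: bytes, known_hashes=ADVISORY_HASHES) -> dict:
    """Inspect a ZIP for the delivery layout described in the advisory and for IoC hash hits."""
    findings = {"lnk_at_root": [], "js_in_jre": [], "jar_in_jre": [], "pdf_in_jre": [], "ioc_hits": []}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            path = PurePosixPath(info.filename)
            parts = [p.lower() for p in path.parts]
            suffix = path.suffix.lower()
            # A shortcut sitting directly at the archive root is the lure the user clicks.
            if len(parts) == 1 and suffix == ".lnk":
                findings["lnk_at_root"].append(info.filename)
            # Script, JAR and PDF nested anywhere under a "jre" directory.
            if "jre" in parts[:-1]:
                if suffix == ".js":
                    findings["js_in_jre"].append(info.filename)
                elif suffix == ".jar":
                    findings["jar_in_jre"].append(info.filename)
                elif suffix == ".pdf":
                    findings["pdf_in_jre"].append(info.filename)
            # Hash every member and compare against the advisory's IoC list.
            for algo, digest in hashes_of(zf.read(info)).items():
                if digest in known_hashes:
                    findings["ioc_hits"].append((info.filename, algo, digest))
    # The structural pattern: root .lnk plus a script and a JAR hidden under "jre".
    findings["matches_pattern"] = bool(
        findings["lnk_at_root"] and findings["js_in_jre"] and findings["jar_in_jre"]
    )
    return findings


def build_sample_zip() -> bytes:
    """Constructed sample mimicking the described layout with harmless placeholder contents."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("welfare_inititatives.lnk", b"placeholder shortcut")
        zf.writestr("a/jre/jp.js", b"// placeholder launcher script")
        zf.writestr("a/jre/bin/java.exe", b"placeholder runtime binary")
        zf.writestr("a/jre/lib/saw.jar", b"placeholder jar")      # assumed name
        zf.writestr("a/jre/lure.pdf", b"%PDF-1.4 placeholder")    # assumed name
    return buf.getvalue()


if __name__ == "__main__":
    result = triage_zip(build_sample_zip())
    print("matches Saw RAT delivery pattern:", result["matches_pattern"])
    for key in ("lnk_at_root", "js_in_jre", "jar_in_jre", "pdf_in_jre", "ioc_hits"):
        print(f"{key}: {result[key]}")
```

The structural check is intentionally independent of the hash check: a repackaged archive with recompiled components will not match any listed hash, yet the root shortcut plus a script and JAR buried in a "jre" tree is still worth flagging at the mail gateway or sandbox. Run it against real attachments by replacing `build_sample_zip()` with the archive bytes read from disk.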
Remediation
- Block all threat indicators at your respective controls.
- Search for Indicators of compromise (IOCs) in your environment utilizing your respective security controls.
- Never trust or open links and attachments received from unknown sources/senders.
- Passwords – Ensure that general security policies are employed including implementing strong passwords, correct configurations, and proper administration security policies.
- Admin Access – limit access to administrative accounts and portals to only relevant personnel and make sure they are not publicly accessible.
- Patch and upgrade all platforms and software in a timely manner, and make this a standard security policy. Prioritize patching known exploited vulnerabilities and zero-days.
- Enable antivirus and anti-malware software and keep signature definitions up to date. Multi-layered protection is necessary to secure vulnerable assets.
- Consider disabling or limiting the execution of scripting languages, such as PowerShell or JavaScript, on user workstations and servers if possible.