Ratty

Ratty is an open-source Java RAT, made available on GitHub and promoted heavily on HackForums.

In June 2020, a new variant of Ratty was found to be exploiting a spoofing vulnerability (CVE-2020-1464) discovered by security researchers in 2018 and exploited by threat actors for two years. The vulnerability allowed an attacker to take a clean MSI file, digitally signed by Microsoft, Google, etc., and append a malicious JAR file to it without impacting or changing the file's signature.

Techniques Used

Domain | ID | Name | Use

Enterprise | VT0036 | Exploitation for Defense Evasion

The 2020 Ratty variant exploited a spoofing vulnerability (CVE-2020-1464) in Windows which allowed an attacker to append a malicious JAR file to a clean MSI file signed by Microsoft or Google, without impacting or changing the digital signature.

Enterprise | VT0016.002 | Subvert Trust Controls: Code Signing

Ratty uses a spoofing vulnerability (CVE-2020-1464) in Windows to distribute malicious files that are signed by Microsoft, Google, etc. and appear legitimate.
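The two technique entries above describe the same artefact: a file that starts as a signed MSI package and ends as a JAR archive. MSI packages are OLE Compound File Binary documents (magic bytes D0 CF 11 E0 A1 B1 1A E1) and JAR files are ZIP archives, which readers locate from the End of Central Directory (EOCD) record at the end of the file, so a JAR appended to an MSI is still a loadable JAR. The following detection-side checker is an added example, not code from this page or from the Ratty project: it flags files with an OLE header and a trailing ZIP structure, and carves the appended archive so an analyst can list its entries. The sample it runs on is constructed (a fake 512-byte OLE-style header plus a tiny two-entry ZIP), not a real Ratty artefact.

```python
import io
import struct
import zipfile

# OLE Compound File Binary header; MSI packages use this container format.
OLE_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"
# ZIP End of Central Directory (EOCD) signature; JAR files are ZIP archives.
EOCD_SIG = b"PK\x05\x06"
EOCD_FIXED_LEN = 22          # fixed part of the EOCD record
EOCD_MAX_COMMENT = 65535     # an EOCD may be followed by a comment up to this long


def find_eocd(data: bytes):
    """Return the offset of the EOCD record if the file ends in a ZIP archive, else None.
    ZIP readers search backwards from the end, so the EOCD can sit at most
    EOCD_FIXED_LEN + EOCD_MAX_COMMENT bytes before EOF."""
    tail_start = max(0, len(data) - (EOCD_FIXED_LEN + EOCD_MAX_COMMENT))
    idx = data.rfind(EOCD_SIG, tail_start)
    if idx == -1 or idx + EOCD_FIXED_LEN > len(data):
        return None
    return idx


def carve_appended_zip(data: bytes):
    """Locate a ZIP archive at the end of data and return (start_offset, entry_names),
    or None if there is no trailing ZIP. The EOCD stores the central directory
    size (offset 12) and its offset relative to the archive start (offset 16);
    the archive start is therefore eocd - cd_size - cd_offset."""
    eocd = find_eocd(data)
    if eocd is None:
        return None
    cd_size, cd_offset = struct.unpack_from("<II", data, eocd + 12)
    zip_start = eocd - cd_size - cd_offset
    if zip_start < 0:
        return None
    with zipfile.ZipFile(io.BytesIO(data[zip_start:])) as zf:
        return zip_start, zf.namelist()


def classify(data: bytes) -> str:
    """Coarse verdict for a file that presents itself as an MSI package."""
    if not data.startswith(OLE_MAGIC):
        return "not-ole"
    if find_eocd(data) is None:
        return "msi-no-trailing-zip"
    return "msi-with-appended-zip"   # signature may verify, content deserves inspection


def build_sample() -> bytes:
    """Constructed sample for this example only (not a real Ratty artefact):
    a fake 512-byte OLE-style header followed by a minimal JAR-shaped ZIP."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\nMain-Class: Example\n")
        zf.writestr("Example.class", b"\xCA\xFE\xBA\xBE" + b"\x00" * 28)  # class-file magic + padding
    fake_msi = OLE_MAGIC + b"\x00" * (512 - len(OLE_MAGIC))
    return fake_msi + buf.getvalue()


if __name__ == "__main__":
    sample = build_sample()
    print(classify(sample))              # msi-with-appended-zip
    print(carve_appended_zip(sample))    # (512, ['META-INF/MANIFEST.MF', 'Example.class'])
```

The check is deliberately structural: it does not depend on the Authenticode signature at all, which is the point, since on an unpatched system the signature on such a file still verifies. In practice a file-analysis pipeline would pair this with a signature check and treat "signed MSI with a trailing ZIP" as a high-priority anomaly rather than trusting the signer name.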

Attachments

ID: VS0015

Type: MALWARE

Created: 09 May 2021

Last Modified: 09 May 2021