
New Java-Based Sayler RAT Targets Polish Speaking Users

Key Takeaways

  • Cyble Research and Intelligence Labs (CRIL) came across a Java Archive (JAR) file on VirusTotal with zero detection, and subsequent analysis revealed that it is a Remote Access Trojan (RAT) identified as “Sayler.”
  • Our analysis indicates that the Sayler RAT is intentionally designed to target Polish language users.
  • Sayler RAT comprises malicious features, including a Keylogger, Information Stealer, Screen Capture, Ransomware, and additional functions.
  • The Threat Actor (TA) employs a socket connection to facilitate communication between the client and server, enabling various functions such as data exchange, remote control access, and others.
  • The RAT includes Server GUI code and utilizes Discord for exfiltration.

Overview

On October 25th, CRIL came across an undetected Java Archive (JAR) file named “Java.jar” on VirusTotal. Upon investigation, it was determined that the JAR file is a new Remote Access Trojan named “Sayler.”

Figure 1 – Identification of Sayler RAT

Sayler RAT is designed to provide covert remote access and control over a targeted computer. This RAT is stealthily installed on a system, giving the attacker the means to execute a range of unauthorized actions. These actions encompass taking control of the victim’s desktop, stealing sensitive data, capturing the screen, monitoring keystrokes, and even engaging in activities such as carrying out Ransomware attacks.

Upon further analysis, it becomes evident that numerous strings within the malware file are written in Polish. Additionally, the package name “pl.sayler” in the code also coincides with the two-letter country code “pl” for Poland. Furthermore, it’s worth noting that the file was submitted to VirusTotal from Poland. In conjunction, these factors strongly suggest that the JAR file may be designed for use in a campaign targeting Polish users.

Initial Infection

The origin of the Sayler RAT’s initial infection is unknown. The malware may infiltrate a user’s system through channels such as spam emails or deceptive phishing websites.

Technical Analysis

We have taken a Java Archive file named “Java.jar,” which has a size of 12.57 MB, for analysis.

The main class within the file is “pl.sayler.site.client.Client.” Inside this class, a main method is present, which internally invokes another method named “Client” with the parameters “host” and “port,” as illustrated in the figure below. This is likely intended to set up a communication channel with a remote server that is controlled by the attacker, serving purposes such as data exchange, remote access, and more.

Figure 2 – Main method
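As an added triage example (not Cyble's tooling or the RAT's own code), the script below inspects a JAR for the traits described above: the Main-Class in META-INF/MANIFEST.MF, classes under the pl/sayler package, and a SHA256 match against the IOCs listed at the end of this post. The stand-in JAR it builds in memory is constructed for the demonstration.

```python
"""Static triage of a Java Archive for the Sayler RAT traits described above.

Added example, not Cyble's tooling. The in-memory sample JAR is constructed;
the SHA256 values are the IOCs from this post's IOC table.
"""
import hashlib
import io
import zipfile

# SHA256 IOCs from the post's IOC table (Java.jar and BlazeXHack.jar).
KNOWN_SHA256 = {
    "ad79376aa24df8dab799d4fb4c5d0c913fda03bfea65cbd80923a5919bb1e9b9": "Java.jar",
    "1349f1ac1da22cb2f2251a7e26dbc1e8716504c76d623d800e96295b8cdd00eb": "BlazeXHack.jar",
}
SUSPECT_PACKAGE = "pl/sayler/"
SUSPECT_MAIN = "pl.sayler.site.client.Client"


def parse_main_class(manifest_text):
    """Return the Main-Class from a MANIFEST.MF, merging the continuation
    lines the JAR spec allows (a line starting with a space continues the
    previous attribute)."""
    merged = []
    for line in manifest_text.splitlines():
        if line.startswith(" ") and merged:
            merged[-1] += line[1:]
        else:
            merged.append(line)
    for line in merged:
        if line.lower().startswith("main-class:"):
            return line.split(":", 1)[1].strip()
    return None


def triage_jar(jar_bytes):
    """Inspect raw JAR bytes and return a dict of findings."""
    sha256 = hashlib.sha256(jar_bytes).hexdigest()
    findings = {"sha256": sha256, "ioc_match": KNOWN_SHA256.get(sha256),
                "main_class": None, "sayler_classes": [], "verdict": "clean"}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        names = zf.namelist()
        if "META-INF/MANIFEST.MF" in names:
            manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
            findings["main_class"] = parse_main_class(manifest)
        findings["sayler_classes"] = sorted(
            n for n in names if n.startswith(SUSPECT_PACKAGE) and n.endswith(".class"))
    if findings["ioc_match"]:
        findings["verdict"] = "known_sayler_sample"
    elif findings["main_class"] == SUSPECT_MAIN or findings["sayler_classes"]:
        findings["verdict"] = "sayler_traits"
    return findings


def build_sample_jar():
    """Constructed stand-in JAR mimicking the class layout the post describes.
    The Main-Class line is deliberately split across a continuation line."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF",
                    "Manifest-Version: 1.0\r\nMain-Class: pl.sayler.site.client.Clien\r\n t\r\n")
        zf.writestr("pl/sayler/site/client/Client.class", b"\xca\xfe\xba\xbe")
        zf.writestr("pl/sayler/site/client/Settings.class", b"\xca\xfe\xba\xbe")
    return buf.getvalue()


if __name__ == "__main__":
    print(triage_jar(build_sample_jar()))
```

Run it against a real archive with `triage_jar(open(path, "rb").read())`; a hash match is definitive, while the package or Main-Class heuristic only flags the sample for manual review.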

Settings

The figure below shows the Java class “Settings,” which contains various configuration settings of the malware. Notable settings include a Discord webhook URL for sending notifications, a file path for a keylogger, path for the file named “blocked” (this file is used to determine the computer’s state, indicating whether it is ‘blocked’ or ‘unblocked’), a version number, and options to enable or disable sound and menu notifications, as well as specifying whether packet communication should be asynchronous or synchronous.

Figure 3 – Settings of Sayler RAT

Main Method

Upon execution of the .jar file, the main method invokes the Client() method with the arguments “host” and “port.” This method performs the main functionalities of the malware, as illustrated in the provided code snippet below.

Figure 4 – Overall functions of the Client

The Client() method first calls the registerGlobalScreenListeners() function, which sets up global input event listeners for keyboard and mouse events using the GlobalScreen library. These listeners capture low-level keyboard and mouse input events, allowing for the recording and handling of these events, typically for further processing or logging. The code snippet for the registerGlobalScreenListeners() method is shown in the following figure.

Figure 5 – registerGlobalScreenListeners() method

Then, it invokes the checkComputerIsBlocked() method to determine the computer’s state. It checks the existence of a file named “blocked” within the RAT directory.

  • If the file is found, the function returns true, indicating that the computer is considered “blocked.”
  • Conversely, if the file is not present, the function returns false, signifying that the computer is not in a “blocked” state.

The result is then stored in the variable named computerBlocked.

Following the computer’s state check, the malware proceeds to set up multiple components, including the process killer, ransomware, screen capture, keylogger, and block computer mouse listener, as shown below.

Figure 6 – Initializing multiple components

Process Killer

The ProcessKiller class is designed to terminate specific processes (such as taskmgr.exe, regedit.exe, and SystemSettings.exe) on the computer, primarily aimed at blocking access to essential system tools. Terminating these processes is an attempt by the malware to avoid detection and interference, thereby making it more difficult for users to detect and remove it.

Initially, it sets the “killing” flag based on the result of the computerIsBlocked() method, which fetches its value from the computerBlocked variable. If the “killing” flag is true, it calls the start() method, which utilizes a timer-based approach to repeatedly attempt to terminate the specific processes until the “killing” flag is set to false. When the “killing” flag is false, it stops the termination operation by invoking the stop() method, as shown in the below code snippet figure.

Figure 7 – Code snippet of Process killer

Ransomware

The code defines a class called RansomWare, which is responsible for encryption and decryption of files. When the ransomware encrypts a file using the cryptFile() method, it essentially renames the original file by giving it a random name and appending a “.locked” extension. Subsequently, the encrypted file is moved to a new location within the ransomware directory. Notably, the code avoids encrypting files located within the ransomware directory itself. After encrypting a specified number of files, it saves the information of these encrypted files into a file within the ransomware directory.

Additionally, it provides functionality to decrypt files based on the saved information. The program can decrypt all files in the ransomware directory and delete the set of encrypted files. The RansomWare class in the provided code does not include logic for displaying a ransom note or for targeting specific file extensions for encryption. This implies that the code might be incomplete or not fully developed. The code snippet for the Ransomware class is shown in the below figure.

Figure 8 – Code snippet of Ransomware

Screen Capture

The CaptureLiveScreen class captures the live screen of the computer at fixed intervals and sends the captured image data to a Client object. The screen capture process is conditional, based on the value of the capturing variable, which is set from the computer’s state (the computerBlocked variable). The screen capture occurs in the background, and it’s initiated and controlled by the start() and stop() methods. The code snippet for the CaptureLiveScreen class is shown in the figure below.

Figure 9 – Code snippet of the Capture screen

KeyLogger

The class KeyLogger is designed to function as a keylogger, capturing and logging keystrokes on a computer system. It implements the NativeKeyListener interface, allowing it to monitor keyboard events. This class initializes instance variables, including the log file path, an enabled flag, and a reference to a Client object for potential data transmission. The constructor ensures the existence of the log file and a designated directory. When a key is pressed (as detected by the nativeKeyPressed method), the keylogger records it in the log file. The class also offers the ability to enable or disable the keylogger, send the log file to a remote server, and clear the log content, as shown in the following code snippet image.

Figure 10 – Code snippet of the Keylogger

BlockComputerMouseListener

The BlockComputerMouseListener class functions as an event listener for mouse and keyboard events. When it detects that the computer is in a “blocked” state, it takes actions to potentially disable or disrupt the computer, including restarting the Windows Explorer shell and initiating a system shutdown, as shown below.

Figure 11 – BlockComputerMouseListener class

Other Modules

In addition to incorporating modules for functions such as process killer, ransomware, screen capture, keylogger, and mouse interaction blocker, the malware also includes code for modules like Stealer, older versions of ransomware, and more.

Stealer

The stealer code is designed to illicitly acquire sensitive data, including login credentials (usernames and passwords), browsing histories, and web data (such as credit card information) from a wide range of web browsers. These targeted browser paths are mentioned in the table below.

Opera Stable | Amigo | Slimjet | Chromodo
Opera GX Stable | Vivaldi | 360Browser | Yandex Browser
Google Chrome | Orbitum | Maxthon3
Google Chrome (x86) | Mail.Ru\Atom | K-Melon
Microsoft Edge | Kometa | Sputnik
Chromium | Comodo Dragon | Nichrome
Brave Browser | Torch | CocCoc Browser
Privacy Browser | Comodo | uCozMedia\Uran

The gathered information is stored in separate text files with filenames corresponding to the type of data, such as “browser_accs.txt” for browser accounts, “browser_cards.txt” for credit card details, and “browser_history.txt” for browsing history. Furthermore,

  • The code collects various computer-related details, such as the computer name, username, RAM information, operating system information, system version information, processor details, and the Windows product key.
  • The code gathers internet-related information, including the IP address, country name, city name, region name, version information, postal code, latitude and longitude coordinates, and the organization associated with the IP address.

In addition to browser and system data, the code is also designed to steal tokens from popular applications like Discord and Minecraft.

The image below depicts the different classes utilized by the RAT to perform data-stealing operations on the victim’s computer.

Figure 12 – Stealer functionalities

Init() Method

After the initialization of various components, the malicious code invokes the private method init(), which is responsible for configuring a graphical user interface (GUI) for a client application using the Java Swing framework. This code sets up a GUI client interface with the ability to send packets, log messages, and determine whether to send packets asynchronously or not, as shown in the code snippet below. The command-and-control (C&C) server responds in accordance with the packets it receives.

Figure 13 – Init() method

If the computerBlocked variable is set to “true”, the code calls the blockMouse() method, which is designed to block mouse input by continuously resetting the mouse cursor’s position to a specific coordinate.

Next, it calls the sendWebhookInfo() method, which sends a Discord webhook message (“New user joins the server”) with a specified username, avatar, and embedded content, including the “info” parameter and the user’s computer name, and enables TTS (Text-to-Speech) for the message, as shown in the below image. This Discord webhook is used for data exfiltration from the victim’s system.

Figure 14 – Discord webhook details

The figure below shows the Discord webhook code, which contains the malware Avatar image.

Figure 15 – Discord webhook code
Figure 16 – Avatar image used in the Discord

Persistence

After sending the webhook message, it copies the malware file into the “%appdata%\Oracle\AIR” location. It creates two Run registry entries for persistence, which start the malware file every time the system boots, as depicted in the figure below.

Figure 17 – Persistence
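An added detection example (not from the post or the RAT's code) for the persistence described above: it flags Run-key values that launch a .jar from the %appdata%\Oracle\AIR drop path. The sample registry values are constructed, and the check assumes the entries live under the current user's Run key, which the post does not specify.

```python
"""Flag Run-key values that launch a JAR from %appdata%\\Oracle\\AIR.

Added example, not Cyble's tooling. The registry values below are constructed;
reading HKCU\\...\\Run is an assumption about where the entries are placed.
"""
import platform

# %appdata% expands to <profile>\AppData\Roaming, so match on that suffix.
DROP_DIR = r"\appdata\roaming\oracle\air"

# Constructed Run-key values as a {value name: command} mapping.
SAMPLE_RUN_VALUES = {
    "OneDrive": r'"C:\Users\u\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
    "Java": r'"C:\Program Files\Java\jre\bin\javaw.exe" -jar "C:\Users\u\AppData\Roaming\Oracle\AIR\Java.jar"',
    "JavaUpdate": r"C:\Users\u\AppData\Roaming\Oracle\AIR\Java.jar",
}


def is_sayler_persistence(command):
    """True when the command runs a .jar located under the Oracle\\AIR drop path."""
    lowered = command.lower()
    return DROP_DIR in lowered and ".jar" in lowered


def suspicious_run_entries(run_values):
    """Return only the Run-key values matching the persistence pattern."""
    return {name: cmd for name, cmd in run_values.items() if is_sayler_persistence(cmd)}


def read_run_values():
    """On Windows, enumerate HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run;
    elsewhere fall back to the constructed samples so the script runs offline."""
    if platform.system() != "Windows":
        return SAMPLE_RUN_VALUES
    import winreg
    values = {}
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER,
                        r"Software\Microsoft\Windows\CurrentVersion\Run") as key:
        index = 0
        while True:
            try:
                name, data, _ = winreg.EnumValue(key, index)
            except OSError:  # no more values
                break
            values[name] = str(data)
            index += 1
    return values


if __name__ == "__main__":
    for name, cmd in suspicious_run_entries(read_run_values()).items():
        print(f"suspicious Run entry {name!r}: {cmd}")
```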

Following that, the malware establishes a scheduled task using a Timer in Java to periodically monitor the status of a socket connection. If the socket is either null, closed, or not connected, it attempts to establish a connection using the tryConnect() method and, upon success, invokes the connected() method.

Connected() Method

Upon execution of the connected() method, it again calls the addToStartup() method to create persistence. Then, it calls the method named sendConnectedClientPacket(), which is responsible for gathering various pieces of information about the client’s system, creating a specific packet with this information, and then sending that packet to the server to notify it of the client’s connection. This information may be used for various purposes on the server side, such as tracking client connections or version management.

The code snippet for the connected() method is shown in the image below.

Figure 18 – Connected() method

Once the connected client system information has been sent, the code initiates a new thread to run the registerReceivePacketsListener() method in parallel with the main thread. This new thread continuously monitors an input stream for incoming objects. When an object is received and identified as a “Packet,” it proceeds to process these packets using the processReceivedPacket() method. Additionally, within the processReceivedPacket() method, a new thread is generated to manage the received packets. The received packets contain commands from the attacker specifying the operation they intend to execute.

The registerReceivePacketsListener() method is shown in the following code snippet figure.

Figure 19 – Code snippet of registerReceivePacketsListener()

Received Packets

The Sayler RAT carries out its malicious operations based on the packets it receives from the server. These functionalities include:

Received Packet | Description
Capture camera image | This function allows the RAT to take pictures or access the camera feed on the infected computer.
Open/Close/Send a chat message | The RAT can open, close, and send chat messages on the compromised system.
Requesting block/unblock computer | The RAT can request to block or unblock certain actions or functionality on the victim’s computer.
Requesting disable computer | This function disables the victim’s computer, potentially rendering it unusable.
Requesting enable/disable computer hibernate | The RAT can enable or disable the hibernation feature on the compromised computer.
Get file | This function allows the RAT to request files from the infected computer.
Run file | It permits the RAT to execute specific files or programs on the victim’s system.
Delete file | This functionality allows the RAT to delete files on the infected computer.
Download file | The RAT can use this to download files from the victim’s machine to the attacker’s server.
File Transfer | This likely refers to the capability to transfer files between the compromised system and the attacker’s server.
Enable/Disable KeyLogger | The RAT can activate or deactivate a keylogger on the victim’s computer, which records keystrokes.
Send KeyLogger Logs | This allows the RAT to transmit the recorded keylogger logs to the attacker.
Clear KeyLogger Logs | The RAT can clear or delete the logs generated by the keylogger to erase traces of its activity.
Send keyboard keys | This function enables the RAT to simulate and send keyboard inputs, potentially to control the infected system.
Block/Unblock mouse | The RAT can block or unblock mouse input, potentially restricting the victim’s actions.
Send mouse click | It allows the RAT to simulate mouse clicks, potentially controlling the victim’s system.
Set mouse position | The RAT can change the mouse cursor’s position on the infected computer.
Running console command | This function lets the RAT execute command-line instructions on the victim’s machine.
Request to visit a web page | The RAT can request the victim’s computer to open a specific web page, possibly for phishing or malicious purposes.
Block/Unblock processes | It can block or unblock specific processes running on the infected computer.
Sending process list | This function sends a list of processes running on the victim’s computer to the attacker.
Killing process | The RAT can terminate or kill specific processes on the infected system.
Ransomware crypt files process | This function is related to the encryption of files as a part of a ransomware attack.
Ransomware decrypt files process | This function is related to the decryption of files, potentially after a ransom payment.
Capture desktop screen | The RAT can capture screenshots or the desktop screen on the victim’s computer.
Requesting steal browser accounts | This function likely involves stealing login credentials from web browsers.
Requesting steal browser credit cards | It is likely used to steal credit card information stored in web browsers.
Requesting steal browser history | This function may be used to steal browsing history data from web browsers.
Requesting steal computer info | This involves requesting information about the victim’s computer.
Requesting steal discord tokens | The RAT can request to steal Discord authentication tokens.
Requesting steal internet info | This function involves requesting information about the victim’s internet connection or activity.
Console log | The RAT can generate logs for its activities, potentially for debugging or tracking purposes.

The figure below illustrates the various classes employed by the RAT to carry out malicious functions on the victim’s computer.

Figure 20 – Classes employed by the RAT to carry out malicious functions

Finally, the malware sends all the collected information through the sendWebhookInfo() function to the server in a JSON format. Conversely, if the socket is already connected, the code logs “Already connected.” This task repeats at 10-second intervals, ensuring the ongoing monitoring and maintenance of the connection status.
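The fixed 10-second reconnect timer described above produces connection attempts with almost no jitter, which is a signal a defender can look for in endpoint or firewall logs. The following is an added example (not Cyble's tooling or the RAT's code) that groups connection attempts per host, process and destination and flags near-constant intervals; the log format, host names, process name and documentation-range IP addresses are all constructed.

```python
"""Flag fixed-interval reconnection attempts such as the 10-second Timer loop
described above.

Added example, not Cyble's tooling. The log lines and their format are
constructed; 198.51.100.0/24 and 203.0.113.0/24 are documentation ranges.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed connection-attempt records: WS-01 retries a closed C&C port every
# 10 s; WS-02 is ordinary browser traffic with irregular gaps.
SAMPLE_LOG = """\
2023-10-25T10:00:00 host=WS-01 proc=javaw.exe dst=198.51.100.7:4444 event=connect_attempt
2023-10-25T10:00:10 host=WS-01 proc=javaw.exe dst=198.51.100.7:4444 event=connect_attempt
2023-10-25T10:00:20 host=WS-01 proc=javaw.exe dst=198.51.100.7:4444 event=connect_attempt
2023-10-25T10:00:30 host=WS-01 proc=javaw.exe dst=198.51.100.7:4444 event=connect_attempt
2023-10-25T10:00:40 host=WS-01 proc=javaw.exe dst=198.51.100.7:4444 event=connect_attempt
2023-10-25T10:00:03 host=WS-02 proc=chrome.exe dst=203.0.113.9:443 event=connect_attempt
2023-10-25T10:00:41 host=WS-02 proc=chrome.exe dst=203.0.113.9:443 event=connect_attempt
2023-10-25T10:01:12 host=WS-02 proc=chrome.exe dst=203.0.113.9:443 event=connect_attempt
2023-10-25T10:03:05 host=WS-02 proc=chrome.exe dst=203.0.113.9:443 event=connect_attempt
"""


def parse_line(line):
    """Turn 'TIMESTAMP key=value ...' into a dict with a parsed 'ts' field."""
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.fromisoformat(ts)
    return rec


def find_beacons(log_text, min_attempts=4, max_jitter=1.0):
    """Group connection attempts by (host, process, destination) and report
    series whose inter-attempt gaps are nearly constant (population standard
    deviation at or below max_jitter seconds), the signature of a
    timer-driven reconnect loop."""
    series = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec.get("event") == "connect_attempt":
            series[(rec["host"], rec["proc"], rec["dst"])].append(rec["ts"])
    hits = []
    for (host, proc, dst), stamps in series.items():
        stamps.sort()
        if len(stamps) < min_attempts:
            continue
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        if pstdev(gaps) <= max_jitter:
            hits.append({"host": host, "proc": proc, "dst": dst,
                         "interval_s": round(mean(gaps), 1), "attempts": len(stamps)})
    return hits


if __name__ == "__main__":
    for hit in find_beacons(SAMPLE_LOG):
        print(hit)
```

On real telemetry, raise max_jitter slightly to absorb logging latency and require more attempts before alerting, since short regular series also occur in legitimate health-check traffic.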

Server GUI

The malware also includes a server GUI code designed to create a graphical interface for server management. This interface allows the attacker to monitor and control connected clients, execute actions on them, and adjust server settings. This GUI offers an intuitive interface for an attacker to oversee their network of compromised clients, as shown in the below code snippet figure.

Figure 21 – Server GUI code snippet

Conclusion

The emergence of the Sayler RAT, with a specific focus on targeting Polish-speaking users, raises significant concerns in the realm of cybersecurity. This malicious software boasts a formidable arsenal of features, encompassing a Keylogger, Information Stealer, Screen Capture, Ransomware, and additional capabilities.

However, the presence of incomplete Ransomware code, lacking the logic for displaying a ransom note or selectively encrypting specific file extensions, suggests that the RAT may still be in its developmental phase. Furthermore, the utilization of Discord webhooks for data exfiltration signifies a level of sophistication in communication methods. The evolving nature of this threat underscores the importance of heightened vigilance and proactive security measures among potential victims and organizations to counter this emerging risk effectively.

Our Recommendations

We have listed some essential cybersecurity best practices that create the first line of control against attackers. We recommend that our readers follow the best practices given below:

  • The initial breach occurs via spam emails or deceptive websites. Therefore, it’s advisable to deploy strong email filtering systems for identifying and preventing the dissemination of harmful attachments and to only download and install software applications from reputable and trusted sources.
  • Users should confirm the legitimacy of websites by verifying the presence of a secure connection (https://) and ensuring the accurate spelling of domain names.
  • Deploy strong antivirus and anti-malware solutions to detect and remove malicious executable files.
  • Enhance the system security by creating strong, distinct passwords for each of the accounts and, whenever feasible, activate two-factor authentication.
  • Set up network-level monitoring to detect unusual activities or data exfiltration by malware. Block suspicious activities to prevent potential breaches.
  • Regularly back up data to guarantee the ability to recover it in case of an infection and keep users informed about the most current phishing and social engineering methods employed by cybercriminals.

MITRE ATT&CK® Techniques

Tactic | Technique | Procedure
Execution (TA0002) | Command and Scripting Interpreter: Windows Command Shell (T1059.003) | cmd.exe is used to run commands like taskkill.
Persistence (TA0003) | Registry Run Keys / Startup Folder (T1547.001) | Drops a copy of the malware file to the %appdata% folder and adds a Run registry entry.
Defense Evasion (TA0005) | Disable or Modify Tools (T1562.001) | The malware kills the Task Manager and Registry Editor processes.
Defense Evasion (TA0005) | Modify Registry (T1112) | Modifies the Windows registry.
Credential Access (TA0006) | OS Credential Dumping (T1003) | Tries to harvest and steal browser information.
Discovery (TA0007) | Process Discovery (T1057) | Queries a list of all running processes.
Discovery (TA0007) | System Information Discovery (T1082) | The malware gathers system information through various methods.
Discovery (TA0007) | File and Directory Discovery (T1083) | Enumerates files and folders for ransomware encryption.
Collection (TA0009) | Data from Local System (T1005) | Tries to harvest and steal browser information.
C&C (TA0011) | Non-Application Layer Protocol (T1071) | Uses sockets for network communication.

Indicators of Compromise (IOCs)

Indicator | Indicator Type | Description
3a285221a2ee58369c4d39d2ee508b3d | MD5 | Java.jar
d04754ca5c9853d4f5688ddafd76b125306dd01b | SHA1 | Java.jar
ad79376aa24df8dab799d4fb4c5d0c913fda03bfea65cbd80923a5919bb1e9b9 | SHA256 | Java.jar
9f36aa7edd5e1f19b541f209386bc7ea | MD5 | BlazeXHack.jar
ed51900e5b6bb58c116236aff1ed3dec4440702b | SHA1 | BlazeXHack.jar
1349f1ac1da22cb2f2251a7e26dbc1e8716504c76d623d800e96295b8cdd00eb | SHA256 | BlazeXHack.jar
