{
	"id": "e34e2d3b-eccf-4065-8688-f5d95b984578",
	"created_at": "2026-04-06T00:09:01.124565Z",
	"updated_at": "2026-04-10T13:12:36.695588Z",
	"deleted_at": null,
	"sha1_hash": "8c6ce5826736058318bad4ebd9fe3081befd08a3",
	"title": "Interesting tactic by Ratty \u0026 Adwind for distribution of JAR appended to signed MSI - CVE-2020-1464 - Securityinbits",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 100576,
	"plain_text": "Interesting tactic by Ratty \u0026 Adwind for distribution of JAR appended to signed MSI - CVE-2020-1464 - Securityinbits\r\nBy Ayush Anand\r\nPublished: 2020-06-28 · Archived: 2026-04-05 12:58:12 UTC\r\nJune 28, 2020\r\nAdwind, binwalk, Bytecode Viewer, CVE-2020-1464, file, Glueball, IoCs, JAR, Java, MSI, RAT, Ratty, xxd, Yara, ZIP\r\nThis article discusses an interesting tactic actively used by different Java RAT malware authors, such as Ratty \u0026 Adwind, to distribute a malicious JAR appended to a signed MSI file. The technique was discovered by the VirusTotal team in Aug 2018 [9], but at that time it was not being used by malware authors to distribute malicious JAR files. Thanks to an EKTracker tweet [1], where I found the Ratty hashes that use this technique.\r\nOur goal is to understand the unique technique rather than to analyse the Java RAT itself.\r\nCONTENTS\r\n1. Overview of ZIP, JAR \u0026 MSI file format\r\n2. How does it work?\r\n3. Analysis of JAR appended to signed MSI files using Ratty RAT\r\n4. Timeline\r\n5. Conclusion\r\n6. Yara Signature\r\n7. Indicator of Compromise\r\n8. References\r\n1. Overview of ZIP, JAR \u0026 MSI file format\r\nBefore we discuss the technique we need to understand some concepts regarding ZIP, JAR and Windows Installer (MSI) files. If you already know this, please skip to the next section.\r\nZIP\r\nPE files are parsed from the top (the headers come first), but ZIP files are parsed from the bottom, because of their design. Some more details from Wikipedia [2]:\r\nA directory is placed at the end of a ZIP file. This identifies what files are in the ZIP and identifies where in the ZIP that file is located. This allows ZIP readers to load the list of files without reading the entire ZIP archive. A ZIP file is correctly identified by the presence of an end of central directory record (EOCD) which is located at the end of the archive structure in order to allow the easy appending of new files.\r\nhttps://www.securityinbits.com/malware-analysis/interesting-tactic-by-ratty-adwind-distribution-of-jar-appended-to-signed-msi/\r\nPage 1 of 7\r\n(Figure: ZIP file format, from Wikipedia [2])\r\nJAR\r\nJAR files follow the ZIP format. Some more details from Wikipedia [3]:\r\nA JAR (Java ARchive) is a package file format typically used to aggregate many Java class files and associated metadata and resources (text, images, etc.) into one file for distribution. JAR files are archive files that include a Java-specific manifest file. They are built on the ZIP format and typically have a .jar file extension.\r\nMSI or Windows Installer\r\nAn MSI file follows the Compound File Binary format (Composite Document File V2, also known as the OLE compound document format). A compound file is a structure used to store a hierarchy of storage objects and stream objects in a single file or memory buffer. oletools and oledump can be used to browse the structure of MSI files [5]. We will not go into much detail about the OLE format here.\r\n2. How does it work?\r\nThe malware author takes two files: a clean, digitally signed MSI file, say clean_signed.msi, and a malicious Java RAT, say malicious.jar.\r\nSteps:\r\n1. The malware author selects a clean clean_signed.msi that is digitally code-signed by Microsoft, Google, etc., so a security control may skip scanning the file because of its digital signature. The OS reads the file from the top, sees the digital signature, and everything looks fine so far.\r\n2. malicious.jar is essentially a ZIP file, which is read from the bottom as discussed above.\r\n3. On Microsoft Windows systems, the Java Runtime Environment's installer registers a default file association for JAR files, so double-clicking a JAR file on the desktop runs it automatically.\r\n4. Now the attacker just needs to append the JAR file to the MSI file and change the extension to .jar.\r\n5. The attacker can use the command copy /b clean_signed.msi + malicious.jar signed_malicious.jar to generate the signed malicious file.\r\n6. When the user executes signed_malicious.jar, the Java runtime locates the archive from its end (the EOCD record) and runs the malicious JAR; the MSI bytes in front of it are simply ignored.\r\nWhy is the digital signature still valid?\r\nAfter the attacker creates signed_malicious.jar the digital signature is still valid, for the reason given in the VirusTotal blog post:\r\nCode signing is the method of using a certificate-based digital signature to sign executables and scripts in order to verify the author's identity and ensure that the code has not been changed or corrupted since it was signed by the author. This way, for example, if you modify the content or append any data to a signed Windows PE (.EXE) file the signature of the resulting file will not be valid for Microsoft Windows, as expected. This behaviour changes when you append any data to the end of a signed Windows Installer (.MSI), the resulting file will pass the verification process of Microsoft Windows and will show just the original signature as valid without any other warning.\r\n3. Analysis of JAR appended to signed MSI files using Ratty RAT\r\nWe will analyse this Ratty sample, 06-01-20.jar (MD5: 13a4072d8d0eba59712bb4ec251e0593) [10]; the same process applies to the Adwind sample.\r\n1. Let's start by checking the magic bytes (file header) of this file with the file command and xxd.
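The gluing step from section 2 and the checks that the following steps do by hand with file, xxd and binwalk can be reproduced offline in a few lines of Python. This is an added example, not code from the original post: the MSI and the JAR are constructed stand-ins (only the MSI magic bytes are real, and the JAR is a two-entry archive written with zipfile), and the 0xc600 size of the filler is chosen to match the offset binwalk reports for the Ratty sample. It shows why a ZIP reader still finds the appended archive, namely that it walks backwards from the EOCD record and the difference between the real and the recorded central directory offset is exactly the length of the prepended MSI, and then runs the extension-versus-magic check and the carve.

```python
import io
import struct
import zipfile

MSI_MAGIC = bytes.fromhex('d0cf11e0a1b11ae1')   # OLE compound-file header used by MSI
ZIP_LFH = bytes.fromhex('504b0304')             # ZIP local file header
ZIP_EOCD = bytes.fromhex('504b0506')            # ZIP end of central directory record
EOCD_LEN = 22
MAX_COMMENT = 0xFFFF
NL = chr(10)


def build_fake_msi(size=0xC600):
    # Constructed stand-in for clean_signed.msi: only the magic bytes are
    # real, the rest is zero filler sized so the JAR lands at 0xc600 like
    # in the Ratty sample. A real sample would be a signed installer.
    return MSI_MAGIC + bytes(size - len(MSI_MAGIC))


def build_fake_jar():
    # Constructed stand-in for malicious.jar: a manifest and one dummy
    # class entry, which is all the checks below look for.
    manifest = NL.join(['Manifest-Version: 1.0', 'Main-Class: Loader', ''])
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, 'w', zipfile.ZIP_DEFLATED) as z:
        z.writestr('META-INF/MANIFEST.MF', manifest)
        z.writestr('Loader.class', bytes.fromhex('cafebabe') + bytes(60))
    return buf.getvalue()


def glue(msi, jar):
    # Equivalent of: copy /b clean_signed.msi + malicious.jar signed_malicious.jar
    return msi + jar


def find_eocd(data):
    # The EOCD record is 22 bytes followed by an optional comment of up to
    # 65535 bytes, so a reader scans backwards from the end for its signature.
    tail = data[-(EOCD_LEN + MAX_COMMENT):]
    pos = tail.rfind(ZIP_EOCD)
    return None if pos < 0 else len(data) - len(tail) + pos


def locate_appended_zip(data):
    # Returns (zip_start, entry_count) or None. The EOCD stores the central
    # directory offset relative to the ZIP's own start; the difference between
    # where the directory really is and where the EOCD says it is equals the
    # size of the prepended MSI, i.e. the offset binwalk reports.
    eocd = find_eocd(data)
    if eocd is None:
        return None
    (_sig, _disk, _cd_disk, _n_here, n_total, cd_size, cd_offset, _clen) = struct.unpack('<4s4H2LH', data[eocd:eocd + EOCD_LEN])
    zip_start = eocd - cd_size - cd_offset
    if zip_start < 0 or data[zip_start:zip_start + 4] != ZIP_LFH:
        return None
    return zip_start, n_total


def triage(name, data):
    # The manual checks from the article: extension versus header magic,
    # then carve the appended archive and list what it contains.
    ext = name.rsplit('.', 1)[-1].lower()
    report = {'ext': ext, 'msi_header': data.startswith(MSI_MAGIC), 'zip_start': None, 'entries': []}
    found = locate_appended_zip(data)
    if found is not None:
        report['zip_start'] = found[0]
        with zipfile.ZipFile(io.BytesIO(data[found[0]:])) as z:
            report['entries'] = z.namelist()
    report['suspicious'] = ext == 'jar' and report['msi_header'] and report['zip_start'] is not None
    return report


def reader_view(data):
    # What a ZIP/JAR reader (here Python's zipfile) sees when handed the whole
    # polyglot: it resolves the archive from the end and ignores the MSI bytes.
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        return z.namelist()


if __name__ == '__main__':
    sample = glue(build_fake_msi(), build_fake_jar())
    print(reader_view(sample))
    print(triage('06-01-20.jar', sample))
```

Running the script prints the entry list a ZIP reader sees for the whole polyglot, followed by the triage report with zip_start at 0xc600. The same triage() on a plain MSI or a plain JAR reports nothing suspicious, because either the EOCD or the MSI header is missing; that is the same extension-versus-header anomaly the Yara rule at the end of the post keys on.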
Please feel free to use any other hex viewer.\r\nBased on the .jar extension this file should have the ZIP magic bytes, but the figure above shows the standard MSI file header with magic bytes D0 CF 11 E0 A1 B1 1A E1.\r\nNote: This anomaly, an extension that does not match the header, is a good indicator for detecting this and other kinds of attack.\r\n2. Now if you check the digital signature in the file's Properties dialog, it looks fine. But Sigcheck will say “Signed but the filesize is invalid (the file is too large)”. This is another good detection point.\r\n3. Investigating further with binwalk on this 06-01-20.jar file, you will see that it matches several ZIP signatures starting at offset 0xc600, as shown in the figure below.\r\nBased on this output, you can easily guess that there is a JAR appended to this MSI file.\r\n4. If you dump some bytes at that offset with xxd you will see a ZIP local file header:\r\nxxd -s 0xc600 -l 0x100 06-01-20.jar\r\n6. The extracted file is not packed, so if you open extracted_ratty.jar in Bytecode Viewer you can see the decompiled Java code.\r\nBased on the package and folder structure, extracted_ratty.jar is based on the Ratty GitHub repo. I will not dig any further into this Ratty malware; the decompiled Java code can easily be analysed.\r\n4. Timeline\r\nThis technique was discovered by the VirusTotal team [9].\r\nVirusTotal posted a blog post [6] about this technique and mentioned that it was not being used massively to distribute malware.\r\nThere were two other notable blog posts [7] [8] discussing the VirusTotal post.\r\nAll three blog posts give a great explanation of this technique.\r\nMalware authors started using this technique to distribute malicious Java RATs like Adwind and Ratty.\r\nAt last, Microsoft decided to fix it as CVE-2020-1464 | Windows Spoofing Vulnerability.
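The Sigcheck message in step 2 of section 3 points at the reason behind the VirusTotal explanation quoted earlier: a compound file carries its own length in its sector allocation table (FAT), so a verifier that follows the FAT never reads bytes past the last allocated sector, and an appended JAR is invisible to the signature check but makes the file larger than the structure implies. The following added example (not code from the original post, and not Sigcheck's own check, which is not documented here) computes that implied length from the FAT and reports the trailing bytes. The compound file it parses is a constructed, minimal v3 file: a 512-byte header, one FAT sector and one empty directory sector, not a real installer. DIFAT sectors beyond the 109 entries in the header are not followed, so it handles files with at most 109 FAT sectors.

```python
import struct

# OLE compound-file (MS-CFB) constants
MSI_MAGIC = bytes.fromhex('d0cf11e0a1b11ae1')
FREESECT = 0xFFFFFFFF
ENDOFCHAIN = 0xFFFFFFFE
FATSECT = 0xFFFFFFFD
HEADER_SIZE = 512
DIFAT_IN_HEADER = 109


def build_fake_cfb():
    # Constructed minimal v3 compound file, not a real installer: sector 0
    # holds the FAT, sector 1 an (empty) directory sector. Only the header
    # fields and FAT entries read by cfb_expected_size() are meaningful.
    sector_shift = 9                                   # 512-byte sectors
    hdr = MSI_MAGIC + bytes(16)                        # signature, CLSID
    hdr += struct.pack('<5H', 0x3E, 3, 0xFFFE, sector_shift, 6)   # minor/major version, byte order, sector and mini sector shift
    hdr += bytes(6)                                    # reserved
    # dir sector count (0 for v3), FAT sector count, first dir sector, transaction signature,
    # mini stream cutoff, first mini FAT sector, mini FAT count, first DIFAT sector, DIFAT count
    hdr += struct.pack('<9L', 0, 1, 1, 0, 4096, ENDOFCHAIN, 0, ENDOFCHAIN, 0)
    hdr += struct.pack('<109L', 0, *([FREESECT] * 108))   # DIFAT: the only FAT sector is sector 0
    assert len(hdr) == HEADER_SIZE
    fat = struct.pack('<128L', FATSECT, ENDOFCHAIN, *([FREESECT] * 126))   # sector 0 = FAT, sector 1 = directory
    directory = bytes(512)
    return hdr + fat + directory


def cfb_expected_size(data):
    # Length implied by the FAT: sector n lives at (n + 1) << sector_shift,
    # so the file should end right after the last allocated sector.
    if len(data) < HEADER_SIZE or not data.startswith(MSI_MAGIC):
        return None
    sector_shift, = struct.unpack_from('<H', data, 30)
    fat_count, = struct.unpack_from('<L', data, 44)
    difat = struct.unpack_from(f'<{DIFAT_IN_HEADER}L', data, 76)
    entries_per_sector = (1 << sector_shift) // 4
    last_used = -1
    for i in range(min(fat_count, DIFAT_IN_HEADER)):   # DIFAT sectors past the header are not followed
        off = (difat[i] + 1) << sector_shift
        fat = struct.unpack_from(f'<{entries_per_sector}L', data, off)
        for j, entry in enumerate(fat):
            if entry != FREESECT:
                last_used = max(last_used, i * entries_per_sector + j)
    if last_used < 0:
        return None
    return (last_used + 2) << sector_shift


def trailing_bytes(data):
    # Number of bytes after the compound file's logical end (the condition
    # behind the 'file is too large' message), or None for non-CFB input.
    expected = cfb_expected_size(data)
    if expected is None:
        return None
    return max(0, len(data) - expected)


if __name__ == '__main__':
    clean = build_fake_cfb()
    glued = clean + bytes(300)          # stand-in for the appended JAR
    print('clean:', trailing_bytes(clean), 'trailing bytes')
    print('glued:', trailing_bytes(glued), 'trailing bytes')
```

For the constructed file the implied length is 1536 bytes (header plus two sectors), so the clean file reports 0 trailing bytes and the glued one reports exactly the appended length. On a real MSI the same arithmetic gives the offset at which the JAR begins, which is the value binwalk printed as 0xc600 for the Ratty sample.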
I suspect that, as malware authors started using this old bug discovered in Aug 2018, Microsoft decided to fix it.\r\n5. Conclusion\r\nWhen I first saw this interesting technique I was puzzled. Hopefully I have explained it in enough detail in this post.\r\nDetection\r\nAn extension that does not match the file header is a good indicator for this technique, and the Yara rule below can be used.\r\nCheck the Sigcheck output for “Signed but the filesize is invalid (the file is too large)” on digitally signed files.\r\nAV may detect the suspicious behaviour of the malicious JAR.\r\nSharing a Yara signature to detect this technique and IoCs below.\r\nUpdate 17 Aug, 2020\r\nMicrosoft fixed CVE-2020-1464 (Windows Spoofing Vulnerability) as malware authors started actively exploiting this old bug, which was discovered in Aug 2018. If you are also interested in a technical analysis of GlueBall (CVE-2020-1464), please check out the excellent article [13] by @TalBeerySec.\r\nBrian Krebs posted an article [14] about CVE-2020-1464 (GlueBall).\r\n6. Yara Signature\r\nrule jar_in_msi\r\n{\r\n    meta:\r\n        description = \"Detect jar appended to MSI\"\r\n        author = \"Securityinbits\"\r\n        date = \"2020-06-14\"\r\n        reference = \"https://twitter.com/Securityinbits/status/1271406138588708866\"\r\n        hash_1 = \"13a4072d8d0eba59712bb4ec251e0593\"\r\n        hash_2 = \"63bed40e369b76379b47818ba912ee43\"\r\n        hash_3 = \"85eb931d0d27179ae7c13085fb050b11\"\r\n    strings:\r\n        // OLE compound-file header, the first 8 bytes of every MSI\r\n        $msi_magic = { D0 CF 11 E0 A1 B1 1A E1 }\r\n        // ZIP local file header (LFH) and end of central directory record (EOCD)\r\n        $s_zip_magic_lfh = { 50 4B 03 04 }\r\n        $s_zip_magic_eocd = { 50 4B 05 06 }\r\n        // JAR manifest name and at least one class file name inside the appended archive\r\n        $s_jar = \"META-INF/MANIFEST.MF\"\r\n        $s_java_class = \".class\"\r\n    condition:\r\n        // MSI header at offset 0, but ZIP structures and JAR names somewhere in the file\r\n        $msi_magic at 0 and filesize \u003e 60KB and all of ($s_*)\r\n}\r\nNote: I haven't checked this Yara signature against a clean set of files, so it may cause false positives.\r\n7. Indicator of Compromise (IOCs)\r\nMD5\r\nRatty\r\n13a4072d8d0eba59712bb4ec251e0593 -\u003e the hash analysed in this post\r\n63bed40e369b76379b47818ba912ee43\r\nfa8118a9fa20a17018cb2f60fd28a5b7\r\n4a3d69c28c4742177d6238bc16486f0d\r\n48a5714147ee85374ab74174a82ab77a\r\nAdwind\r\n85eb931d0d27179ae7c13085fb050b11\r\nThanks to @c_APT_ure for sharing the following hashes related to this technique\r\nRatty\r\n800fbf461f13facf4799e96f5026fd47 shipment.label.jar\r\nf3ea296ad35eec33ea436febd97ff0e2 Shipment-label.jar\r\n80908e5e21c3aff7e8bcaccdbb99e02e 21-04-2020.jar\r\n83aaba8a3cd871441d2c386aaa3ee0e0 TrackingOrder.jar\r\nc50b8615b8d6613f92586224b15bc9ac tracking.update.jar\r\n1eb30fec5a58dc7a6af2c17d7e8327d0 ups-label.jar\r\n85e8e4e814c29ce8779772fca4df64d7 21-05-2020.jar\r\na49c0e0d1ca8a829a8175a3931e5cba1 a49c0e0d1ca8a829a8175a3931e5cba1.jar\r\n4a2d5424f87d1d4cdcd8a9bea81d2e2a shipment.delivery.label.06-03.jar\r\nAdwind (thanks to @c_APT_ure for sharing the hashes)\r\n0559defe2122020a2733fafbd6443fd6 2.jar\r\n7239fb81b1771e2aa38edbe0b68e40d5 CONFIRMATION_SWIFT.pdf.jar\r\n8. References\r\nThanks for reading. Feel free to connect with me on LinkedIn for any suggestions or comments.\r\nSource: https://www.securityinbits.com/malware-analysis/interesting-tactic-by-ratty-adwind-distribution-of-jar-appended-to-signed-msi/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.securityinbits.com/malware-analysis/interesting-tactic-by-ratty-adwind-distribution-of-jar-appended-to-signed-msi/"
	],
	"report_names": [
		"interesting-tactic-by-ratty-adwind-distribution-of-jar-appended-to-signed-msi"
	],
	"threat_actors": [],
	"ts_created_at": 1775434141,
	"ts_updated_at": 1775826756,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/8c6ce5826736058318bad4ebd9fe3081befd08a3.pdf",
		"text": "https://archive.orkl.eu/8c6ce5826736058318bad4ebd9fe3081befd08a3.txt",
		"img": "https://archive.orkl.eu/8c6ce5826736058318bad4ebd9fe3081befd08a3.jpg"
	}
}