
Dr. Credit King Credit Connection


Israel Sukhanov

Binary-Domain.rar


RAR is a proprietary archive file format that supports data compression, error correction and file spanning.[3] It was developed in 1993 by Russian software engineer Eugene Roshal and the software is licensed by win.rar GmbH.[3] The name RAR stands for Roshal Archive.







The filename extensions used by RAR are .rar for the data volume set and .rev for the recovery volume set. Previous versions of RAR split large archives into several smaller files, creating a "multi-volume archive". Numbers were used in the file extensions of the smaller files to keep them in the proper sequence. The first file used the extension .rar, then .r00 for the second, and then .r01, .r02, etc.


One of the executables deployed by the attackers via the PowerShell script consisted of an information stealer that exfiltrates files of specific extensions from the infected endpoint: .doc, .docx, .xls, .rtf, .odt, .txt, .jpg, .jpeg, .pdf, .ps1, .rar, .zip, .7z and .mdb. This is a new infostealer that Gamaredon has not previously used in other campaigns. We suspect it may be a component of Gamaredon's "Giddome" backdoor family, but we are unable to confirm that at this time. The malicious binary keeps track of what has been exfiltrated in a file named "profiles_c.ini" in the "%USERPROFILE%\Appdata\Local" folder. The malware stores the MD5 hash of a string containing the filename, file size and modification date of the exfiltrated file. Once started, the malware scans all attached storage devices looking for files with the aforementioned extensions. For each one, the malware makes a POST request with metadata about the exfiltrated file and its content.


There are many archive formats available, and you can choose the ones that suit you best. Keep in mind that .tar and .tar.gz formats use a similar command (tar) while .zip and .rar archives have their own (zip and rar respectively).


The Java EE specification also defines a special type of JAR file that contains only Enterprise JavaBeans (EJB). This file has a .jar extension but contains a special deployment descriptor and is intended to isolate EJB components from other parts of the enterprise application. The Java EE spec also defines a resource adapter archive, which contains code that bridges an enterprise application to external services, like message queues and databases. These files have a .rar extension.


Resource adapters are configured through the resource-adapters subsystem. Declaring a new resource adapter consists of two separate steps: you would need to deploy the .rar archive and define a resource adapter entry in the subsystem.


Archives (such as .zip or .rar files) are decompressed and scanned to a maximum of 16 levels of recursion. Files compressed above 16 levels of recursion are blocked. A password-protected archive is not scanned as it cannot be decompressed without the password, however, it will be blocked under the antivirus' Protected Archive category. If there is a scanning error or the file is found to be corrupt or otherwise encrypted, Umbrella blocks that as well. Since we have determined already that the domain could contain risky files, we're taking the safest options when scanning files from those domains.


One of the Linux-based malicious archives we retrieved was this file, named virus_de_prost_ce_esti.rar, which translates from the original Romanian to "what a stupid virus you are". The contents of this archive included 11 ELF binaries, 7 text files (containing long lists of IP addresses), and a Python script that executes them in various sequences. The intent of the package was to disrupt game servers, causing them to lag or crash.

