Researchers from the HP Threat Research team have discovered a new stealthy JavaScript loader, dubbed RATDispenser, that is being used to spread a variety of remote access trojans (RATs) in attacks in the wild. The experts pointed out that JavaScript is an uncommon file format for malware, which is one reason it is so poorly detected.
The loader is highly evasive: at the time of the analysis it had a detection rate of only 11% on VirusTotal. HP confirmed that it was used to distribute at least eight RAT families during 2021 (STRRAT, WSHRAT, AdWind, Formbook, Remcos, Panda Stealer, GuLoader, and Ratty). The experts believe that the threat actors behind RATDispenser may be operating a malware-as-a-service model.
“As with most attacks involving JavaScript malware, RATDispenser is used to gain an initial foothold on a system before launching secondary malware that establishes control over the compromised device. Interestingly, our investigation found that RATDispenser is predominantly being used as a dropper (in 94% of samples analyzed), meaning the malware doesn’t communicate over the network to deliver a malicious payload.” reads the report published by HP.
The attack chain starts with a phishing email carrying a JavaScript attachment with a '.TXT.js' double extension, to trick victims into believing they are opening a harmless text file. Because Windows Explorer hides known file extensions by default, such a file is displayed as 'something.TXT', yet double-clicking it runs the script through the Windows Script Host (wscript.exe).
When the victim opens the attachment, the JavaScript decodes itself at runtime and writes a VBScript file to the %TEMP% folder using cmd.exe. The VBScript then downloads and executes the final RAT payload.
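The chain described above leaves two observable traces that a defender can check for: the double-extension attachment name and the process sequence "WSH running a .js, cmd.exe writing a .vbs into %TEMP%, WSH running that .vbs". The following Python is an added example, not HP's script or anything from the report; the log lines it parses are constructed for the example in a simplified key=value format that approximates process-creation telemetry (an assumption, not a real Sysmon or EDR schema), and the extension lists are my own choices.

```python
"""Added example: detection helpers for a JavaScript-loader chain of the
RATDispenser type. Not HP Threat Research code. Log format and sample
events below are constructed for the example."""
import re
from dataclasses import dataclass

# Extensions the Windows Script Host / mshta will execute on double-click.
SCRIPT_EXTS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh", ".hta"}
# Benign-looking extensions used as a decoy in front of the real one.
DECOY_EXTS = {".txt", ".pdf", ".doc", ".docx", ".xls", ".xlsx", ".jpg", ".png"}


def is_double_extension_script(filename: str) -> bool:
    """True for names like 'invoice.TXT.js': a script extension hidden
    behind a decoy one. Case-insensitive, since the sample uses 'TXT'."""
    parts = filename.lower().rsplit(".", 2)
    if len(parts) < 3:
        return False
    _, decoy, real = parts
    return f".{real}" in SCRIPT_EXTS and f".{decoy}" in DECOY_EXTS


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str      # executable file name, lower-cased
    cmdline: str


# Constructed log format (assumption): one process-creation event per line.
LOG_RE = re.compile(r'pid=(\d+) ppid=(\d+) image="([^"]+)" cmdline="(.*)"$')


def parse_events(lines):
    events = []
    for line in lines:
        m = LOG_RE.search(line)
        if m:
            pid, ppid, image, cmd = m.groups()
            name = image.rsplit("\\", 1)[-1].lower()
            events.append(ProcEvent(int(pid), int(ppid), name, cmd))
    return events


WSH = {"wscript.exe", "cscript.exe"}
JS_ARG = re.compile(r"\.jse?\b", re.I)
# A .vbs path under %TEMP%, written either as the variable or expanded.
TEMP_VBS = re.compile(r"(?:%temp%|\\appdata\\local\\temp)\\[\w.-]+\.vbs", re.I)


def find_loader_chains(events):
    """Return (js_pid, cmd_pid, vbs_pid) for every occurrence of:
    WSH running a .js -> child cmd.exe whose command line names a .vbs
    under %TEMP% -> any WSH process later running that same .vbs."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for cmd in events:
        if cmd.image != "cmd.exe":
            continue
        parent = by_pid.get(cmd.ppid)
        if parent is None or parent.image not in WSH or not JS_ARG.search(parent.cmdline):
            continue
        m = TEMP_VBS.search(cmd.cmdline)
        if not m:
            continue
        vbs_name = m.group(0).lower().rsplit("\\", 1)[-1]
        for child in events:
            if child.image in WSH and vbs_name in child.cmdline.lower():
                hits.append((parent.pid, cmd.pid, child.pid))
    return hits


# Constructed sample telemetry: one benign explorer/cmd pair plus the loader chain.
SAMPLE_LOG = [
    r'ts=2021-11-23T10:14:02Z pid=4120 ppid=3300 image="C:\Windows\explorer.exe" cmdline="explorer.exe"',
    r'ts=2021-11-23T10:14:05Z pid=5016 ppid=4120 image="C:\Windows\System32\wscript.exe" cmdline="wscript.exe C:\Users\u\Downloads\invoice.TXT.js"',
    r'ts=2021-11-23T10:14:06Z pid=5100 ppid=5016 image="C:\Windows\System32\cmd.exe" cmdline="cmd.exe /c echo Set o = CreateObject(WScript.Shell) > %TEMP%\xr2.vbs"',
    r'ts=2021-11-23T10:14:07Z pid=5144 ppid=5016 image="C:\Windows\System32\wscript.exe" cmdline="wscript.exe C:\Users\u\AppData\Local\Temp\xr2.vbs"',
    r'ts=2021-11-23T10:15:00Z pid=5200 ppid=4120 image="C:\Windows\System32\cmd.exe" cmdline="cmd.exe /c dir"',
]

if __name__ == "__main__":
    print("double extension:", is_double_extension_script("invoice.TXT.js"))
    for js_pid, cmd_pid, vbs_pid in find_loader_chains(parse_events(SAMPLE_LOG)):
        print(f"loader chain: js={js_pid} cmd={cmd_pid} vbs={vbs_pid}")
```

The filename check is cheap enough to run on every attachment at the mail gateway; the process-chain rule is the one to port to whatever query language your EDR or SIEM uses, keeping the three-step correlation rather than alerting on cmd.exe under wscript.exe alone, which is noisy on hosts that run legitimate logon scripts.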
HP researchers ran a retrohunt over the previous three months with the YARA rule they wrote for the loader and identified 155 RATDispenser samples, belonging to three different variants. The experts also wrote a Python script to recover the final payload from each sample and found that STRRAT and WSHRAT accounted for 81% of the samples analyzed.
HP researchers published a set of hashes, URLs, the YARA rule and the extraction script in the HP Threat Research GitHub repository.
(SecurityAffairs – hacking, RATDispenser)