25 November 2021

New JavaScript loader delivers eight families of RATs

Cybersecurity researchers from HP have discovered an evasive JavaScript loader they dubbed ‘RATDispenser’ that is being used to distribute remote access trojans (RATs) and information stealing malware.

“With an 11% detection rate, RATDispenser appears to be effective at evading security controls and delivering malware,” the researchers said in a report.

The threat research team said they identified eight malware families distributed by this loader during 2021, a mix of remote access trojans and information stealers designed to steal data and give attackers control of victim devices. These include STRRAT and WSHRAT (together accounting for 81% of the analyzed samples), Panda Stealer, GuLoader, and Ratty.

In 94% of the cases analyzed by HP, RATDispenser was used primarily as a dropper rather than a downloader: the payload is carried inside the JavaScript itself, so the loader does not have to communicate over the network to deliver it. That matters for defenders, because a pure dropper leaves no download traffic to catch at the proxy or firewall; the infection has to be spotted on the endpoint.

“The variety in malware families, many of which can be purchased or downloaded freely from underground marketplaces, and the preference of malware operators to drop their payloads, suggest that the authors of RATDispenser may be operating under a malware-as-a-service business model,” the researchers noted.

The infection chain begins with a user receiving an email carrying a malicious attachment: a JavaScript file disguised as a text file. When the user double-clicks it, Windows hands the .js file to Windows Script Host (wscript.exe), the default handler for that extension, and the loader runs.

Once running, the JavaScript decodes itself at runtime and writes a VBScript file to the %TEMP% folder using cmd.exe. That VBScript then stages the malware payload on disk (fetching it over the network only in the minority of downloader variants), and once the payload is in place the VBScript file is deleted.
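The execution chain above (script host runs a .js, the .js spawns cmd.exe to write a .vbs into %TEMP%, a script host then executes that .vbs) is a fairly specific parent/child pattern that endpoint telemetry can catch even when the payload never touches the network. The following detection heuristic is an added example written for this article; it is not HP's code and not a published signature. It runs over constructed process-creation records that imitate Sysmon Event ID 1 fields (ProcessGuid, ParentProcessGuid, Image, CommandLine); the GUIDs, paths, user name and file names in SAMPLE_EVENTS are made up for the illustration, and the double-extension check only covers a handful of common "document" extensions.

```python
"""Detection heuristic for the RATDispenser-style execution chain.

Added example, not HP's code. Records imitate Sysmon Event ID 1 fields;
all GUIDs, paths and names in SAMPLE_EVENTS are constructed for this demo.
"""
import re
from collections import defaultdict

# Stage 1: the .js attachment is executed by Windows Script Host.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
JS_ARG = re.compile(r"(?i)\.jse?\b")
# Stages 2 and 3: a .vbs written to, and later executed from, %TEMP%.
TEMP_VBS = re.compile(r"(?i)(?:%temp%|\\appdata\\local\\temp)\\[^\s\"'>]*\.vbs")
# Stage 0: a JavaScript attachment posing as a text or document file
# (assumed list of decoy extensions; extend for your environment).
DISGUISED_JS = re.compile(r"(?i)\.(?:txt|pdf|docx?|xlsx?|jpe?g|png)\.js$")


def basename(path):
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_disguised_js_attachment(filename):
    """True for names such as invoice.txt.js; False for plain .js or .txt."""
    return bool(DISGUISED_JS.search(filename))


def _temp_vbs(cmdline):
    """Return the %TEMP%\\...vbs path referenced in a command line, or None."""
    m = TEMP_VBS.search(cmdline)
    return m.group(0) if m else None


def _descendants(children, guid):
    """Yield every process in the subtree rooted at the given process."""
    stack = list(children[guid])
    while stack:
        e = stack.pop()
        yield e
        stack.extend(children[e["ProcessGuid"]])


def find_chains(events):
    """Flag script-host processes that reproduce the RATDispenser chain.

    events: process-creation records (dicts) in chronological order.
    One finding per matching .js host process. 'medium' means the .js spawned
    cmd.exe to write a .vbs into %TEMP%; 'high' means a descendant script host
    then executed a .vbs from %TEMP%, the stage where the payload is staged.
    """
    children = defaultdict(list)
    for e in events:
        children[e["ParentProcessGuid"]].append(e)

    findings = []
    for host in events:
        if basename(host["Image"]) not in SCRIPT_HOSTS:
            continue
        if not JS_ARG.search(host["CommandLine"]):
            continue
        dropped = []
        for child in children[host["ProcessGuid"]]:
            if basename(child["Image"]) == "cmd.exe":
                path = _temp_vbs(child["CommandLine"])
                if path:
                    dropped.append(path)
        if not dropped:
            continue
        executed = any(
            basename(d["Image"]) in SCRIPT_HOSTS and _temp_vbs(d["CommandLine"])
            for d in _descendants(children, host["ProcessGuid"])
        )
        findings.append({
            "host": host["ProcessGuid"],
            "script": host["CommandLine"],
            "dropped_vbs": dropped,
            "confidence": "high" if executed else "medium",
        })
    return findings


# Constructed telemetry: one malicious chain (A2 -> A3, A4) and one benign
# login script (B1) that must not fire.
SAMPLE_EVENTS = [
    {"ProcessGuid": "A1", "ParentProcessGuid": "00",
     "Image": r"C:\Windows\explorer.exe", "CommandLine": "explorer.exe"},
    {"ProcessGuid": "A2", "ParentProcessGuid": "A1",
     "Image": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r'"C:\Windows\System32\wscript.exe" "C:\Users\u\Downloads\invoice.txt.js"'},
    {"ProcessGuid": "A3", "ParentProcessGuid": "A2",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c echo WScript.Echo 1 > %TEMP%\o3k2.vbs"},
    {"ProcessGuid": "A4", "ParentProcessGuid": "A2",
     "Image": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r"wscript.exe C:\Users\u\AppData\Local\Temp\o3k2.vbs"},
    {"ProcessGuid": "B1", "ParentProcessGuid": "00",
     "Image": r"C:\Windows\System32\cscript.exe",
     "CommandLine": r"cscript.exe //nologo \\dc01\netlogon\login.vbs"},
]

if __name__ == "__main__":
    for f in find_chains(SAMPLE_EVENTS):
        print(f["confidence"], f["host"], f["dropped_vbs"])
```

The two-tier confidence is deliberate: a .js spawning cmd.exe to write a .vbs is rare enough in most fleets to be worth an alert on its own, while the subsequent execution of that .vbs from %TEMP% is what distinguishes the full loader chain from an admin's one-off script. The benign cscript.exe record shows the logic ignoring a domain login script, because it only keys on script hosts whose argument is a .js/.jse file.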

“Although JavaScript is a less common malware file format than Microsoft Office documents and archives, in many cases it is more poorly detected. From our set of 155 RATDispenser samples, 77 were available on VirusTotal which allowed us to analyze their detection rates,” HP explained.

“Using each sample’s earliest scan result, on average the RATDispenser samples were only detected by 11% of available anti-virus engines, or eight engines in absolute numbers.”

More detailed technical analysis of RATDispenser along with indicators of compromise related to this new threat can be found in HP’s report.
