This new loader has established distribution partnerships with at least eight malware families, with the goal of giving attackers control of target devices.
In 94% of the cases analyzed by the HP Threat Research team, RATDispenser does not communicate with the attacker-controlled server, but is only used as a first-stage malware dropper.
How the infection is transmitted
This text file is highly obfuscated to evade security software, and it deobfuscates itself only when it is launched, which happens when the recipient double-clicks the file.
When launched, the loader writes a VBScript file to the %TEMP% folder, which is then executed to download the malware (RAT) payload.
With these obfuscations, malware has an 89% chance of avoiding detection according to VirusTotal’s scan results.
Using the oldest scan results for each sample, on average, RATDispenser samples were detected by only 11% of the available anti-virus engines, or 8 engines in absolute terms.
But mail gateways can detect loaders if a company has enabled blocking of executable attachments such as .js, .exe, .bat, and .com files.
You can also prevent a chain of infections by changing the default file handler for JS files, allowing only digitally signed scripts to execute, and disabling WSH (Windows Script Host).
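The three host-side mitigations above, as an added PowerShell example that is not part of the original article. It assumes a standard Windows registry layout and an elevated session; the `TrustPolicy` value for signed-only execution is a documented Windows Script Host setting, but check it against your own build before relying on it.

```powershell
# Added example: harden a Windows host against double-clicked JavaScript
# loaders. Run from an elevated PowerShell session.

# 1. Re-associate .js and .jse files with Notepad, so a double-click opens
#    the text instead of handing it to wscript.exe.
foreach ($progId in 'JSFile', 'JSEFile') {
    $cmdKey = "Registry::HKEY_CLASSES_ROOT\$progId\Shell\Open\Command"
    if (Test-Path $cmdKey) {
        Set-ItemProperty -Path $cmdKey -Name '(default)' `
            -Value '"%SystemRoot%\system32\notepad.exe" "%1"' -Type ExpandString
    }
}

# 2. Allow only digitally signed scripts to run under WSH.
#    TrustPolicy: 0 = run everything, 1 = prompt on unsigned, 2 = signed only.
$wshSettings = 'HKLM:\SOFTWARE\Microsoft\Windows Script Host\Settings'
if (-not (Test-Path $wshSettings)) {
    New-Item -Path $wshSettings -Force | Out-Null
}
Set-ItemProperty -Path $wshSettings -Name 'TrustPolicy' -Value 2 -Type DWord

# 3. Disable Windows Script Host entirely (Enabled = 0). This supersedes
#    step 2; only do it where no logon or admin scripts depend on WSH.
Set-ItemProperty -Path $wshSettings -Name 'Enabled' -Value 0 -Type DWord

# Show the resulting WSH settings for verification.
Get-ItemProperty -Path $wshSettings | Select-Object Enabled, TrustPolicy
```

Steps 1 and 2 are the low-impact choices for most environments; step 3 is the strongest control but will break any legitimate .vbs/.js automation on the host.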
HP researchers were able to obtain eight different malware payloads from RATDispenser in the past three months.
The malware families identified are STRRAT, WSHRAT, AdWind, Formbook, Remcos, Panda Stealer, GuLoader, and Ratty.
In 10 out of 155 samples analyzed, the loader establishes C2 communication to obtain the second stage malware, which is a rare case, but the functionality does exist.
In 81% of malware drop cases, RATDispenser distributes STRRAT and WSHRAT (aka “Houdini”), which are powerful credential stealers and keyloggers.
“Panda Stealer” and “Formbook” are the only payloads that are always downloaded instead of dropped.
Overall, RATDispenser seems to work well for distributing both old and new malware, and serves as a versatile loader for threat actors of all skill levels.