A new stealthy JavaScript loader named RATDispenser has been found to be used in phishing attacks to infect devices with a variety of remote access trojans (RATs).
This new loader has established distribution partnerships with at least eight malware families, with the goal of giving attackers control of target devices.
In 94% of the cases analyzed by the HP Threat Research team, RATDispenser does not communicate with the attacker-controlled server, but is only used as a first-stage malware dropper.
This loader uses JavaScript attachments, which have a low detection rate, contrary to the trend of using Microsoft Office documents to drop payloads.
How the infection is transmitted
The infection began with a phishing email containing a malicious JavaScript attachment with a double “.TXT.js” extension. When the recipient saves the file to their computer, it appears as a harmless text file.
This text file is highly obfuscated to avoid detection by security software, and can be decrypted by double-clicking on the file to launch it.
When launched, the loader writes a VBScript file to the %TEMP% folder, which is then executed to download the malware (RAT) payload.
With these obfuscations, malware has an 89% chance of avoiding detection according to VirusTotal’s scan results.
JavaScript is a less common malware file format than Microsoft Office documents and archives, but in many cases it is more difficult to detect. Of RATDispenser’s 155 samples, 77 are listed on VirusTotal and we were able to analyze their detection rates
Using the earliest scan results for each sample, we found that on average, RATDispenser’s samples were detected by 11% of the available anti
Using the oldest scan results for each sample, on average, RATDispenser samples were detected by only 11% of the available anti-virus engines, or 8 engines in absolute terms.
But mail gateways can detect loaders if a company has enabled blocking of executable attachments such as .js, .exe, .bat, and .com files.
You can also prevent a chain of infections by changing the default file handler for JS files, allowing only digitally signed scripts to execute, and disabling WSH (Windows Script Host).
Drop malware
HP researchers were able to obtain eight different malware payloads from RATDispenser in the past three months.
The malware families identified are STRRAT, WSHRAT, AdWind, Formbook, Remcos, Panda Stealer, GuLoader, and Ratty.
In 10 out of 155 samples analyzed, the loader establishes C2 communication to obtain the second stage malware, which is a rare case, but the functionality does exist.
In 81% of malware drop cases, RATDispenser distributes STRRAT and WSHRAT (aka “Houdini”), which are powerful credential stealers and keyloggers.
“Panda Stealer” and “Formbook” are the only payloads that are always downloaded instead of dropped.
Overall, RATDispenser seems to work well for distributing both old and new malware, and serves as a versatile loader for threat actors of all skill levels.
Comments