The evasive malware loader dubbed "RATDispenser" by HP Threat Research is responsible for deploying at least eight different malware families in 2021.
RATDispenser, like most JavaScript malware, is used to gain an initial foothold on a system before launching a secondary malware that then takes control of the compromised device. According to the researchers, RATDispenser is predominantly used as a dropper: the payload is embedded in the script itself, so the malware does not need to communicate over the network to deliver it.
The malware families it delivers can be purchased or downloaded from underground marketplaces, which suggests that the authors of RATDispenser may be operating a malware-as-a-service business model.
How is the RATDispenser JavaScript loader distributing RATs in the wild?
The RATDispenser infection chain begins with an email carrying a malicious attachment: a JavaScript file (.js) masquerading as a normal text file, supposedly containing information about an order.
The user still needs to double-click the file for the malware to run. When it runs, the script decodes itself at runtime and writes a VBScript file to the %TEMP% folder using cmd.exe. The cmd.exe process is passed a long chained argument string, parts of which are written to the new file with the echo command.
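The chain above leaves a recognisable trace in process-creation telemetry: a script host (wscript.exe or cscript.exe) spawns cmd.exe with a chain of echo commands redirected into a .vbs file under %TEMP%, and a script host later runs that file. The following detection logic is an added example written for this article, not code from HP Threat Research; the event field names (modelled on Sysmon event ID 1), the file name hkHJj.vbs and the sample events are all constructed for illustration.

```python
"""Detection logic for the RATDispenser drop chain described above:
a script host (wscript.exe/cscript.exe) spawns cmd.exe, which writes a
VBScript to %TEMP% with chained echo commands, and a script host then
runs that file. Field names and the sample events are constructed for
this example and are not taken from the HP report."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcessEvent:
    """Minimal process-creation record (e.g. from Sysmon event ID 1)."""
    event_id: int
    parent_image: str
    image: str
    command_line: str


SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# One chained segment of the dropper's cmd.exe call: "echo <chunk> >> %TEMP%\<name>.vbs"
ECHO_TO_TEMP_VBS = re.compile(
    r"\becho\b[^&]*>>?\s*(%temp%\\[^\s\"&|>]+\.vbs)", re.IGNORECASE)
# A script host launching a .vbs file that lives in %TEMP%.
TEMP_VBS_ARG = re.compile(r"%temp%\\[^\s\"&|>]+\.vbs", re.IGNORECASE)
# Decoy double extension such as Order.txt.js (the .js masquerading as text).
DOUBLE_EXT = re.compile(
    r"\.(?:txt|pdf|doc|docx|xls|xlsx)\.(?:js|jse|vbs|vbe|wsf)\b", re.IGNORECASE)


def basename(path: str) -> str:
    """Lower-cased file name component of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].strip('"').lower()


def score_event(ev: ProcessEvent) -> list[str]:
    """Return the reasons (possibly none) why this event matches the chain."""
    reasons = []
    parent, image, cmd = basename(ev.parent_image), basename(ev.image), ev.command_line
    if image == "cmd.exe" and parent in SCRIPT_HOSTS:
        reasons.append(f"{parent} spawned cmd.exe")
        targets = ECHO_TO_TEMP_VBS.findall(cmd)
        if targets:
            reasons.append(f"{len(targets)} echo chunk(s) written to {targets[0]}")
    if image in SCRIPT_HOSTS:
        if TEMP_VBS_ARG.search(cmd):
            reasons.append(f"{image} executing VBScript from %TEMP%")
        if DOUBLE_EXT.search(cmd):
            reasons.append(f"{image} executing script with decoy double extension")
    return reasons


def detect(events):
    """Map event_id -> reasons for every event that triggers at least one rule."""
    return {ev.event_id: r for ev in events if (r := score_event(ev))}


# Constructed sample telemetry (not real data); file names are invented.
SAMPLE_EVENTS = [
    ProcessEvent(1, r"C:\Windows\explorer.exe", r"C:\Windows\System32\cmd.exe",
                 r"cmd.exe /c echo done > C:\Users\alice\notes.txt"),
    ProcessEvent(2, r"C:\Windows\System32\wscript.exe", r"C:\Windows\System32\cmd.exe",
                 r'"C:\Windows\System32\cmd.exe" /c echo Set sh = CreateObject("WScript.Shell") '
                 r'>> %TEMP%\hkHJj.vbs & echo sh.Run "notepad.exe", 0 >> %TEMP%\hkHJj.vbs '
                 r"& wscript %TEMP%\hkHJj.vbs"),
    ProcessEvent(3, r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\wscript.exe",
                 r"wscript %TEMP%\hkHJj.vbs"),
    ProcessEvent(4, r"C:\Windows\explorer.exe", r"C:\Windows\System32\wscript.exe",
                 r'"C:\Windows\System32\wscript.exe" "C:\Users\alice\Downloads\Order_4711.txt.js"'),
]

if __name__ == "__main__":
    for event_id, reasons in detect(SAMPLE_EVENTS).items():
        print(event_id, "; ".join(reasons))
```

The benign event 1 (explorer.exe spawning cmd.exe with a single echo) produces no alert; events 2 to 4 each trigger at least one rule. In production the same regexes can be carried over to a SIEM rule, but keep the parent/child pairing: an echo redirect alone is common in legitimate administration, whereas cmd.exe spawned by wscript.exe is not.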
The malware families distributed by RATDispenser include STRRAT and WSHRAT, which together account for 81% of the samples analyzed. STRRAT is a Java RAT first seen in mid-2020 with keylogging and credential-stealing capabilities. WSHRAT, also known as Houdini, is a VBS RAT that appeared in 2013 and has the usual RAT capabilities.
The most interesting of them is Panda Stealer, a new malware family targeting cryptocurrency wallets that was first seen in April 2021. The least common families are GuLoader and Ratty: the latter is an open-source RAT written in Java, and GuLoader is a downloader known for fetching and running various other RATs.
How to mitigate the RATDispenser JavaScript loader?
Although JavaScript malware is a less common file format than malicious Microsoft Office documents, in several cases it is more poorly detected.
Network defenders can prevent infection by blocking executable email attachment file types, such as JavaScript or VBScript, at the email gateway. They can also interrupt execution of the malware by changing the default file handler for JavaScript files so that double-clicking opens them in a text editor instead of running them, by allowing only digitally signed scripts to run, or by disabling Windows Script Host (WSH).
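The gateway-side control is the one that stops the chain before a user can double-click anything. The filter below is an added example written for this article, not a product feature or HP's code: it parses a raw message, walks its attachments and rejects any whose name ends in a Windows Script Host extension, including the "order details" lure with a decoy double extension. The extension lists are this example's own policy, and the sample message and its file names are constructed.

```python
"""Email-gateway attachment filter for the mitigation described above:
reject script attachments (JavaScript, VBScript, WSF) before they reach
the mailbox, including .js files disguised with a decoy double extension
such as Order_4711.txt.js. The sample message is constructed for this
example; the extension lists are this example's own policy, not HP's."""
import email
from email import policy
from email.message import EmailMessage

# Extensions Windows Script Host executes on double-click.
SCRIPT_EXTENSIONS = {"js", "jse", "vbs", "vbe", "wsf", "wsh"}
# Extensions commonly used as the decoy half of a double extension.
DECOY_EXTENSIONS = {"txt", "pdf", "doc", "docx", "xls", "xlsx", "jpg", "png"}


def classify_filename(name: str):
    """Return a block reason for the attachment name, or None if it may pass."""
    # Padding and case tricks ("Order.txt   .JS") must not change the verdict.
    parts = [p.strip() for p in name.strip().lower().split(".")]
    exts = parts[1:]
    if not exts or exts[-1] not in SCRIPT_EXTENSIONS:
        return None
    reason = f"executable script attachment (.{exts[-1]})"
    if len(exts) >= 2 and exts[-2] in DECOY_EXTENSIONS:
        reason += f", disguised with decoy .{exts[-2]} extension"
    return reason


def blocked_attachments(raw_message: bytes):
    """Parse a raw RFC 5322 message and list attachments the gateway should drop."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    blocked = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        reason = classify_filename(name)
        if reason:
            blocked.append((name, reason))
    return blocked


def build_sample_email() -> bytes:
    """Constructed lure: an 'order' mail carrying a .txt.js attachment and a PDF."""
    msg = EmailMessage()
    msg["From"] = "orders@example.test"
    msg["To"] = "accounts@example.test"
    msg["Subject"] = "Order 4711 details"
    msg.set_content("Please see the attached order details.")
    # Harmless placeholder bodies; only the file names matter to the filter.
    msg.add_attachment(b"// placeholder, not a real dropper\n",
                       maintype="text", subtype="plain",
                       filename="Order_4711.txt.js")
    msg.add_attachment(b"%PDF-1.4 placeholder", maintype="application",
                       subtype="pdf", filename="invoice.pdf")
    return msg.as_bytes()


if __name__ == "__main__":
    for name, reason in blocked_attachments(build_sample_email()):
        print(f"BLOCK {name}: {reason}")
```

The decision is made on the attachment's file name rather than its declared Content-Type, because the file name is what Windows uses to pick the handler when the user double-clicks; a .js part labelled text/plain still runs under WSH. A real gateway should apply the same check inside archives, which this example does not do.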