avaScript Loader to Deliver Malware

It is being reported recently by the security experts at HP that threat actors are using JavaScript loader to deliver malware without being detected. 

This new malware has been dubbed as RATDispenser, which is used to infect systems as a dropper, and then it’s deployed as Remote Access Trojans (RAT).

This malware is under active development, as the researchers have discovered around 155 samples of this malware in the wild, and not only that, even it’s claimed that in three different variants, this malware spread.

Through spam emails with malicious attachments, the RATDispenser has been spreading for more than three months. In its operations, RATDispenser uses the classic double extension trick like “filename.txt.js.”

With this stealthy trick, RATDispenser represents itself as text files to trick the user, but the actual tricks remain hidden under the hood; here, once the user opens the file, it runs JavaScript code.

Identified Malware Families

RATDispenser is a stealthy malware that is effective at evading security tools and also efficient in delivering malicious payloads. This stealthy malware has an 11% detection rate, and during 2021 eight malware families were detected that are distributed using this malware.

Here, if the user launches such a file, the RATDispenser malware decodes itself and launches a stand-alone VBScript, which then installs a remote access Trojan on the infected device.

Here we have mentioned below all the eight malware families that were detected:-

  • STRRAT
  • WSHRAT (aka Houdini or Hworm)
  • AdWind (aka AlienSpy or Sockrat)
  • Formbook (aka xLoader)
  • Remcos (aka Socmer)
  • Panda Stealer
  • CloudEyE (aka GuLoader)
  • Ratty

Here, the most interesting thing is that, among the 155 samples, 145 were droppers, and all of them are mostly:-

  • Remote access Trojans (RATs)
  • Keyloggers
  • Information stealers

Here’s what the security analyst Patrick Schläpfer stated:-

“The variety in malware families, many of which can be purchased or downloaded freely from underground marketplaces, and the preference of malware operators to drop their payloads, suggest that the authors of RATDispenser may be operating under a malware-as-a-service business model.”

RATDispenser is a dropper that the threat actors use to install other threats on the compromised system. 

While the loader works differently since a loader is also known as a downloader that doesn’t communicate with the C2 server, which implies that they are less clever, but they are still stealthier.

Moreover, on VirusTotal there are only 77 samples were available among 155 RATDispenser samples, and when analyzed, it’s been discovered that all the anti-virus engines were managed to achieve an 11% detection rate.

You can follow us on LinkedinTwitterFacebook for daily Cybersecurity, and hacking news updates.

Gurubaran is a Security Consultant, Security Editor & Co-Founder of Cyber Security News & GBHackers On Security.