At the time of analysis, HP researchers confirmed that RATDispenser had been used to deliver at least eight RAT families in 2021 (STRRAT, WSHRAT, AdWind, Formbook, Remcos, Panda Stealer, GuLoader, and Ratty). According to the analysts, the threat actors behind RATDispenser may be operating it under a malware-as-a-service model.
In this report we:
- Analyze the infection chain of RATDispenser and suggest opportunities for detecting and blocking the malware
- Describe how RATDispenser is obfuscated
- Discuss the malware families distributed by RATDispenser
- Share a YARA rule and a Python extraction script so that network defenders can detect and analyze this malware
HP researchers used this YARA rule to conduct a retrohunt over the last three months and discovered 155 RATDispenser samples belonging to three different versions. The specialists also created a Python script to recover the final payload, which revealed the following:
- Droppers made up 145 of the 155 samples (94%). Only ten of the samples were downloaders that communicated over the network to retrieve a second-stage payload.
- Eight malware families were distributed as payloads.
- The payloads were remote access Trojans (RATs), keyloggers, and information stealers.
INDICATORS OF COMPROMISE