HP Researchers identified new technique which uses JavaScript as a malicious file format to make it harder to detect. RATDispenser, a new covert JavaScript loader that is being used to distribute a variety of remote access trojans (RATs) in attacks into the wild.

At the time of analysis. HP researchers confirmed that it was used to transmit at least eight RAT families in 2021. (STRRAT, WSHRAT, AdWind, Formbook, Remcos, Panda Stealer, GuLoader, and Ratty). The threat actors behind the RATDispenser, according to analysts, may be using a malware-as-a-service strategy.

HP Researchers reported that “RATDispenser is used to obtain an initial footing on a system before executing secondary malware that gains control over the infected device, as is the case with most JavaScript malware attacks.” Surprisingly, we discovered that RATDispenser is mostly utilised as a dropper (in 94 percent of the samples examined), which means the malware doesn’t communicate over the network to deliver a dangerous payload.”

In this report we:

  • Analyze the infection chain of RATDispenser and suggest detection opportunities for detecting and blocking the malware
  • Describe how RATDispenser is obfuscated
  • Discuss the malware families distributed by RATDispenser
  • Share a YARA rule and a Python extraction script so that network defenders can detect and analyze this malware

HP researchers used this YARA rule to conduct a retrohunt over the last three months and discovered 155 RATDispenser samples belonging to three different versions. The specialists also created a Python script to recover the final payload, which revealed the following:

Droppers made up 145 of the 155 samples (94%). Only ten of the samples were downloaders that communicated over the network in order to download a second stage of malware.
As payloads, eight malware families were distributed.
Remote access Trojans (RATs), keyloggers, and information stealers were all used as payloads.

Finally they concluded that, Despite the fact that JavaScript is a less prevalent malware file format than Microsoft Office documents and files, it is often overlooked. We were able to assess the detection rates of 77 of our 155 RATDispenser samples that were published on VirusTotal. RATDispenser samples were only discovered by 11 percent of available anti-virus engines, or eight engines in absolute numbers, based on the earliest scan result for each sample.

INDICATORS OF COMPROMISE

00853f4f702bf8a3c82edbd1892c19aaa612f03d4541625068c01d0f56d4415b : RatLoader -> Formbook
026b19fdc75b76cd696be8a3447a5d23a944a7f99000e7fae1fa3f6148913ff3 : RatDropper -> STRRAT
0383ab1a08d615632f615aa3c3c49f3b745df5db1fbaba9f9911c1e30aabb0a5 : RatDropper -> WSHRAT
094ddd437277579bf1c6d593ce40012222d8cea094159081cb9d8dc28a928b5a : RatDropper -> AdWind
2f9a0a3e221a74f1829eb643c472c3cc81ddf2dc0bed6eb2795b4f5c0d444bc9 : RatDropper -> RemcosRAT
942224cb4b458681cd9d9566795499929b3cedb7b4e6634c2b24cd1bf233b19a : RatLoader -> Panda Stealer
b42c6b4dd02bc3542a96fffe21c0ab2ae21ddba4fef035a681b5a454607f6e92 : RatDropper -> GuLoader

–-For more Cyber security news in crisp content . Please follow our site via twitter handle @cyberworkx1, Linkedin handle @linkedin

Published by oxytivetech

Leave a Reply

Please log in using one of these methods to post your comment:

Gravatar
WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Cancel

Connecting to %s