The new loader quickly created distribution partnerships with at least eight malware families, all designed to steal information and give hackers control of targeted devices.
In 94% of cases analyzed by the HP Threat Research team, RATDispenser does not communicate with a hacker-controlled server and is used exclusively as a first-level malware dropper.
The JavaScript file is heavily obfuscated to evade scanning by security software and is decoded only when the file is double-clicked and launched.
Once launched, the loader writes a VBScript file to the %TEMP% folder, which is then run to download the malware (RAT) payload.
This layering of obfuscation lets the loader evade detection in 89% of cases, based on VirusTotal scan results.
However, email gateways will catch the loader if the organization has enabled blocking of executable attachments, such as .js, .exe, .bat and .com files.
Other ways to stop the infection chain from unfolding are to change the default file handler for JS files so they no longer execute on double-click, to allow only digitally signed scripts to run, or to disable WSH (Windows Script Host) altogether.
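The two host-side mitigations above (re-pointing script file types away from the script engine and disabling WSH) as an added PowerShell example; this is not code from the article or from HP. It assumes the stock Windows class names (JSFile, JSEFile, VBSFile, VBEFile, WSFFile) and must run from an elevated prompt.

```powershell
# Added example: harden a Windows host against script-based droppers such as RATDispenser.
# Run as Administrator. Class names below are the Windows defaults for script file types.
$ErrorActionPreference = 'Stop'

# 1) Re-point script file types at Notepad so a double-click opens the source
#    instead of executing it through wscript.exe.
$notepad = Join-Path $env:SystemRoot 'System32\notepad.exe'
$scriptClasses = 'JSFile', 'JSEFile', 'VBSFile', 'VBEFile', 'WSFFile'
foreach ($cls in $scriptClasses) {
    $cmdKey = "HKLM:\SOFTWARE\Classes\$cls\Shell\Open\Command"
    if (-not (Test-Path $cmdKey)) { New-Item -Path $cmdKey -Force | Out-Null }
    Set-ItemProperty -Path $cmdKey -Name '(Default)' -Value "`"$notepad`" `"%1`""
}

# 2) Disable Windows Script Host machine-wide. With Enabled=0, wscript.exe and
#    cscript.exe refuse to run any script, including a VBScript stage dropped to %TEMP%.
$wshKey = 'HKLM:\SOFTWARE\Microsoft\Windows Script Host\Settings'
if (-not (Test-Path $wshKey)) { New-Item -Path $wshKey -Force | Out-Null }
Set-ItemProperty -Path $wshKey -Name 'Enabled' -Value 0 -Type DWord

# 3) Read the settings back so the change can be verified (or audited on other hosts).
function Test-ScriptHardening {
    $ok = $true
    foreach ($cls in $scriptClasses) {
        $val = (Get-ItemProperty "HKLM:\SOFTWARE\Classes\$cls\Shell\Open\Command").'(default)'
        if ($val -notlike '*notepad.exe*') { Write-Warning "$cls still opens with: $val"; $ok = $false }
    }
    $wsh = (Get-ItemProperty $wshKey).Enabled
    if ($wsh -ne 0) { Write-Warning 'Windows Script Host is still enabled'; $ok = $false }
    return $ok
}
Test-ScriptHardening
```

Disabling WSH also blocks legitimate logon and administrative scripts, so test the second step against your own automation before rolling it out broadly; the file-association change alone stops the double-click path without affecting scripts launched explicitly by tooling.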
Over the past three months, HP researchers have recovered eight different malware payloads from RATDispenser.
The malware families detected are STRRAT, WSHRAT, AdWind, Formbook, Remcos, Panda Stealer, GuLoader and Ratty.
In 10 of the 155 samples analyzed, the loader included C2 communication to retrieve a second-stage payload, so although this is rare, the functionality is there.
In 81% of cases, RATDispenser delivers STRRAT or WSHRAT (also known as Houdini), two capable credential stealers and keyloggers.
Panda Stealer and Formbook are the only two payloads that are always downloaded from a remote server rather than dropped directly from the loader.
Overall, RATDispenser serves the distribution of both old and new malware, acting as a flexible loader for threat actors of all skill levels.
Source of information: bleepingcomputer.com