New JavaScript malware infects Windows PCs with RATs

A new JavaScript loader called RATDispenser is used to infect devices with a variety of remote access trojans (RATs) in phishing attacks.

The new loader has quickly been adopted by the operators of at least eight malware families, all designed to steal information and give attackers control of the compromised device.

In 94% of the cases analyzed by the HP Threat Research team, RATDispenser does not communicate with an attacker-controlled server at all and acts purely as a first-stage dropper that carries its payload embedded.

In contrast to the prevailing trend of using Microsoft Office documents to deliver payloads, this loader arrives as a JavaScript attachment, a file type that HP found to have low detection rates.

The infection starts with a phishing email carrying a malicious JavaScript attachment whose name ends in the double extension ".TXT.js". Because Windows hides known file extensions by default, a recipient who saves the file will see it as a harmless text file.

This "text file" is heavily obfuscated to evade detection by security software and decodes itself at runtime when the victim double-clicks it.

Once launched, the loader writes a VBScript file to the %TEMP% folder and runs it to retrieve the malware (RAT) payload.

These layers of obfuscation kept the loader from being detected in 89% of cases, based on VirusTotal scan results.

However, email gateways will block the loader if the organization has enabled blocking of executable attachment types such as .js, .exe, .bat and .com files.

Other ways to break the infection chain are to change the default file association for .js files so they no longer open in the Windows script engine, to allow only digitally signed scripts to run, or to disable Windows Script Host (WSH) entirely.
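The two host-side mitigations above (re-pointing .js files away from the script engine and disabling WSH) can be audited and applied with a short PowerShell script. This is an added example, not code from the article or from HP's report; it assumes an elevated session and uses the standard Windows registry locations for the JSFile class and the Windows Script Host settings.

```powershell
# Audit, and optionally apply, hardening against .js loaders such as RATDispenser.
# Without -Apply the script only reports the current state. Run elevated.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [switch]$Apply
)

# Machine-wide JSFile open command (what double-clicking a .js file executes)
$jsOpenCmd   = 'HKLM:\SOFTWARE\Classes\JSFile\Shell\Open\Command'
# Machine-wide Windows Script Host settings; Enabled = 0 disables wscript/cscript
$wshSettings = 'HKLM:\SOFTWARE\Microsoft\Windows Script Host\Settings'

function Get-JsHardeningState {
    # An absent Enabled value means WSH is enabled (the default).
    $enabled = (Get-ItemProperty -Path $wshSettings -Name Enabled -ErrorAction SilentlyContinue).Enabled
    $handler = (Get-ItemProperty -Path $jsOpenCmd -Name '(default)' -ErrorAction SilentlyContinue).'(default)'
    [pscustomobject]@{
        WshDisabled      = ($enabled -eq 0)
        JsHandler        = $handler
        JsOpensInWScript = [bool]($handler -match 'wscript\.exe|cscript\.exe')
    }
}

$state = Get-JsHardeningState
Write-Host "WSH disabled:        $($state.WshDisabled)"
Write-Host "Current .js handler: $($state.JsHandler)"
Write-Host ".js runs in WScript: $($state.JsOpensInWScript)"

if ($Apply) {
    if ($PSCmdlet.ShouldProcess($jsOpenCmd, 'Open .js files in Notepad instead of WScript')) {
        if (-not (Test-Path $jsOpenCmd)) { New-Item -Path $jsOpenCmd -Force | Out-Null }
        # A double-clicked .js attachment now opens as text rather than executing.
        Set-ItemProperty -Path $jsOpenCmd -Name '(default)' -Value '"%SystemRoot%\System32\notepad.exe" "%1"'
    }
    if ($PSCmdlet.ShouldProcess($wshSettings, 'Disable Windows Script Host machine-wide')) {
        if (-not (Test-Path $wshSettings)) { New-Item -Path $wshSettings -Force | Out-Null }
        Set-ItemProperty -Path $wshSettings -Name Enabled -Value 0 -Type DWord
    }
    Write-Host 'State after applying:'
    Get-JsHardeningState | Format-List
}
```

Disabling WSH also stops legitimate logon and admin scripts that rely on wscript.exe or cscript.exe, so inventory those before rolling the change out fleet-wide.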

Over the past three months, HP researchers have recovered eight different malware payloads from RATDispenser.

The malware families detected are STRRAT, WSHRAT, AdWind, Formbook, Remcos, Panda Stealer, GuLoader and Ratty.

In 10 of the 155 samples analyzed, the loader included C2 communication to retrieve a second-stage payload, so although this is rare, the functionality exists.

In 81% of cases, RATDispenser delivers STRRAT or WSHRAT (also known as Houdini), two capable credential stealers and keyloggers.

Panda Stealer and Formbook are the only two payloads that are always downloaded from a remote server rather than dropped from a copy embedded in the loader.

Overall, RATDispenser appears to serve the distribution of both old and new malware, acting as a flexible loader for threat actors of all skill levels.

Teo Ehc