Unusual dropper approach
RATDispenser mail, source: HP Threat Research
The loader for the malware is distributed via spam email as an attachment named New Order.TXT.js. The name was chosen in the hope that the user only sees the .TXT part: with the default setting "Hide extensions for known file types", Windows Explorer drops the trailing .js and shows the file as New Order.TXT, although double-clicking it runs it as a script under the Windows Script Host. The researchers write that RATDispenser appears to be effective at evading security controls, with a detection rate of only 11% among the anti-virus engines that scanned the samples.
The JavaScript loader writes a VBScript file, which is then executed and in turn delivers the malware payload. After the payload has been written and started, the VBScript file deletes itself. In 94% of the examined samples RATDispenser works purely as a dropper for a secondary malware: the payload is carried inside the script, so the malware does not communicate over the network to deliver it. Only the remaining samples fetch their payload from a remote server instead.
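The following is an added example, not code from HP or from this blog, that shows the two points above from the defender's side: what Explorer actually displays for a double-extension name, and a mail-gateway check that flags attachments whose real extension is a Windows Script Host type hidden behind a decoy extension. The EML message, the function names and the extension lists are constructed for the example; only the attachment name New Order.TXT.js comes from the report.

```python
"""Detect disguised script attachments such as "New Order.TXT.js".

Constructed example for illustration; not part of HP's tooling.
"""
from email import message_from_string
from typing import List, Optional, Tuple

# Extensions that the Windows Script Host / mshta executes on double-click.
SCRIPT_EXTENSIONS = {"js", "jse", "vbs", "vbe", "wsf", "wsh", "hta"}
# Extensions a user reads as harmless documents (decoy candidates).
DECOY_EXTENSIONS = {"txt", "pdf", "doc", "docx", "xls", "xlsx", "csv", "jpg", "png"}


def displayed_name(name: str) -> str:
    """Name as Explorer shows it with "Hide extensions for known file types" on.

    The final extension of a registered type is dropped, so "New Order.TXT.js"
    is rendered as "New Order.TXT".
    """
    base, dot, ext = name.rpartition(".")
    if dot and ext.lower() in SCRIPT_EXTENSIONS | DECOY_EXTENSIONS:
        return base
    return name


def suspicious_attachment(name: str) -> Optional[str]:
    """Return a reason string if the name looks like a disguised script, else None.

    Tolerates whitespace padding between the decoy and the real extension
    ("New Order.TXT .js"), a variant used to push the real extension out of view.
    """
    base = name.strip().replace("\\", "/").rsplit("/", 1)[-1]
    parts = [p.strip().lower() for p in base.split(".") if p.strip()]
    if len(parts) < 2:
        return None
    real_ext = parts[-1]
    if real_ext not in SCRIPT_EXTENSIONS:
        return None
    if len(parts) >= 3 and parts[-2] in DECOY_EXTENSIONS:
        return f"decoy .{parts[-2]} extension in front of executable .{real_ext}"
    return f"script attachment (.{real_ext})"


# Constructed message mimicking the lure; the base64 body is a harmless placeholder.
SAMPLE_EML = """\
From: orders@example.invalid
To: victim@example.invalid
Subject: New Order
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please see the attached order.
--b1
Content-Type: application/octet-stream; name="New Order.TXT.js"
Content-Disposition: attachment; filename="New Order.TXT.js"
Content-Transfer-Encoding: base64

dmFyIHggPSAxOw==
--b1--
"""


def scan_message(raw: str) -> List[Tuple[str, str]]:
    """Walk all MIME parts of a raw message and collect flagged attachment names."""
    hits = []
    for part in message_from_string(raw).walk():
        fname = part.get_filename()
        if fname and (reason := suspicious_attachment(fname)):
            hits.append((fname, reason))
    return hits


if __name__ == "__main__":
    for fname, reason in scan_message(SAMPLE_EML):
        print(f"{fname!r} (shown to user as {displayed_name(fname)!r}): {reason}")
```

A gateway rule built on this check should quarantine rather than merely warn, because the decoy extension is precisely what makes the user click; a complementary host-side control is to change the default handler for .js/.vbs from wscript.exe to a text editor so that an accidental double-click opens the file instead of running it.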
Security researchers identified eight malware families distributed via RATDispenser in 2021. All of the payloads delivered were remote access Trojans (RATs) designed to steal information and give attackers control over victims' devices. HP has published further information and YARA rules for detection on GitHub. The details can be read in the linked article. (via)