RATDispenser: JavaScript loader dispenses Remote Access Trojans (RATs) in Windows

Another short addendum concerning security, which came to my attention the other day. Security researchers at HP Threat Research have discovered a loader written in JavaScript that installs Remote Access Trojans (RATs) on Windows systems. The developer now appears to be working with eight malware groups.

Security researchers at HP Threat Research published their findings in the blog post RATDispenser: Stealthy JavaScript Loader Dispensing RATs into the Wild.

Unusual dropper approach

Malware groups are always looking for new ways to spread their malware under the radar of antivirus solutions. While monitoring various systems, HP Threat Research security researchers came across a JavaScript loader they call RATDispenser. The loader's task is to spread remote access Trojans (RATs).

[Image: RATDispenser mail, source: HP Threat Research]

The loader for the malicious program is distributed via spam email as an attachment named New Order.TXT .js. The name was chosen in the hope that the user will only see the .txt extension, because Windows hides the .js extension of the file name. The researchers write that RATDispenser appears to effectively bypass security controls, with a detection rate of 11%.

If the user opens the JavaScript file, the malware is executed. The JavaScript runs under Windows Script Host and decrypts itself at runtime. It then uses the cmd.exe command line processor to write a VBScript file to the %TEMP% folder. To do this, it passes a long, chained argument to the cmd.exe process, parts of which are written to the new file using the echo command.

The VBScript file is then executed, which in turn downloads the malware payload. After the successful download, the malware is executed and the VBScript file is deleted. Thus, in 94% of the examined cases, RATDispenser works only as a dropper for secondary malware. The malware does not communicate over the network to deliver a malicious payload.
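The chain described above (double-extension .js attachment, Windows Script Host starting cmd.exe, echo output redirected into a .vbs file under %TEMP%) can be matched in process-creation telemetry. The following is an added example, not code from this post or from HP; the event field names (modelled on Sysmon Event ID 1), the indicator names and the sample events are assumptions constructed for illustration.

```python
import re

# Windows Script Host binaries that run a double-clicked .js attachment.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# Document-like extension followed by a script extension ("x.TXT .js").
DOUBLE_EXT = re.compile(r"\.(txt|pdf|docx?|xlsx?)\s*\.(js|jse|vbs|wsf)\b", re.I)
# "echo ... > file.vbs" or "echo ... >> file.vbs"; captures the target path.
ECHO_TO_VBS = re.compile(r'\becho\b[^>]*>{1,2}\s*"?([^"&|]+?\.vbs)\b', re.I)
TEMP_PATH = re.compile(r"%temp%|\\appdata\\local\\temp\\", re.I)

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def score_event(ev):
    """Return the indicators matched by one process-creation event."""
    hits = []
    if basename(ev["parent_image"]) not in SCRIPT_HOSTS:
        return hits
    if DOUBLE_EXT.search(ev["parent_command_line"]):
        hits.append("double_extension_script")
    if basename(ev["image"]) == "cmd.exe":
        hits.append("script_host_spawns_cmd")
        targets = ECHO_TO_VBS.findall(ev["command_line"])
        if any(TEMP_PATH.search(t) for t in targets):
            hits.append("echo_writes_vbs_to_temp")
    return hits

def flagged(events):
    """Indexes of events showing the cmd.exe echo-to-%TEMP% VBScript step."""
    return [i for i, ev in enumerate(events)
            if "echo_writes_vbs_to_temp" in score_event(ev)]

# Constructed sample events (not real telemetry); echoed content is inert.
WSH = r"C:\Windows\System32\wscript.exe"
CMD = r"C:\Windows\System32\cmd.exe"
EVENTS = [
    {"parent_image": WSH, "image": CMD,
     "parent_command_line": WSH + r' "C:\Users\u\Downloads\New Order.TXT .js"',
     "command_line": r"cmd.exe /c echo REM part1 > %TEMP%\x.vbs"
                     r" & echo REM part2 >> %TEMP%\x.vbs & wscript %TEMP%\x.vbs"},
    {"parent_image": r"C:\Windows\explorer.exe", "image": CMD,
     "parent_command_line": r"C:\Windows\explorer.exe",
     "command_line": r"cmd.exe /c echo hello > %TEMP%\log.txt"},
    {"parent_image": WSH, "image": CMD,
     "parent_command_line": WSH + r' "C:\Scripts\inventory.js"',
     "command_line": "cmd.exe /c ipconfig /all"},
]
```

The third sample event shows why a script host starting cmd.exe is only a weak signal on its own: legitimate administration scripts do the same, so the example flags an event only when the echo-to-%TEMP% VBScript write is also present.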

Security researchers identified eight malware families in 2021 that are distributed via RATDispenser. All of the malware samples loaded were remote access Trojans (RATs) designed to steal information and give attackers control over victims' devices. HP has put information and YARA rules for detection on GitHub. The details can be read in the linked article.
