JavaScript Loader Dispensing RATs

Not long ago researchers from HP Threat Research Blog reported on newly discovered in the wild RATDispenser. This elusive JavaScript loader distributes information stealers and remote access Trojans (RATs). It successfully avoids security controls while delivering malware.

This RATs Dispenser may operate as a malware-as-a-service business model

The variety of malware families this RATs Dispenser distributes makes one think that here attackers apply malware-as-a-service business model. Many of the distributed malware families potential attackers can buy or download freely from underground marketplaces. And all those payloads were RATs that allowed attackers to gain control over victims’ devices and steal information. In total, researchers identified eight malware families distributed by this RATs Dispenser.

JavaScript Loader Dispensing RATs
Malicious attachment in an email

Usually attackers use JavaScript malware to gain an initial foothold on a system before it launches secondary malware that sets up control over the compromised device. In their report researchers discussed the malware families distributed by this particular RATs Dispenser. They analyzed the infection chain of RATs Dispenser and proposed a variant of detection opportunities to detect and block its work. In addition researchers shared a YARA rule and a Python extraction script for network defenders to be able to detect and analyze this malware.

The team analyzed the 155 malware samples

Of all the 155 malware sample using their script they found:

  • All the payloads were identified as remote access Trojans (RATs), information stealers and keyloggers;
  • 145 of the 155 samples (94%) turned out to be droppers. Only 10 samples were downloaders that means that there will be subsequent communication over the network to download a secondary stage of malware;
  • 8 malware families’ payloads.
  • The infection chain begins with an email that contains malicious attachment. For example one may receive some letter about an order just to check what the order goes about the user clicks on it. And that is when the execution of a file begins. The research team advises network defenders to block executable email attachment file types with a VBScript or JavaScript, for example. The interruption of malware execution can be done by disabling Windows Script Host (WSH) or changing the default file handler for JavaScript files and only allowing digitally signed scripts to run.

    Researchers identified eight distributed malware

    To identify which types of malware this RATs Dispenser distributes the researchers wrote a signature to track its sightings. Among the various malware it delivered Formbook, information stealer and a keylogger. Other types included Remcos,STRRAT, WSHRAT, Panda Stealer, AdWind, GuLoader and Ratty. From them the most frequently observed were STRRAT and WSHRAT accounting for 81% of the samples analyzed. In contrast the least frequently observed researchers name Ratty and GuLoader.

    Some malware RATs Dispenser only downloaded like Formbook and Panda Stealer while others mostly it dropped. Additionally researchers provided a few words on some of the distributed malware. They wrote that STRRAT is a Java RAT that has remote access, keylogging and credential stealing features and specialists detected it for the first time in mid-2020. WSHRAT, which also goes by the name Houdini, is a VBS RAT first detected in 2013. Both have typical RAT capabilities. To them the most interesting is Panda Stealer. This new malware family appeared in April 2021 and targets cryptocurrency wallets. GuLoader downloads and runs various RATs and Ratty is an open-source RAT written in Java.

    At the end researchers added that although JavaScript is a less common malware file format than Microsoft Office archives and documents, antivirus software poorly detects it. Indeed they analyzed its detection rate and got the results of 11% by antivirus engines, or eight engines.

    About Andrew Nail

    Cybersecurity journalist from Montreal, Canada. Studied communication sciences at Universite de Montreal. I was not sure if a journalist job is what I want to do in my life, but in conjunction with technical sciences, it is exactly what I like to do. My job is to catch the most current trends in the cybersecurity world and help people to deal with malware they have on their PCs.

    Check Also

    Microsoft reports about malware detection in Ukrainian organizations

    Ukrainian organizations under malware attacks

    In their blog Microsoft reports about malware attacks that have recently defaced several Ukrainian government …

    Fraudsters create domains for trading stocks and cryptocurrencies

    Investment domains for trading fake stocks and cryptocurrencies

    At the beginning of 2021 experts from the CERT-GIB center saw a significant rise in …

    Leave a Reply