Researchers discovered a new strain of JavaScript malware that criminals are using to get a foothold on Windows systems and then deploy remote access trojans (RATs).

Dubbed RATDispenser, the malware has been distributed in the wild through email messages carrying malicious file attachments.

These files abuse the classic double-extension trick (for example, filename.txt.js) to pose as text files: with Windows Explorer's default setting of hiding known file extensions, the trailing .js is not shown, yet double-clicking the file hands it to the Windows Script Host, which executes the JavaScript. At run time RATDispenser decodes itself and writes out a self-contained VBScript file, which in turn installs a commodity remote access trojan on the infected device.

The malware has been used to drop at least eight different malware families, mostly remote access trojans and information stealers: STRRAT, WSHRAT, AdWind, Formbook, Remcos, Panda Stealer, GuLoader, and Ratty.

The variety of families, many of which can be bought or downloaded for free on underground marketplaces, together with the fact that different operators are using RATDispenser to deliver their own payloads, suggests that its authors may be running it under a malware-as-a-service business model.

Around 155 samples of this new malware have been discovered, spanning three different versions. RATDispenser is classified as a dropper, a type of malware used to install other threats. Droppers differ from loaders (also known as downloaders) in that they carry the final payload inside their own body and do not need to contact a command-and-control server, which makes them less versatile but slightly stealthier. In practice this means there is no download to spot on the network at delivery time; detection has to happen on the mail gateway or the endpoint, on the attachment itself.

Indicators of Compromise (SHA-256)

  • 026b19fdc75b76cd696be8a3447a5d23a944a7f99000e7fae1fa3f6148913ff3
  • 0383ab1a08d615632f615aa3c3c49f3b745df5db1fbaba9f9911c1e30aabb0a5
  • 094ddd437277579bf1c6d593ce40012222d8cea094159081cb9d8dc28a928b5a
  • 2f9a0a3e221a74f1829eb643c472c3cc81ddf2dc0bed6eb2795b4f5c0d444bc9
  • 942224cb4b458681cd9d9566795499929b3cedb7b4e6634c2b24cd1bf233b19a
  • b42c6b4dd02bc3542a96fffe21c0ab2ae21ddba4fef035a681b5a454607f6e92
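The two tells the article gives, the decoy double extension and the published file hashes, are easy to turn into an attachment-triage check. The following Python is an added example for this page, not code from the research or from the malware. The decoy-extension list and the sample attachment names and contents are assumptions constructed for the demonstration, and the filename rule generalises the .txt.js case to the other extensions that Windows Script Host and mshta.exe execute on double-click.

```python
"""Triage e-mail attachments for the two RATDispenser tells described above."""
import hashlib
from pathlib import PurePosixPath

# SHA-256 hashes copied from the article's Indicators of Compromise list.
RATDISPENSER_SHA256 = {
    "026b19fdc75b76cd696be8a3447a5d23a944a7f99000e7fae1fa3f6148913ff3",
    "0383ab1a08d615632f615aa3c3c49f3b745df5db1fbaba9f9911c1e30aabb0a5",
    "094ddd437277579bf1c6d593ce40012222d8cea094159081cb9d8dc28a928b5a",
    "2f9a0a3e221a74f1829eb643c472c3cc81ddf2dc0bed6eb2795b4f5c0d444bc9",
    "942224cb4b458681cd9d9566795499929b3cedb7b4e6634c2b24cd1bf233b19a",
    "b42c6b4dd02bc3542a96fffe21c0ab2ae21ddba4fef035a681b5a454607f6e92",
}

# Extensions that Windows hands to the Windows Script Host (or mshta.exe for
# .hta) on double-click. Only the final extension matters to Windows, so
# "invoice.txt.js" runs as JavaScript regardless of the ".txt" in the name.
SCRIPT_EXTENSIONS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh", ".hta"}

# Inner "decoy" extensions used for this example (an assumption, not a list
# from the research); extend to taste.
DECOY_EXTENSIONS = {".txt", ".pdf", ".doc", ".docx", ".xls", ".xlsx",
                    ".jpg", ".jpeg", ".png", ".zip"}


def is_double_extension_script(filename: str) -> bool:
    """True for names like decoy.txt.js: final extension is a script type,
    the one before it is a harmless-looking document or image type."""
    # Accept both Windows and POSIX paths; keep only the file name.
    name = filename.replace("\\", "/").rsplit("/", 1)[-1].lower()
    suffixes = PurePosixPath(name).suffixes  # all extensions, e.g. ['.txt', '.js']
    if len(suffixes) < 2:
        return False
    inner, outer = suffixes[-2], suffixes[-1]
    return outer in SCRIPT_EXTENSIONS and inner in DECOY_EXTENSIONS


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def matches_ioc(data: bytes) -> bool:
    """Exact-hash match against the published samples. A single changed byte
    in a new build defeats this, so the filename rule above is the backstop."""
    return sha256_hex(data) in RATDISPENSER_SHA256


def triage(attachments):
    """attachments: iterable of (filename, raw_bytes).
    Returns [(filename, [reasons]), ...] for every attachment that trips a rule."""
    findings = []
    for name, data in attachments:
        reasons = []
        if is_double_extension_script(name):
            reasons.append("double-extension script attachment")
        if matches_ioc(data):
            reasons.append("SHA-256 matches a RATDispenser IOC")
        if reasons:
            findings.append((name, reasons))
    return findings


# Constructed sample attachments for the demonstration; the contents are inert.
SAMPLE_ATTACHMENTS = [
    ("Invoice_2021.txt.js", b"// constructed placeholder, not malware\n"),
    ("notes.txt", b"plain text, nothing to see\n"),
    ("photo.jpg.vbs", b"' constructed placeholder, not malware\r\n"),
    ("archive.tar.gz", b"\x1f\x8b\x08\x00"),
]

if __name__ == "__main__":
    for name, reasons in triage(SAMPLE_ATTACHMENTS):
        print(f"{name}: {', '.join(reasons)}")
```

The hash check only catches the six published samples; the filename rule is what catches the next build. Feed `triage` the (name, bytes) pairs pulled from a mail gateway or a quarantine folder, and treat any "double-extension script attachment" hit as worth blocking on its own.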