
Warning! New RAT and Infostealer Malware Distributed in Phishing Campaign


Security researchers with HP have been tracking a new malicious tool, or rather a bundle of tools used to spread malware and steal information from victim systems.

The initial payload in this new campaign is a file downloader written in JavaScript, which in turn distributes a number of different secondary payloads: remote access trojans and tools for stealing credentials and exfiltrating information. The HP research team has named the threat RATDispenser, after the nature of the secondary payloads used in the attacks.

Researchers found that RATDispenser was used to distribute as many as eight different malware families. This variety also led to speculation that RATDispenser itself may be licensed out to threat actors under a malware-as-a-service scheme.

Before even the JavaScript downloader is introduced to the victim's system, the very first step of the infection chain is a traditional phishing campaign.

Victims receive a fake "product order" email containing what the attackers claim is a text file with details of the order. Opening the supposed text file starts the installation of the downloader. The JavaScript code in the initial payload is obfuscated to help it evade automated defenses.
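One way a mail gateway or sandbox could triage the attachment described above (a script disguised as a text file, with obfuscated body), as an added example that is not part of the article or HP's research; the script extensions, the obfuscation indicators and the sample attachment are assumptions constructed for illustration:

```python
import re
from dataclasses import dataclass, field

# Extensions that Windows Script Host runs directly (assumption: the downloader
# arrives as a script file posing as a text document).
SCRIPT_EXTENSIONS = {"js", "jse", "wsf", "vbs", "vbe", "hta"}

# Constructs common in obfuscated JScript droppers; hypothetical indicator list,
# not taken from HP's report.
OBFUSCATION_PATTERNS = {
    "eval": re.compile(r"\beval\s*\("),
    "fromCharCode": re.compile(r"String\.fromCharCode"),
    "unescape": re.compile(r"\bunescape\s*\("),
    "activex": re.compile(r"new\s+ActiveXObject\s*\(", re.I),
    "long_literal": re.compile(r"[\"'][^\"']{200,}[\"']"),
}

@dataclass
class Verdict:
    filename: str
    suspicious: bool
    reasons: list = field(default_factory=list)

def inspect_attachment(filename: str, content: str, min_hits: int = 2) -> Verdict:
    """Flag an attachment that claims to be a text file but looks like a script.
    Two heuristics: a script extension hidden behind '.txt' in the name, and
    at least `min_hits` obfuscation indicators in the body."""
    reasons = []
    parts = filename.lower().split(".")
    if len(parts) > 2 and parts[-1] in SCRIPT_EXTENSIONS and "txt" in parts[1:-1]:
        reasons.append("double extension: ." + ".".join(parts[1:]))
    elif parts[-1] in SCRIPT_EXTENSIONS:
        reasons.append("script extension: ." + parts[-1])
    hits = [name for name, rx in OBFUSCATION_PATTERNS.items() if rx.search(content)]
    if len(hits) >= min_hits:
        reasons.append("obfuscation indicators: " + ", ".join(hits))
    return Verdict(filename, bool(reasons), reasons)

# Constructed, harmless stand-in for a disguised downloader attachment.
SAMPLE_NAME = "Order_12345.txt.js"
SAMPLE_BODY = (
    "var a = String.fromCharCode(104,116,116,112); var b = unescape('%41%42');\n"
    "eval(a + b);"
)

if __name__ == "__main__":
    print(inspect_attachment(SAMPLE_NAME, SAMPLE_BODY))
```

The filename check alone catches the double-extension trick even when the body is clean, and the body check alone still fires when the sender drops the `.txt` pretence.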

RATDispenser has been found to download and distribute popular remote access trojans such as WSHRAT and STRRAT; those two alone make up the majority of observed payloads.

What is even more worrying is that just 11% of the anti-malware tools used in tests with the new malware managed to detect it. This level of evasion can spell a lot of trouble for potential victims, even if they do have a security suite installed.

Remote access trojans and keylogger or infostealer malware are particularly insidious because they do their best to avoid detection once they reach a victim's system. There is no destructive action, no flashing red ransomware notice, no loss of system stability. This means the bad actors operating these tools can potentially spend a very long time on a host, exfiltrating data, passwords and keystrokes.
