RATDispenser Description

A JavaScript loader named RATDispenser has been used by threat actors to deliver multiple malware families. More specifically, researchers identified eight different families of Remote Access Trojans (RATs) that were delivered via RATDispenser in 2021.

The threat actors use RATDispenser to establish an initial foothold on the compromised system. The loader then launches the next-stage payload, which is tasked with establishing control over the device and siphoning sensitive data from it. Among the RATs observed being dropped by RATDispenser, STRRAT and Houdini (WSH RAT) together accounted for the largest share, around 81%. Both of these malware families are capable of securing remote access to the infected system, running keylogging routines and collecting credentials.

RATDispenser Details

The initial infection vector is a lure email carrying a malicious attachment. A victim may, for example, receive an email claiming to contain information about an order. To access the supposedly important information, the user is directed to the attachment, which is a JavaScript file disguised as an ordinary text file. When the victim double-clicks the file, the malware is executed.

The first action of the JavaScript file is to decode itself at runtime and, using cmd.exe, write a VBScript file into the %TEMP% folder. The newly generated VBScript file is then executed to download the malware payload. Once it has completed this task, the VBScript file is deleted.
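The two-stage chain just described (a JavaScript attachment with a double extension, run by a script host, spawning cmd.exe to write a .vbs into %TEMP%, which cmd.exe then hands to a script host) leaves a recognisable process-creation footprint. The following detection logic is an added example written for this page; it is not code from the original description or from the researchers who analysed RATDispenser. The event field names (parent_image, parent_cmdline, image, cmdline) are assumed to match whatever EDR or Sysmon export is in use, and the sample events are constructed to mirror the behaviour the text describes.

```python
import re

# Windows Script Host binaries that execute .js/.vbs files (real binary names).
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}

# Script extensions that WSH will run; a document-looking extension in front of
# one of them (e.g. order.txt.js) is the "disguised as a text file" pattern.
SCRIPT_EXTS = ("js", "jse", "vbs", "vbe", "wsf")
DISGUISE_RE = re.compile(
    r"\.(txt|pdf|doc|docx|xls|xlsx)\.(" + "|".join(SCRIPT_EXTS) + r")$", re.I
)

# A .vbs path somewhere under a directory named Temp (covers %TEMP% expansions).
TEMP_VBS_RE = re.compile(r"\\temp\\[^\s]+\.vbs\b", re.I)

# Constructed sample telemetry (assumed field names, not a real vendor schema):
# events 0 and 1 are the RATDispenser-style stages, event 2 is benign noise.
SAMPLE_EVENTS = [
    {
        "parent_image": r"C:\Windows\System32\wscript.exe",
        "parent_cmdline": r'"C:\Windows\System32\wscript.exe" C:\Users\alice\Downloads\order_details.txt.js',
        "image": r"C:\Windows\System32\cmd.exe",
        "cmdline": r"cmd.exe /c echo [constructed placeholder] > C:\Users\alice\AppData\Local\Temp\stage2.vbs",
    },
    {
        "parent_image": r"C:\Windows\System32\cmd.exe",
        "parent_cmdline": r"cmd.exe /c [constructed placeholder]",
        "image": r"C:\Windows\System32\wscript.exe",
        "cmdline": r"wscript.exe C:\Users\alice\AppData\Local\Temp\stage2.vbs",
    },
    {
        "parent_image": r"C:\Windows\explorer.exe",
        "parent_cmdline": r"C:\Windows\explorer.exe",
        "image": r"C:\Windows\System32\notepad.exe",
        "cmdline": r"notepad.exe C:\Users\alice\Documents\notes.txt",
    },
]


def basename(path: str) -> str:
    """Lower-cased file name component of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def is_disguised_script(filename: str) -> bool:
    """True for double-extension names such as invoice.txt.js or report.pdf.vbs."""
    return DISGUISE_RE.search(filename) is not None


def flag_event(ev: dict) -> list:
    """Return the list of reasons this process-creation event looks like the loader chain."""
    reasons = []
    parent = basename(ev["parent_image"])
    child = basename(ev["image"])

    # Stage 1: a script host (running the attachment) spawns cmd.exe that writes a .vbs into %TEMP%.
    if parent in SCRIPT_HOSTS and child == "cmd.exe" and TEMP_VBS_RE.search(ev["cmdline"]):
        reasons.append("script host spawned cmd.exe referencing a .vbs in %TEMP%")

    # Stage 2: cmd.exe launches a script host on the freshly written %TEMP% .vbs.
    if parent == "cmd.exe" and child in SCRIPT_HOSTS and TEMP_VBS_RE.search(ev["cmdline"]):
        reasons.append("cmd.exe launched a script host on a .vbs in %TEMP%")

    # Attachment heuristic: any script-host command line naming a double-extension file.
    # Tokenising on whitespace is adequate for the sample; quoted paths with spaces
    # would need a proper Windows command-line parser.
    if child in SCRIPT_HOSTS or parent in SCRIPT_HOSTS:
        for cmdline in (ev["cmdline"], ev["parent_cmdline"]):
            for token in cmdline.split():
                name = token.strip('"')
                if is_disguised_script(name):
                    reasons.append("double-extension script attachment: " + name)
    return reasons


def scan(events: list) -> list:
    """Return (index, reasons) for every event that triggered at least one rule."""
    hits = []
    for i, ev in enumerate(events):
        reasons = flag_event(ev)
        if reasons:
            hits.append((i, reasons))
    return hits


if __name__ == "__main__":
    for idx, why in scan(SAMPLE_EVENTS):
        print(f"event {idx}: " + "; ".join(why))
```

Correlating stage 1 and stage 2 on the same host within a short window (the .vbs path is the join key) gives a higher-confidence alert than either rule alone, and because the loader deletes the VBScript after use, the process-creation record is often the only durable evidence that the %TEMP% file ever existed.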

RATDispenser also features multiple layers of obfuscation. As a result, the threat is particularly difficult to detect, which adds to its effectiveness as a RAT dropper. Appropriate countermeasures must be implemented to stop the attack chain at the earliest possible stage.