A new malware downloader has been identified that is being used to deliver 8 different malware payloads, including several Remote Access Trojans (RATs) and keyloggers. The malware has been named RATDispenser by security researchers at HP Wolf Security, who recently identified and analyzed the malware.
RATDispenser is a stealthy JavaScript-based malware that is primarily being used as a malware dropper to deliver a broad range of payloads, possibly under the malware-as-a-service model. Out of 155 samples analyzed by the researchers, 145 were droppers and 10 were downloaders that communicated over the network to retrieve a secondary stage of the malware.
RATDispenser is being distributed in spam emails that contain a malicious attachment – A JavaScript file with a double extension to make it appear to be a text file (.txt). In one of the emails distributing the malware, the email had the subject line “Product Specification” and related to a fake order placed by the recipient.
JavaScript files are executable files, so simply double clicking on the attachment is all that is required to start the infection process. When the JavaScript file is executed, it decodes itself at runtime and writes a Visual Basic script file to the %TEMP% folder using cmd.exe, with the VBScript file then run which delivers the malware payloads. RATDispenser drops GuLoader, Ratty, Remcos, AdWind, STRRAT, and WSHRAT and downloads the FormBook keylogger and information stealer and the Panda Stealer cryptocurrency stealer.
The malware delivered by RATDispenser can be used to obtain credentials and other sensitive data and gives the attacker backdoor access and full control of infected devices. Once sensitive data has been obtained, the threat actor could sell access to other threat groups, such as ransomware gangs.
The range of malware variants delivered by RATDispenser makes this malware particularly dangerous, made worse by the poor detection rates by many antivirus engines. Email security solutions use antivirus engines to detect malware and malicious files, but only 11% of the 77 antivirus systems on VirusTotal are currently identifying RATDispenser as malicious.
An email security solution such as SpamTitan, which includes dual antivirus engines to detect known malware variants and sandboxing to identify malicious files that pass AV controls, is the best defense against RATDispenser. In addition, SpamTitan users should configure the solution to quarantine all emails that contain executable file attachments such as JavaScript and VBScript files.
If you want to improve your defenses against malware and other email threats, give the TitanHQ team a call to find out more about SpamTitan Email Security. SpamTitan is available on a free trial to allow you to put the product to the test in your own environment and find out for yourself the difference it makes to email security.