According to an analysis by the HP Threat Research team, three different variants of RATDispenser have been detected in the past three months and 155 samples have been intercepted. All but 10 of those samples act as first-stage malware droppers that do not communicate with an attacker-controlled server. The other 10 samples are downloaders that established connections with a C2 server and delivered FormBook malware and Panda Stealer as second-stage payloads. FormBook is a keylogger and information stealer, and Panda Stealer is an information stealer that targets cryptocurrency wallets.
The malware dropper samples delivered a range of RATs and other malware from the AdWind, GuLoader, Ratty, Remcos, STRRAT, and WSHRAT malware families. The HP Threat Research team suggests the developers of RATDispenser may be operating their malware under the malware-as-a-service business model.
The poor detection rates by antivirus engines mean the emails distributing the malware may not be detected by email security gateways. The researchers said that in 89% of cases the malware was able to evade security solutions. There is an easy way to ensure the malware is never delivered: configure email security solutions to block emails containing .js attachments. Although other executable file types are not used in this campaign, it is also recommended to configure your email security solution to block those as well, such as .exe, .com, and .bat files.
As additional protection, the HP Threat Research team recommends changing the default file handler for .js files so that a double-clicked script is opened as text rather than executed, allowing only digitally signed scripts to run, or alternatively disabling the Windows Script Host (WSH) altogether.
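The two host-side mitigations above (re-pointing the script file handler at Notepad and disabling WSH) can be applied with the PowerShell script below, an added example written for this page and not part of the HP report; it also extends the handler change from .js to the other WSH script types (.jse, .vbs, .vbe, .wsf, .wsh). It assumes an elevated prompt and that the host does not depend on WSH for legitimate logon or administration scripts, since Enabled=0 stops those too.

```powershell
# Added example: harden a Windows host against .js attachment droppers.
# Run from an elevated PowerShell prompt; supports -WhatIf to preview changes.
[CmdletBinding(SupportsShouldProcess = $true)]
param()

# ProgIDs that wscript.exe/cscript.exe use for script attachments (page names .js;
# the remaining WSH types are included here by the example author).
$scriptProgIds = @('JSFile', 'JSEFile', 'VBSFile', 'VBEFile', 'WSFFile', 'WSHFile')

# 1. Re-point each script handler at Notepad so a double-clicked script opens as text.
$notepad = Join-Path $env:SystemRoot 'System32\notepad.exe'
New-PSDrive -Name HKCR -PSProvider Registry -Root HKEY_CLASSES_ROOT -ErrorAction SilentlyContinue | Out-Null
foreach ($progId in $scriptProgIds) {
    $cmdKey = "HKCR:\$progId\Shell\Open\Command"
    if (Test-Path $cmdKey) {
        $current = (Get-ItemProperty -Path $cmdKey).'(default)'
        if ($PSCmdlet.ShouldProcess($cmdKey, "Set handler to $notepad (was: $current)")) {
            Set-ItemProperty -Path $cmdKey -Name '(default)' -Value "`"$notepad`" `"%1`""
        }
    }
}

# 2. Disable WSH machine-wide: Enabled = 0 under the WSH Settings key makes
#    wscript.exe and cscript.exe refuse to run any script for every user.
$wshKey = 'HKLM:\SOFTWARE\Microsoft\Windows Script Host\Settings'
if (-not (Test-Path $wshKey)) { New-Item -Path $wshKey -Force | Out-Null }
if ($PSCmdlet.ShouldProcess($wshKey, 'Set Enabled=0')) {
    Set-ItemProperty -Path $wshKey -Name 'Enabled' -Value 0 -Type DWord
}

# 3. Report the resulting state so the change can be verified now and audited later.
[PSCustomObject]@{
    WshEnabled = (Get-ItemProperty -Path $wshKey -Name Enabled -ErrorAction SilentlyContinue).Enabled
    JsHandler  = (Get-ItemProperty -Path 'HKCR:\JSFile\Shell\Open\Command').'(default)'
}
```

The final object is what to check in a fleet audit: WshEnabled should be 0 and JsHandler should point at notepad.exe rather than WScript.exe.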