A new JavaScript malware dubbed RATDispenser is being used to deliver at least 8 different Remote Access Trojans (RATs), information stealers, and keyloggers.
According to an analysis by the HP Threat Research team, three different variants of RATDispenser have been detected in the past 3 months and 155 samples have been intercepted. All but 10 of those samples act as first-stage malware droppers that do not communicate with an attacker-controlled server. The other 10 samples are downloaders that established connections with a C2 server and delivered Formbook malware and the Panda Stealer as second-stage payloads. FormBook is a keylogger and information stealer and Panda Stealer is an information stealer that targets cryptocurrency wallets.
The malware dropper samples delivered a range of RATs and other malware from the AdWind, GuLoader, Ratty, Remcos, STRRAT, and WSHRAT malware families. The HP Threat Research team suggests the developers of RATDispenser may be operating their malware under the malware-as-a-service business model.
JavaScript malware droppers are less common than archives and Microsoft Office files, and they are generally poorly detected by antivirus solutions. RATDispenser has several layers of obfuscation to evade security solutions, and currently few antivirus engines are detecting the malware. The HP Threat Research team said out of the 155 malware samples, 77 were on VirusTotal and only 8 AV engines (11%) identified RATDispenser as malware.
RATDispenser is being delivered via spam emails. The emails intercepted by the HP Threat Research team had a JavaScript attachment with a double extension to make it appear to be a .txt file – New Order.TXT.js. If Windows is configured not to display the extensions of known file types, which it is by default, the file will appear as New Order.TXT. The emails had the subject line “Product Specification” and masqueraded as orders.
While malicious Office files require the user to open the attachment and enable content to allow scripts to run, double-clicking on the JavaScript file is all that is required to launch the malware. When opened, the JavaScript loader will write a VBScript file to the %TEMP% folder, then execute the VBScript, which will deliver the malware payloads. In 81% of cases, RATDispenser delivers the Java-based RAT – STRRAT and WSHRAT, which is a variant of the Houdini worm.
The poor detection rates by antivirus engines mean the emails distributing the malware may not be detected by email security gateways. The researchers said in 89% of cases the malware was able to evade security solutions. There is an easy way to ensure that the malware is not delivered, and that is to configure email security solutions to block emails containing .js files. While other executable files are not used in this campaign, it is also recommended to configure your email security solution to block other executable files such as .exe, .com, and .bat.
As an additional protection, the HP Threat Research team recommends changing the default file handler for JS files and only allowing digitally signed scripts to run, or alternatively disabling the Windows Script Host (WSH).