Malicious JavaScript Loader is a Multi-RAT Dispenser

Researchers are warning of a new JavaScript loader being used to distribute eight Remote Access Trojans (RATs) in information-stealing campaigns.

A team at HP Wolf named the tool “RATDispenser,” and warned that it currently has a detection rate of only 11%.

“As with most attacks involving JavaScript malware, RATDispenser is used to gain an initial foothold on a system before launching secondary malware that establishes control over the compromised device,” explained HP malware analyst Patrick Schläpfer.

“Interestingly, our investigation found that RATDispenser is predominantly being used as a dropper in 94% of samples analyzed, meaning the malware doesn’t communicate over the network to deliver a malicious payload.”

RATDispenser arrives as a malicious attachment in a phishing email. If the user double-clicks it, it runs, at which point the obfuscated JavaScript decodes itself and writes a VBScript file to a temporary folder using cmd.exe.

This VBScript file then downloads the malware payload and, if successful, will subsequently delete itself.
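A defender-side check for the drop chain just described, added here as an example (it is not from the HP Wolf report): it runs over constructed process-creation records and flags a JavaScript host spawning cmd.exe that redirects output into a .vbs under a Temp folder, followed by a script host executing that .vbs. The record field names, process IDs and paths are assumptions, not telemetry from the campaign.

```python
import re

# Constructed sample process-creation records (not real telemetry). They model
# the chain described in the article: a .js attachment run by wscript.exe spawns
# cmd.exe, which writes a .vbs into the user's Temp folder; the .vbs then runs.
SAMPLE_EVENTS = [
    {"pid": 1001, "ppid": 400,  "image": r"C:\Windows\explorer.exe",
     "cmdline": "explorer.exe"},
    {"pid": 1002, "ppid": 1001, "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'wscript.exe "C:\Users\victim\Downloads\invoice_2021.js"'},
    {"pid": 1003, "ppid": 1002, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c echo [omitted script body] > C:\Users\victim\AppData\Local\Temp\upd.vbs"},
    {"pid": 1004, "ppid": 1003, "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r"wscript.exe C:\Users\victim\AppData\Local\Temp\upd.vbs"},
    # Benign noise: an admin running a .vbs from a non-Temp path under cmd.exe.
    {"pid": 2001, "ppid": 400,  "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe"},
    {"pid": 2002, "ppid": 2001, "image": r"C:\Windows\System32\cscript.exe",
     "cmdline": r"cscript.exe C:\Scripts\inventory.vbs"},
]

SCRIPT_HOSTS = ("wscript.exe", "cscript.exe")
# A .vbs path whose parent directory is named Temp or Tmp.
TEMP_VBS = re.compile(r"(?i)\\(?:temp|tmp)\\[^\\\s]+\.vbs\b")
# A .js / .jse argument passed to the script host.
JS_ARG = re.compile(r"(?i)\.jse?\b")

def _name(image):
    """Lower-cased file name of an image path."""
    return image.rsplit("\\", 1)[-1].lower()

def detect_ratdispenser_chain(events):
    """Return (finding, pid) tuples for the two stages: a JS script host whose
    cmd.exe child redirects into a Temp .vbs, then a script host running a Temp .vbs."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        parent = by_pid.get(e["ppid"])
        name = _name(e["image"])
        if (name == "cmd.exe" and parent and _name(parent["image"]) in SCRIPT_HOSTS
                and JS_ARG.search(parent["cmdline"]) and ">" in e["cmdline"]
                and TEMP_VBS.search(e["cmdline"])):
            findings.append(("vbs_dropped_from_js", e["pid"]))
        elif name in SCRIPT_HOSTS and TEMP_VBS.search(e["cmdline"]):
            findings.append(("temp_vbs_executed", e["pid"]))
    return findings

if __name__ == "__main__":
    for finding in detect_ratdispenser_chain(SAMPLE_EVENTS):
        print(finding)
```

The second stage fires on its own as well, so a .vbs executed from Temp without an observed JavaScript parent still surfaces for triage.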

The eight malware families include: keylogger and info-stealer Formbook; Java RAT STRRAT, which has remote access, credential stealing and keylogging features; downloader GuLoader; and an open source Java RAT known as Ratty.

According to Schläpfer,
