A new malware loader is active in the wild, delivering remote access trojans (RATs) and infostealers to its victims. Researchers have named it ‘RATDispenser’, a JavaScript-based loader.
RATDispenser Malware Loader Targets Passwords
As elaborated in a recent blog post, researchers from the HP Threat Research team have identified a new malware loader running active campaigns. Dubbed ‘RATDispenser,’ the loader delivers remote access trojans (RATs) and infostealers as its second-stage payloads.
Briefly, RATDispenser is a JavaScript loader that is heavily obfuscated to evade signature-based detection at email gateways and on endpoints. It currently delivers payloads from roughly eight different malware families, and the ultimate aim of the campaigns is to steal user data, especially account credentials.
RATDispenser acts as the dropper in the attack chain: its job is to “gain an initial foothold” on the target device and then deliver the actual RAT or infostealer.
The threat actors are currently spreading the loader via phishing emails carrying a JavaScript attachment. Double-clicking the file opens it with Windows Script Host, which executes the malware on the target device.
Currently, RATDispenser has a low detection rate among antivirus engines.
Given the variety of families it distributes, the researchers suspect that RATDispenser is primarily offered as malware-as-a-service. In their words:
The variety in malware families, many of which can be purchased or downloaded freely from underground marketplaces, and the preference of malware operators to drop their payloads, suggest that the authors of RATDispenser may be operating under a malware-as-a-service business model.
Preventing RATDispenser Attacks
Since the loader spreads via phishing emails, the first line of defence is user vigilance: verify the sender before trusting a message, and do not open attachments or click embedded links in unexpected emails. A script file (such as a .js attachment) arriving by email is almost never legitimate and should be treated as malicious by default.
For network defenders and administrators, the researchers recommend hardening both the email gateway and the endpoints’ script handling:
Network defenders can prevent infection by blocking executable email attachment file types from passing through their email gateways, for example JavaScript or VBScript. Defenders can also interrupt the execution of the malware by changing the default file handler for JavaScript files, only allowing digitally signed scripts to run, or disabling Windows Script Host (WSH).
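The host-side controls in that list, as an added example that is not HP’s code and not part of the original post: a PowerShell script, run from an elevated prompt, that re-points the default handler for script file types to Notepad, either restricts Windows Script Host (WSH) to digitally signed scripts or disables it outright, and audits the result. The registry paths are the documented WSH settings; the function names are my own. Test in a lab first, because disabling WSH breaks any logon or management scripts that rely on wscript.exe or cscript.exe.

```powershell
# Added example (not HP's code): host-side hardening against JavaScript loaders
# such as RATDispenser. Run from an elevated PowerShell prompt.

$wshSettings = 'HKLM:\SOFTWARE\Microsoft\Windows Script Host\Settings'
# ProgIDs whose Open verb launches WScript.exe when a user double-clicks the file.
$scriptProgIds = 'JSFile', 'JSEFile', 'VBSFile', 'VBEFile', 'WSFFile', 'WSHFile'

function Set-ScriptFileHandler {
    # Re-points the Open verb of each script ProgID to Notepad, so a
    # double-click on "invoice.js" shows text instead of running it.
    param([string[]]$ProgIds = $scriptProgIds)
    foreach ($progId in $ProgIds) {
        $key = "HKLM:\SOFTWARE\Classes\$progId\Shell\Open\Command"
        if (Test-Path $key) {
            Set-ItemProperty -Path $key -Name '(default)' `
                -Value '"%SystemRoot%\System32\notepad.exe" "%1"'
        }
    }
}

function Disable-WindowsScriptHost {
    # Enabled = 0 blocks wscript.exe and cscript.exe machine-wide (strictest option).
    if (-not (Test-Path $wshSettings)) { New-Item -Path $wshSettings -Force | Out-Null }
    Set-ItemProperty -Path $wshSettings -Name 'Enabled' -Value 0 -Type DWord
}

function Set-WshTrustPolicy {
    # Alternative to disabling WSH: TrustPolicy = 2 allows only scripts carrying
    # a valid Authenticode signature. UseWINSAFER must be 0 for TrustPolicy to
    # be honoured; with 1 (the default) WSH defers to Software Restriction Policies.
    if (-not (Test-Path $wshSettings)) { New-Item -Path $wshSettings -Force | Out-Null }
    Set-ItemProperty -Path $wshSettings -Name 'UseWINSAFER' -Value 0 -Type DWord
    Set-ItemProperty -Path $wshSettings -Name 'TrustPolicy' -Value 2 -Type DWord
}

function Get-ScriptHostHardeningState {
    # Audit: returns the current WSH state and the Open command of each script
    # ProgID, so the result can be compared across hosts or fed to a report.
    $wsh = Get-ItemProperty -Path $wshSettings -ErrorAction SilentlyContinue
    [pscustomobject]@{
        WshEnabled  = if ($null -eq $wsh.Enabled) { 1 } else { $wsh.Enabled }  # absent value means enabled
        TrustPolicy = $wsh.TrustPolicy
        Handlers    = @(foreach ($progId in $scriptProgIds) {
            $key = "HKLM:\SOFTWARE\Classes\$progId\Shell\Open\Command"
            [pscustomobject]@{
                ProgId  = $progId
                Command = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).'(default)'
            }
        })
    }
}

# Usage: pick ONE of the two WSH options, then verify.
Set-ScriptFileHandler
Set-WshTrustPolicy            # or: Disable-WindowsScriptHost
$state = Get-ScriptHostHardeningState
$state | Format-List
$state.Handlers | Format-Table -AutoSize
```

Changing the file handler stops the casual double-click, but it does not stop a script launched explicitly with `wscript.exe file.js`; the WSH policy (or disabling WSH) is what closes that path. Roll the settings out through Group Policy Preferences rather than by hand so they survive re-imaging, and pair them with the gateway rule in the quote above, since the attachment is far cheaper to stop in transit than on the endpoint.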