2021-11-24

RATDispenser a JavaScript Based Loader

Industry: N/A | Level: Tactical | Source: HP - ThreatResearch

HP Threat Research shared findings on an evasive JavaScript loader it designates "RATDispenser." Its role is to establish initial access and deliver additional malware. Eight families have been observed being dropped by it: RemcosRAT, STRRAT, GuLoader, Ratty, AdWind, Panda Stealer, Formbook, and WSHRAT, with STRRAT and WSHRAT together accounting for 81% of the samples analyzed. Given the variety of payloads, HP suggests the loader is operated under a malware-as-a-service model. The infection chain starts with a malicious email carrying a .js attachment: opening it runs the script under wscript.exe, which uses cmd.exe to write a VBScript to disk; that VBScript then downloads the malware payload and executes it.
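The chain above (wscript.exe running a .js attachment, cmd.exe writing a .vbs, a script host then executing that .vbs from a user-writable directory) is what a detection would key on. The following is an added example of that logic, not Anvilogic's scenario content or HP's code. The process-creation events, the field names, the user-writable path list and the file names are all constructed for illustration; real telemetry (e.g. Sysmon EID 1 or EDR process events) would be mapped onto the same fields.

```python
"""Correlate a RATDispenser-style script chain across process-creation events.

Added, illustrative code. Event schema, paths and rule thresholds are assumptions.
Stage 1: wscript/cscript launched with a .js file on its command line.
Stage 2: cmd.exe, child of the stage-1 process, redirecting output into a .vbs.
Stage 3: wscript/cscript executing that .vbs from a user-writable directory,
         with the stage-1 process somewhere in its ancestry (cmd.exe or the
         loader itself may be the direct parent).
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class ProcEvent:
    host: str
    pid: int
    ppid: int
    image: str      # full path of the new process
    cmdline: str    # command line of the new process


SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# Directories a phished, unprivileged user can write to (assumed list).
USER_WRITABLE = re.compile(r"\\(appdata\\|temp\\|tmp\\|downloads\\|public\\)", re.I)


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_js_loader(ev: ProcEvent) -> bool:
    """Stage 1: a script host started with a .js argument (.txt.js included)."""
    return basename(ev.image) in SCRIPT_HOSTS and re.search(r"\.js\b", ev.cmdline, re.I) is not None


def vbs_written_by_cmd(ev: ProcEvent) -> Optional[str]:
    """Stage 2: cmd.exe redirecting into a .vbs; returns the .vbs basename."""
    if basename(ev.image) != "cmd.exe":
        return None
    m = re.search(r">{1,2}\s*\"?([^\s\"]+\.vbs)\b", ev.cmdline, re.I)
    return basename(m.group(1)) if m else None


def vbs_run_from_user_dir(ev: ProcEvent) -> Optional[str]:
    """Stage 3: a script host executing a .vbs from a user-writable path."""
    if basename(ev.image) not in SCRIPT_HOSTS:
        return None
    m = re.search(r"\"?([^\s\"]+\.vbs)\b", ev.cmdline, re.I)
    if not m or not USER_WRITABLE.search(m.group(1)):
        return None
    return basename(m.group(1))


def detect(events: List[ProcEvent]) -> List[Dict[str, object]]:
    """Return one alert per stage-3 event that links back to stages 1 and 2."""
    by_pid: Dict[Tuple[str, int], ProcEvent] = {(e.host, e.pid): e for e in events}
    children: Dict[Tuple[str, int], List[ProcEvent]] = defaultdict(list)
    for e in events:
        children[(e.host, e.ppid)].append(e)

    alerts = []
    for ev in events:
        vbs = vbs_run_from_user_dir(ev)
        if vbs is None:
            continue
        # Walk up at most three ancestors looking for the .js loader process.
        loader, cur = None, ev
        for _ in range(3):
            cur = by_pid.get((cur.host, cur.ppid))
            if cur is None:
                break
            if is_js_loader(cur):
                loader = cur
                break
        if loader is None:
            continue
        # The cmd.exe that wrote this exact .vbs must be a child of the loader.
        writer = next((c for c in children[(loader.host, loader.pid)]
                       if vbs_written_by_cmd(c) == vbs), None)
        if writer is None:
            continue
        alerts.append({"host": ev.host, "loader_pid": loader.pid,
                       "writer_pid": writer.pid, "runner_pid": ev.pid, "vbs": vbs})
    return alerts


# Constructed sample telemetry (not real logs). hostA is benign admin scripting;
# hostB has cmd.exe launching the .vbs; hostC has the loader launching it directly.
SAMPLE_EVENTS = [
    ProcEvent("hostA", 10, 1, r"C:\Windows\System32\wscript.exe", r"wscript.exe C:\Scripts\inventory.vbs"),
    ProcEvent("hostB", 100, 1, r"C:\Windows\System32\wscript.exe",
              r'wscript.exe "C:\Users\alice\Downloads\Invoice_12345.txt.js"'),
    ProcEvent("hostB", 101, 100, r"C:\Windows\System32\cmd.exe",
              r"cmd.exe /c echo Dim x > C:\Users\alice\AppData\Local\Temp\svc.vbs"),
    ProcEvent("hostB", 102, 101, r"C:\Windows\System32\wscript.exe",
              r"wscript.exe C:\Users\alice\AppData\Local\Temp\svc.vbs"),
    ProcEvent("hostC", 200, 1, r"C:\Windows\System32\wscript.exe",
              r'wscript.exe "C:\Users\bob\Downloads\Order.js"'),
    ProcEvent("hostC", 201, 200, r"C:\Windows\System32\cmd.exe",
              r'cmd.exe /c echo Dim y >> "C:\Users\bob\AppData\Roaming\upd.vbs"'),
    ProcEvent("hostC", 202, 200, r"C:\Windows\System32\cscript.exe",
              r'cscript.exe "C:\Users\bob\AppData\Roaming\upd.vbs"'),
]

if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(a)
```

Requiring all three stages keeps the rule quiet on administrator scripting (hostA) while still firing whether cmd.exe or the loader itself launches the dropped .vbs. In production the loader stage alone (a script host opening a .js from Downloads or a mail client's temp directory) is worth a lower-severity signal of its own, since the page notes the loader is what is shared across all eight payload families.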

  • Anvilogic Scenario: RATDispenser - JavaScript Loader Behaviors
