In Most Cases, the New Malware Is Used Only as a First-stage Malware Dropper.
The new loader quickly formed distribution agreements with at least eight malware families, all of which were developed to steal data and give attackers control over victim machines.
Because Windows hides file extensions by default, if the potential target saves the malicious attachment on their machine, it will appear as a harmless text file.
This "text file" is heavily obfuscated to remain undetected by security products, and it is only decrypted when the user double-clicks it and opens it. When the loader runs, it writes a VBScript file to the TEMP folder, which is then used to download the malware (RAT) payload.
According to VirusTotal scan data, these layers of obfuscation allow the loader to evade detection 89% of the time.
Using each sample’s earliest scan result, on average the RATDispenser samples were only detected by 11% of available anti-virus engines, or eight engines in absolute numbers.
Nevertheless, if an organization blocks executable attachment types such as .js, .exe, .bat and .com files, its email gateways will stop the malware before it reaches a user.
Other ways to break the infection chain are to change the default file handler for JS files so they open in a text editor instead of executing, to permit only digitally signed scripts to run, or to disable Windows Script Host (WSH) altogether.
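The three host-side mitigations above, applied from an elevated PowerShell session, as an added example written for this page (it is not code from the article or from the RATDispenser research). It assumes a default Windows registry layout; the ProgIDs, the WSH `Enabled` and `TrustPolicy` values, and the Explorer `HideFileExt` value are standard Windows settings.

```powershell
#Requires -RunAsAdministrator
# Added example: harden a Windows host against script-based loaders like RATDispenser.

# 1. Show file extensions in Explorer so "invoice.txt.js" no longer looks like a text file.
Set-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced' `
    -Name 'HideFileExt' -Value 0 -Type DWord

# 2. Re-point the default handler for script ProgIDs to Notepad, so a double-click
#    opens the file for viewing instead of running it through wscript.exe.
$notepad = '"%SystemRoot%\system32\notepad.exe" "%1"'
foreach ($progId in 'JSFile', 'JSEFile', 'VBSFile', 'VBEFile', 'WSFFile', 'WSHFile') {
    $cmdKey = "Registry::HKEY_CLASSES_ROOT\$progId\Shell\Open\Command"
    if (Test-Path $cmdKey) {
        Set-ItemProperty -Path $cmdKey -Name '(default)' -Value $notepad -Type ExpandString
    }
}

# 3. Restrict Windows Script Host machine-wide. Choose ONE of the two policies:
#    TrustPolicy = 2 lets wscript/cscript run only digitally signed scripts;
#    Enabled = 0 disables WSH entirely (skip this if the host relies on WSH logon scripts).
$wshKey = 'HKLM:\SOFTWARE\Microsoft\Windows Script Host\Settings'
if (-not (Test-Path $wshKey)) { New-Item -Path $wshKey -Force | Out-Null }
Set-ItemProperty -Path $wshKey -Name 'TrustPolicy' -Value 2 -Type DWord   # signed scripts only
# Set-ItemProperty -Path $wshKey -Name 'Enabled' -Value 0 -Type DWord     # or: disable WSH

# 4. Verify the result: print the active handler for .js/.vbs and the WSH settings.
foreach ($progId in 'JSFile', 'VBSFile') {
    $cmd = (Get-ItemProperty "Registry::HKEY_CLASSES_ROOT\$progId\Shell\Open\Command").'(default)'
    "{0,-8} -> {1}" -f $progId, $cmd
}
Get-ItemProperty -Path $wshKey | Select-Object Enabled, TrustPolicy
```

Note that a per-user "Open with" choice stored under `HKCU:\...\Explorer\FileExts\.js\UserChoice` overrides the HKCR handler, so check that key too on machines where users may have changed associations.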
According to BleepingComputer, in the last three months the researchers were able to recover eight distinct malware payloads from RATDispenser. These malware families are:
- Panda Stealer
STRRAT and WSHRAT (aka "Houdini"), two sophisticated credential stealers and keyloggers, are the payloads RATDispenser delivers in 81% of cases. The only two payloads that are always downloaded rather than dropped are Panda Stealer and Formbook.