RATDispenser Loader

Overview

Threat researchers at HP have published a report on a stealthy JavaScript loader which they call RATDispenser.

In the observed samples, RATDispenser was mostly used as a dropper, meaning the payload is carried inside the script and written to disk without additional network activity, but variants with download capability were also seen. The payloads were all Remote Access Trojans (RATs), used to grant access to malicious actors and steal information.

Impact

The loader was seen distributing eight different malware families.
Payloads are used for remote access, keylogging and credential stealing.

Detection

The initial JavaScript component writes a VBScript file to disk and executes it using cmd.exe.
A detection based on the execution of VBScript files, particularly cmd.exe being launched to run a .vbs file from a script host process, should be able to pick this up.

HP researchers have published a YARA rule for this loader on their GitHub.
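The detection idea above (cmd.exe launched to run a VBScript file by the JavaScript stage), as an added example rather than HP's rule or anything from the report. It assumes process-creation telemetry flattened into Sysmon-style "key=value; key=value" text lines (constructed below), and it assumes the JavaScript attachment runs under Windows Script Host (wscript.exe/cscript.exe), which the mitigations on this page imply but the text does not state outright.

```python
"""Tiered detection for the RATDispenser execution chain.

Added example, not code from the page or from HP. Telemetry format and the
wscript.exe parent are assumptions; the sample events are constructed.
"""
import re

# Windows Script Host binaries assumed to launch the .js attachment.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}

# Constructed process-creation events: one benign shell, one benign explorer
# start, and a RATDispenser-like chain (wscript.exe -> cmd.exe -> .vbs).
SAMPLE_EVENTS = [
    r'ProcessId=4012; Image=C:\Windows\explorer.exe; ParentImage=C:\Windows\System32\userinit.exe; CommandLine=explorer.exe',
    r'ProcessId=5120; Image=C:\Windows\System32\wscript.exe; ParentImage=C:\Windows\explorer.exe; CommandLine="C:\Windows\System32\WScript.exe" "C:\Users\alice\AppData\Local\Temp\Invoice_2021.js"',
    r'ProcessId=5188; Image=C:\Windows\System32\cmd.exe; ParentImage=C:\Windows\System32\wscript.exe; CommandLine=cmd.exe /c C:\Users\alice\AppData\Local\Temp\xs8r1.vbs',
    r'ProcessId=6001; Image=C:\Windows\System32\cmd.exe; ParentImage=C:\Windows\explorer.exe; CommandLine=cmd.exe /c dir',
]


def parse_event(line):
    """Parse one 'key=value; key=value' telemetry line into a dict."""
    fields = {}
    for part in line.split("; "):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    return fields


def basename(path):
    """Lower-cased file name of a Windows path, quotes stripped."""
    return path.rsplit("\\", 1)[-1].strip('"').lower()


def evaluate(event):
    """Return (severity, reason) for one event, or None if nothing matches.

    Tiers: a script host running .js is noisy on its own (low); cmd.exe
    running a .vbs is unusual (medium); both together in a parent/child
    relationship is the chain the page describes (high).
    """
    image = basename(event.get("Image", ""))
    parent = basename(event.get("ParentImage", ""))
    cmdline = event.get("CommandLine", "")
    runs_vbs = re.search(r"\.vbs\b", cmdline, re.I) is not None
    runs_js = re.search(r"\.js\b", cmdline, re.I) is not None
    if image == "cmd.exe" and runs_vbs and parent in SCRIPT_HOSTS:
        return ("high", "script host spawned cmd.exe to run a VBScript file (RATDispenser-style chain)")
    if image == "cmd.exe" and runs_vbs:
        return ("medium", "cmd.exe executing a VBScript file")
    if image in SCRIPT_HOSTS and runs_js:
        return ("low", "Windows Script Host running a .js file")
    return None


def scan(lines):
    """Map ProcessId -> (severity, reason) for every event that matches a tier."""
    findings = {}
    for line in lines:
        event = parse_event(line)
        verdict = evaluate(event)
        if verdict is not None:
            findings[event["ProcessId"]] = verdict
    return findings


if __name__ == "__main__":
    for pid, (severity, reason) in scan(SAMPLE_EVENTS).items():
        print(f"[{severity:6}] pid {pid}: {reason}")
```

The low tier exists only to give analysts context around a high-tier hit; on its own it will fire on any legitimate logon script, so alerting should key on the high tier and treat the others as enrichment.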

Containment, Mitigations & Remediations

To mitigate the threat, the researchers suggest:
– Block executable email attachment file types
– Change the default file handler for JavaScript files
– Allow only digitally-signed scripts to run
– Disable Windows Script Host (WSH)

Indicators of Compromise

  • 00853f4f702bf8a3c82edbd1892c19aaa612f03d4541625068c01d0f56d4415b : RatLoader -> Formbook
  • 026b19fdc75b76cd696be8a3447a5d23a944a7f99000e7fae1fa3f6148913ff3 : RatDropper -> STRRAT
  • 0383ab1a08d615632f615aa3c3c49f3b745df5db1fbaba9f9911c1e30aabb0a5 : RatDropper -> WSHRAT
  • 094ddd437277579bf1c6d593ce40012222d8cea094159081cb9d8dc28a928b5a : RatDropper -> AdWind
  • 2f9a0a3e221a74f1829eb643c472c3cc81ddf2dc0bed6eb2795b4f5c0d444bc9 : RatDropper -> RemcosRAT
  • 942224cb4b458681cd9d9566795499929b3cedb7b4e6634c2b24cd1bf233b19a : RatLoader -> Panda Stealer
  • b42c6b4dd02bc3542a96fffe21c0ab2ae21ddba4fef035a681b5a454607f6e92 : RatDropper -> GuLoader

A full list of hashes is available on GitHub.

URLs:

Panda Stealer
hxxps://paste[.]ee/r/ZnmM9
hxxps://paste[.]ee/r/R1fSl
hxxps://paste[.]ee/r/jeSec
hxxps://paste[.]ee/r/hRcus
hxxps://paste[.]ee/r/O6bFN
hxxps://paste[.]ee/r/Kcxxm

Formbook
hxxp://195[.]133[.]40[.]98/files/new[.]exe
hxxp://185[.]219[.]133[.]122/svc[.]exe
hxxp://185[.]219[.]133[.]122/task[.]exe
hxxp://103[.]141[.]138[.]12/host[.]exe

Threat Landscape

Droppers are often small pieces of code without much engineering behind them. When one gets “burned” or its detection rate increases, it is easy to knock up another one. For this reason they can often be hard for signature-based detections to pick up.

MITRE Methodologies

T1566.001 – Spearphishing Attachment
T1059.007 – Command and Scripting Interpreter (JavaScript)

Further Information

RATDispenser: Stealthy JavaScript Loader Dispensing RATs into the Wild