In the observed activity, RATDispenser was mostly used as a dropper, meaning the malware is installed without additional network activity, but download capabilities were also seen. The payloads were all Remote Access Trojans (RATs), used to grant access to malicious actors and to steal information.
The loader was seen distributing eight different malware families.
Payloads are used for remote access, keylogging and credential stealing.
The initial JS component writes a VBScript file and executes it using cmd.exe.
A detection based on the execution of VB scripts should be able to pick this up.
HP researchers have published a YARA rule that should detect this file on their GitHub.
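The process chain described above (a JavaScript file run by a script host, which writes a VBScript and launches it through cmd.exe) is something endpoint telemetry can catch even when a signature for the dropper itself is missing. The following is an added example, not code from the original report or from HP: it walks Sysmon-style process-creation events (field names ProcessGuid, ParentProcessGuid, Image and CommandLine follow Sysmon Event ID 1) and raises a medium-severity finding for any script-host process running a .vbs file, upgraded to high severity when the parent is cmd.exe and the grandparent is a script host that was itself running a .js file. The sample events are constructed for the example.

```python
"""Added example: flag VBScript execution and the JS -> cmd.exe -> VBScript
chain described for RATDispenser over Sysmon-style process-creation events.
Field names follow Sysmon Event ID 1; the records below are constructed
sample data, not real telemetry."""
import json
import re

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}

# Constructed sample events, one JSON object per line (backslashes JSON-escaped).
# {E1}..{B1} are placeholder GUIDs. The J1 -> C1 -> V1 chain is the dropper
# pattern; C2 -> B1 is an admin running a maintenance script from a shell.
SAMPLE_EVENTS = r"""
{"ProcessGuid":"{E1}","ParentProcessGuid":"{00}","Image":"C:\\Windows\\explorer.exe","CommandLine":"explorer.exe"}
{"ProcessGuid":"{J1}","ParentProcessGuid":"{E1}","Image":"C:\\Windows\\System32\\wscript.exe","CommandLine":"\"C:\\Windows\\System32\\wscript.exe\" C:\\Users\\alice\\Downloads\\invoice.js"}
{"ProcessGuid":"{C1}","ParentProcessGuid":"{J1}","Image":"C:\\Windows\\System32\\cmd.exe","CommandLine":"cmd.exe /c C:\\Users\\alice\\AppData\\Local\\Temp\\stage2.vbs"}
{"ProcessGuid":"{V1}","ParentProcessGuid":"{C1}","Image":"C:\\Windows\\System32\\wscript.exe","CommandLine":"\"C:\\Windows\\System32\\wscript.exe\" C:\\Users\\alice\\AppData\\Local\\Temp\\stage2.vbs"}
{"ProcessGuid":"{C2}","ParentProcessGuid":"{E1}","Image":"C:\\Windows\\System32\\cmd.exe","CommandLine":"cmd.exe"}
{"ProcessGuid":"{B1}","ParentProcessGuid":"{C2}","Image":"C:\\Windows\\System32\\cscript.exe","CommandLine":"cscript.exe C:\\Scripts\\inventory.vbs"}
"""


def parse_events(text):
    """Parse newline-delimited JSON events, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def _basename(path):
    """Lower-cased file name of a Windows (or POSIX) path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _references_script(cmdline, exts):
    """True if the command line names a file ending in one of exts (quoted or bare)."""
    pattern = r"\.(?:%s)(?=[\"'\s]|$)" % "|".join(exts)
    return re.search(pattern, cmdline, re.IGNORECASE) is not None


def find_vbs_executions(events):
    """Return findings for script hosts executing VBScript, rated by ancestry.

    medium: wscript/cscript running a .vbs/.vbe file (the generic detection).
    high:   that process was spawned by cmd.exe whose parent was a script host
            running a .js/.jse file, i.e. the JS -> cmd.exe -> VBScript chain.
    """
    by_guid = {e["ProcessGuid"]: e for e in events}
    findings = []
    for ev in events:
        if _basename(ev["Image"]) not in SCRIPT_HOSTS:
            continue
        if not _references_script(ev["CommandLine"], ("vbs", "vbe")):
            continue
        parent = by_guid.get(ev.get("ParentProcessGuid"))
        grandparent = by_guid.get(parent.get("ParentProcessGuid")) if parent else None
        chain = [_basename(p["Image"]) for p in (grandparent, parent, ev) if p]
        if (parent and _basename(parent["Image"]) == "cmd.exe"
                and grandparent and _basename(grandparent["Image"]) in SCRIPT_HOSTS
                and _references_script(grandparent["CommandLine"], ("js", "jse"))):
            rule, severity = "js_to_vbs_chain", "high"
        else:
            rule, severity = "vbs_execution", "medium"
        findings.append({
            "process_guid": ev["ProcessGuid"],
            "rule": rule,
            "severity": severity,
            "chain": " -> ".join(chain),
            "command_line": ev["CommandLine"],
        })
    return findings


if __name__ == "__main__":
    for f in find_vbs_executions(parse_events(SAMPLE_EVENTS)):
        print(f"[{f['severity']}] {f['rule']}: {f['chain']}  |  {f['command_line']}")
```

Run against the constructed sample, the dropper chain is reported as high severity while the administrator's inventory.vbs is reported only as a generic medium-severity VBScript execution; in a real environment that medium tier is where allow-listing of known script paths or signed scripts would be applied, which is why the mitigations below (signed scripts only, or WSH disabled) remove the problem at the root.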
Containment, Mitigations & Remediations
To mitigate the threat, the researchers suggest:
– Block executable email attachment file types
– Allow only digitally signed scripts to run
– Disable Windows Script Host (WSH)
Indicators of Compromise
- 00853f4f702bf8a3c82edbd1892c19aaa612f03d4541625068c01d0f56d4415b : RatLoader -> Formbook
- 026b19fdc75b76cd696be8a3447a5d23a944a7f99000e7fae1fa3f6148913ff3 : RatDropper -> STRRAT
- 0383ab1a08d615632f615aa3c3c49f3b745df5db1fbaba9f9911c1e30aabb0a5 : RatDropper -> WSHRAT
- 094ddd437277579bf1c6d593ce40012222d8cea094159081cb9d8dc28a928b5a : RatDropper -> AdWind
- 2f9a0a3e221a74f1829eb643c472c3cc81ddf2dc0bed6eb2795b4f5c0d444bc9 : RatDropper -> RemcosRAT
- 942224cb4b458681cd9d9566795499929b3cedb7b4e6634c2b24cd1bf233b19a : RatLoader -> Panda Stealer
- b42c6b4dd02bc3542a96fffe21c0ab2ae21ddba4fef035a681b5a454607f6e92 : RatDropper -> GuLoader
A full list of hashes is available on GitHub.
Droppers are often small pieces of code without much engineering behind them. When one gets “burned” or its detection rate increases, it is easy to put together another one. For this reason they can often be hard for signature-based detections to pick up.