HP Threat Research Blog RATDispenser: Stealthy JavaScript Loader Dispensing RATs into the Wild

November 23, 2021 Category: Threat Research By: Patrick Schläpfer Comments: 0

RATDispenser: Stealthy JavaScript Loader Dispensing RATs into the Wild

Threat actors are always looking for stealthy ways of delivering malware without being detected. In this article, we describe how attackers are using an evasive JavaScript loader, that we call RATDispenser, to distribute remote access Trojans (RATs) and information stealers. With an 11% detection rate, RATDispenser appears to be effective at evading security controls and delivering malware. In total, we identified eight malware families distributed using this malware during 2021. All the payloads were RATs, designed to steal information and give attackers control over victim devices.

As with most attacks involving JavaScript malware, RATDispenser is used to gain an initial foothold on a system before launching secondary malware that establishes control over the compromised device. Interestingly, our investigation found that RATDispenser is predominantly being used as a dropper (in 94% of samples analyzed), meaning the malware doesn’t communicate over the network to deliver a malicious payload. The variety in malware families, many of which can be purchased or downloaded freely from underground marketplaces, and the preference of malware operators to drop their payloads, suggest that the authors of RATDispenser may be operating under a malware-as-a-service business model.

In this report we:

  • Analyze the infection chain of RATDispenser and suggest detection opportunities for detecting and blocking the malware
  • Describe how RATDispenser is obfuscated
  • Discuss the malware families distributed by RATDispenser
  • Share a YARA rule and a Python extraction script so that network defenders can detect and analyze this malware

Infection Chain

Figure 1 – Email delivering RATDispenser as an attachment.

The infection chain begins with a user receiving an email containing a malicious attachment. For example, Figure 1 shows a JavaScript file (.js) masquerading as a text file, supposedly containing information about an order. The user simply needs to double-click the file to run the malware.

Network defenders can prevent infection by blocking executable email attachment file types from passing through their email gateways, for example JavaScript or VBScript. Defenders can also interrupt the execution of the malware by changing the default file handler for JavaScript files, only allowing digitally signed scripts to run, or disabling Windows Script Host (WSH).

When the malware runs, the JavaScript decodes itself at runtime and writes a VBScript file to the %TEMP% folder using cmd.exe. To do this, the cmd.exe process is passed a long, chained argument, parts of which are written to the new file using the echo function.

Figure 2 – Process execution graph showing chained command line argument.

Afterwards, the VBScript file runs, which in turn downloads the malware payload. If it was downloaded successfully, it is executed, and the VBScript file is deleted.

Obfuscation

The initial JavaScript downloader is obfuscated and contains several eval functions. One of the eval calls is a function that returns a long string, which is decoded by another function.

Figure 3 – Snippet from obfuscated JavaScript downloader.

The function that decodes the string is located further down in the script. At first sight it looks complicated, but it is a simple replacement function. First, the passed arguments are stored in a new variable. It is done this way to work correctly with an arbitrary number of arguments. Next, the replacement operation runs on the initial string. The second argument of the replace function in JavaScript is another function which returns the replacement string. In this case, the second argument to this inline function is the capturing group which matches the regular expression {\d+}. Since the capturing group is a decimal number, it is used as an index for the arguments array which is returned as a replacement string. In case of an index out of bounds exception, the function returns the whole matching string, which was most likely implemented to handle mismatches.

Figure 4 – Deobfuscation function using regular expression replacement.

To decode the string shown in Figure 3, three arguments (A, u, F) are passed to the function. The decoded string is Base64 encoded which can simply be decoded to analyze it in more detail. By creating and writing an ActiveX Data Stream Object this sequence is decoded and executed using an eval statement. The newly decoded second stage code looks as follows (Figure 5).

Figure 5 – Decoded JavaScript downloader string.

The most notable part of this sequence are the hex characters stored in a nested array, which is used as another layer of obfuscation. Using an ActiveX object, a shell application instance is created, passing a long, chained argument. By simply adding line breaks after the & characters, we can reformat the command line argument into a readable format.

Figure 6 – Command line arguments passed to cmd.exe.

The first parts of the command line argument are used to write lines to a VBScript file using an echo function. This file is then executed, resulting in a download through an XMLHTTP object. The response to the GET request – the malware payload – is written to a file called YVC.JAR. The VBScript file is then deleted. Afterwards, the cmd.exe process waits 12 seconds, before running the payload.

Malware Payloads

We have seen RATDispenser distribute eight malware families. In the example above, it delivered Formbook, a keylogger and information stealer. To analyze which malware families the loader is spreading, we wrote a signature to track sightings in the wild. Its obfuscation made this task more complicated than usual. The malware splits strings using the replace function, stores them in nested arrays, and interprets and executes commands using eval functions, so it is difficult to find consistent patterns in them. Nevertheless, we wrote a YARA rule (Figure 7) to understand the dispersion of malware families.

rule js_RATDispenser : downloader
{
  meta:
    description = "JavaScript downloader resp. dropper delivering various RATs"
    author = "HP Threat Research @HPSecurity"
    filetype = "JavaScript"
    maltype = "Downloader"
    date = "2021-05-27" 

  strings:
    $a = /{(\d)}/

    $c1 = "/{(\\d+)}/g"
    $c2 = "eval"
    $c3 = "prototype"

    $d1 = "\\x61\\x64\\x6F\\x64\\x62\\x2E"
    $d2 = "\\x43\\x68\\x61\\x72\\x53\\x65\\x74"
    $d3 = "\\x54\\x79\\x70\\x65"

    $e1 = "adodb."
    $e2 = "CharSet"
    $e3 = "Type"

    $f1 = "arguments"
    $f2 = "this.replace"

  condition:
    #a > 50 and all of ($c*) and (any of ($d*) or any of ($e*)) and all of ($f*) and filesize < 2MB
}

Figure 7 – YARA rule to detect RATDispenser.

Running a retrohunt over the last three months with this YARA rule identified 155 RATDispenser samples. Within those samples we noticed three variants. One of the variants we described above. The two other variants are a PowerShell downloader and a dropper which stores the payload as a Base64-encoded string and therefore does not perform any network requests.

We also wrote a Python script that recovers the final payload and identifies the malware family and RATDispenser variant. Analyzing the 155 malware samples with our script found:

  • 145 of the 155 samples (94%) were droppers. Only 10 samples were downloaders that communicate over the network to download a secondary stage of malware
  • 8 malware families delivered as payloads
  • All the payloads were remote access Trojans (RATs), keyloggers and information stealers

Figure 8 – Malware families distributed by RATDispenser.

By far the most frequently observed malware families were STRRAT and WSHRAT, accounting for 81% of the samples we analyzed. First seen in mid-2020, STRRAT is a Java RAT that has remote access, credential stealing and keylogging features. WSHRAT, also known as Houdini, is a VBS RAT first seen in 2013 that also has typical RAT capabilities. Slightly less common were AdWind, Formbook, Remcos and Panda Stealer.

The most interesting among them is Panda Stealer. First seen in April 2021, this is a new malware family that targets cryptocurrency wallets. The Panda Stealer sample we analyzed were all fileless variants that download additional payloads from a text storage site, paste.ee. The least common families were GuLoader and Ratty. GuLoader is a downloader known for downloading and running various RATs, while Ratty is an open-source RAT written in Java.

Figure 9 shows the different variants and the malware families distributed through them. Certain malware families were always downloaded – Panda Stealer and Formbook – rather than dropped. Because this JavaScript malware can operate as a downloader or as a dropper, and distributes RATs exclusively, we refer to it internally as RATDispenser.

 

Figure 9 – Overview of RATDispenser variants and the malware families they delivered.

Detection

Although JavaScript is a less common malware file format than Microsoft Office documents and archives, in many cases it is more poorly detected. From our set of 155 RATDispenser samples, 77 were available on VirusTotal which allowed us to analyze their detection rates. Using each sample’s earliest scan result, on average the RATDispenser samples were only detected by 11% of available anti-virus engines, or eight engines in absolute numbers.

Indicators of Compromise

You can find the full set of hashes, URLs, YARA rule and extraction script in the HP Threat Research GitHub repository.

00853f4f702bf8a3c82edbd1892c19aaa612f03d4541625068c01d0f56d4415b : RatLoader -> Formbook
026b19fdc75b76cd696be8a3447a5d23a944a7f99000e7fae1fa3f6148913ff3 : RatDropper -> STRRAT
0383ab1a08d615632f615aa3c3c49f3b745df5db1fbaba9f9911c1e30aabb0a5 : RatDropper -> WSHRAT
094ddd437277579bf1c6d593ce40012222d8cea094159081cb9d8dc28a928b5a : RatDropper -> AdWind
2f9a0a3e221a74f1829eb643c472c3cc81ddf2dc0bed6eb2795b4f5c0d444bc9 : RatDropper -> RemcosRAT
942224cb4b458681cd9d9566795499929b3cedb7b4e6634c2b24cd1bf233b19a : RatLoader -> Panda Stealer
b42c6b4dd02bc3542a96fffe21c0ab2ae21ddba4fef035a681b5a454607f6e92 : RatDropper -> GuLoader

2021-11-23T13:31:43-08:00November 23rd, 2021|Threat Research|