HP Threat Research Blog

RATDispenser: Stealthy JavaScript Loader Dispensing RATs into the Wild

November 23, 2021 Category: Threat Research By: Patrick Schläpfer

Threat actors are always looking for stealthy ways of delivering malware without being detected. In this article, we describe how attackers are using an evasive JavaScript loader that we call RATDispenser to distribute remote access Trojans (RATs) and information stealers. With an 11% detection rate, RATDispenser appears to be effective at evading security controls and delivering malware. In total, we identified eight malware families distributed by this loader during 2021. All the payloads were RATs, designed to steal information and give attackers control over victim devices.

As with most attacks involving JavaScript malware, RATDispenser is used to gain an initial foothold on a system before launching secondary malware that establishes control over the compromised device. Interestingly, our investigation found that RATDispenser is predominantly used as a dropper (in 94% of the samples analyzed), meaning the payload is carried inside the script itself and the malware does not need to communicate over the network to deliver it. The variety of malware families, many of which can be purchased or downloaded freely from underground marketplaces, and the preference of malware operators for dropping rather than downloading their payloads, suggest that the authors of RATDispenser may be operating under a malware-as-a-service business model.

In this report we:

  • Analyze the infection chain of RATDispenser and suggest opportunities for detecting and blocking the malware
  • Describe how RATDispenser is obfuscated
  • Discuss the malware families distributed by RATDispenser
  • Share a YARA rule and a Python extraction script so that network defenders can detect and analyze this malware

Infection Chain

Figure 1 – Email delivering RATDispenser as an attachment.

The infection chain begins with a user receiving an email containing a malicious attachment. For example, Figure 1 shows a JavaScript file (.js) masquerading as a text file, supposedly containing information about an order. The user simply needs to double-click the file to run the malware.

Network defenders can prevent infection by blocking executable email attachment file types, for example JavaScript (.js) or VBScript (.vbs), at their email gateways; the same check should be applied to the contents of archive attachments, since script files are often wrapped in a ZIP. Defenders can also interrupt the execution of the malware by changing the default file handler for .js files (for example to Notepad, so that a double-click no longer runs the script), by allowing only digitally signed scripts to run (for example through AppLocker or Windows Defender Application Control script rules), or by disabling Windows Script Host (WSH) altogether, which is done by setting the Enabled value under HKLM\SOFTWARE\Microsoft\Windows Script Host\Settings to 0.

When the malware runs, the JavaScript decodes itself at runtime and writes a VBScript file to the %TEMP% folder using cmd.exe. To do this, the cmd.exe process is passed a single long, chained command line in which several echo commands are redirected (> and >>) into the new file, one line of VBScript at a time. A script host (wscript.exe or cscript.exe) spawning cmd.exe with a command line of this shape is unusual on most endpoints and is a good detection opportunity in process creation telemetry.

Figure 2 – Process execution graph showing chained command line argument.

Afterwards, the VBScript file runs and in turn downloads the malware payload. If the download succeeds, the payload is executed and the VBScript file is deleted.
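The detection opportunity described above, worked through as an added example that is not code from the original post: a small check that runs over constructed process-creation events and flags the dropper chain (a script host spawning cmd.exe, which assembles a .vbs in %TEMP% from several chained echo redirections). The event field names (parentImage, image, commandLine) and the sample command lines are assumptions made for this illustration; they are not real RATDispenser telemetry.

```javascript
// Added example, not code from the original post: a detection check over
// constructed process-creation events for the "script host -> cmd.exe ->
// echo ... > %TEMP%\x.vbs" chain. Field names and sample command lines are
// assumed for this illustration, not captured RATDispenser telemetry.

var SCRIPT_HOSTS = ["wscript.exe", "cscript.exe"];

function baseName(path) {
  return (path || "").toLowerCase().split("\\").pop();
}

// Return the .vbs paths that a cmd.exe command line writes to via > or >>,
// de-duplicated, so an analyst knows which dropped file to collect.
function extractDroppedVbsPaths(commandLine) {
  var re = />{1,2}\s*"?([^&|"\s]*\.vbs)/gi;
  var seen = {};
  var out = [];
  var m;
  while ((m = re.exec(commandLine || "")) !== null) {
    var key = m[1].toLowerCase();
    if (!seen[key]) { seen[key] = true; out.push(m[1]); }
  }
  return out;
}

// Heuristic for one event: cmd.exe whose parent is a Windows Script Host
// process, with two or more echo statements chained by "&" into a .vbs file
// under a temp directory. Each condition alone is common on endpoints;
// together they are not, which keeps false positives manageable.
function isSuspiciousDropperChain(ev) {
  if (SCRIPT_HOSTS.indexOf(baseName(ev.parentImage)) === -1) return false;
  if (baseName(ev.image) !== "cmd.exe") return false;
  var cmd = ev.commandLine || "";
  var echoRedirects = (cmd.match(/\becho\b[^&|]*>{1,2}\s*"?[^&|"]*\.vbs/gi) || []).length;
  var tempTarget = /%temp%|\\temp\\|\\tmp\\/i.test(cmd);
  var chained = cmd.indexOf("&") !== -1;
  return echoRedirects >= 2 && tempTarget && chained;
}

// Run the check over a batch of events and return the matches, annotated
// with the dropped file paths for follow-up collection.
function findDropperChains(events) {
  return events.filter(isSuspiciousDropperChain).map(function (ev) {
    return { commandLine: ev.commandLine, droppedFiles: extractDroppedVbsPaths(ev.commandLine) };
  });
}

// Constructed sample events: the first matches the chain, the other two are benign.
var SAMPLE_EVENTS = [
  {
    parentImage: "C:\\Windows\\System32\\wscript.exe",
    image: "C:\\Windows\\System32\\cmd.exe",
    commandLine: 'cmd.exe /c echo Set s = CreateObject("WScript.Shell") > %TEMP%\\o.vbs & ' +
                 'echo s.Run "calc.exe" >> %TEMP%\\o.vbs & %TEMP%\\o.vbs'
  },
  {
    parentImage: "C:\\Windows\\explorer.exe",
    image: "C:\\Windows\\System32\\cmd.exe",
    commandLine: "cmd.exe /c echo build ok > %TEMP%\\build.log"
  },
  {
    parentImage: "C:\\Windows\\System32\\wscript.exe",
    image: "C:\\Windows\\System32\\notepad.exe",
    commandLine: "notepad.exe readme.txt"
  }
];

console.log(JSON.stringify(findDropperChains(SAMPLE_EVENTS), null, 2));
```

The parent-process condition is what carries the signal: plenty of legitimate batch jobs echo into files, but very few are launched by wscript.exe. If your telemetry does not record the parent image, the same rule can be keyed on the hosting script's extension instead, at the cost of more noise.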

Obfuscation

The initial JavaScript downloader is obfuscated and contains several eval calls. One of them evaluates a function that returns a long string, which is then decoded by another function.

Figure 3 – Snippet from obfuscated JavaScript downloader.

The function that decodes the string is located further down in the script. At first sight it looks complicated, but it is a simple replacement function, in effect a format-string routine. First, the arguments passed to the function are copied into a new array; this is done so that the function works with an arbitrary number of arguments. Next, a replace operation runs on the initial string. The second argument of JavaScript's String.prototype.replace is here a callback that returns the replacement text. The callback receives the whole match as its first argument and, as its second, the contents of the capturing group, a decimal number matched by the regular expression {\d+}. That number is used as an index into the arguments array, and the element found there is returned as the replacement. If the index lies outside the array (which in JavaScript does not raise an exception but simply yields undefined), the function returns the whole matched string instead, most likely to cope with placeholders that have no corresponding argument.

Figure 4 – Deobfuscation function using regular expression replacement.

To decode the string shown in Figure 3, three arguments (A, u, F) are passed to the function. The result is itself Base64-encoded and can simply be decoded for further analysis. At runtime the malware performs this decode by writing the string into an ActiveX Data Objects stream (ADODB.Stream), reading the decoded text back and passing it to eval. The newly decoded second stage is shown in Figure 5.
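The two decoding steps above (placeholder replacement, then Base64), carried through as an added example in Node.js rather than code from the original post or the malware sample: the template, the argument values named A, u and F, and the recovered second stage are constructed for this illustration and come from no real sample. Node's Buffer stands in for the ADODB.Stream decode, and the recovered text is returned rather than executed.

```javascript
// Added example, not code from the original post or the malware: a Node.js
// re-implementation of the "{n}" placeholder decoder described above, followed
// by the Base64 step. Template, arguments and payload below are constructed.

// Equivalent of the malware's replacement function: every "{n}" token in the
// template is replaced by the n-th extra argument. JavaScript does not throw on
// an out-of-range array index (args[n] is simply undefined), so the callback
// falls back to returning the matched token unchanged, as the original does.
function formatTemplate(template /*, ...args */) {
  // Copy the variadic arguments into a real array so that any count works.
  var args = Array.prototype.slice.call(arguments, 1);
  return template.replace(/\{(\d+)\}/g, function (match, index) {
    var value = args[Number(index)];
    return typeof value !== "undefined" ? value : match;
  });
}

// Stand-in for the ADODB.Stream decode the malware performs before eval().
// Buffer does the same Base64 decode without ActiveX; this function returns
// the text instead of executing it, which is what an analyst wants.
function decodeBase64Stage(b64) {
  return Buffer.from(b64, "base64").toString("utf8");
}

// Full recovery of the second stage: rebuild the Base64 string from the
// template and its arguments, then decode it.
function recoverSecondStage(template, args) {
  var joined = formatTemplate.apply(null, [template].concat(args));
  return decodeBase64Stage(joined);
}

// Constructed stand-in for the Figure 3 string. The Base64 of the one-line
// second stage WScript.Echo("hi") is "V1NjcmlwdC5FY2hvKCJoaSIp", split into
// three pieces so that only the right argument order rebuilds it.
var OBFUSCATED_TEMPLATE = "{0}{1}{2}";
var A = "V1NjcmlwdC5F";
var u = "Y2hvKCJo";
var F = "aSIp";

console.log(formatTemplate(OBFUSCATED_TEMPLATE, A, u, F));       // V1NjcmlwdC5FY2hvKCJoaSIp
console.log(recoverSecondStage(OBFUSCATED_TEMPLATE, [A, u, F]));  // WScript.Echo("hi")
console.log(formatTemplate("{0}-{5}", "x"));                      // x-{5}: unknown index left as-is
```

When applying this to a real sample, paste the template string and the argument values straight from the script into formatTemplate and inspect the decoded output in a text editor; never replace the console.log with eval, since the second stage is live malware.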