HP Threat Research Blog RATDispenser: Stealthy JavaScript Loader Dispensing RATs into the Wild

November 23, 2021 Category: Threat Research By: Patrick Schläpfer


Threat actors are always looking for stealthy ways of delivering malware without being detected. In this article, we describe how attackers are using an evasive JavaScript loader, which we call RATDispenser, to distribute remote access Trojans (RATs) and information stealers. With an 11% detection rate, RATDispenser appears to be effective at evading security controls and delivering malware. In total, we identified eight malware families distributed using this malware during 2021. All the payloads were RATs, designed to steal information and give attackers control over victim devices.

As with most attacks involving JavaScript malware, RATDispenser is used to gain an initial foothold on a system before launching secondary malware that establishes control over the compromised device. Interestingly, our investigation found that RATDispenser is predominantly being used as a dropper (in 94% of samples analyzed), meaning the malware doesn’t communicate over the network to deliver a malicious payload. The variety in malware families, many of which can be purchased or downloaded freely from underground marketplaces, and the preference of malware operators to drop their payloads, suggest that the authors of RATDispenser may be operating under a malware-as-a-service business model.

In this report we:

  • Analyze the infection chain of RATDispenser and suggest detection opportunities for detecting and blocking the malware
  • Describe how RATDispenser is obfuscated
  • Discuss the malware families distributed by RATDispenser
  • Share a