
RATDispenser evades nine in ten anti-virus engines

Stealth malware deploys key loggers and information stealers


Security researchers have discovered a strain of malware built to slip past anti-virus engines. Dubbed RATDispenser, the software delivers remote access trojans (RATs) and information stealers that can log a victim's keystrokes and harvest cryptocurrency wallet data.


In a report published today, HP Wolf Security revealed that only 11% of the anti-virus engines it tested against detected the JavaScript-based program. It uses several layers of obfuscation to hide its code from signature-based scanning.

RATDispenser arrives as a script attachment to a malicious email. This is typically a JavaScript file named to look like a text file, so that a victim who opens it hands it to Windows Script Host rather than a text editor. Opening the attachment launches the JavaScript, which decodes itself at runtime and then uses cmd.exe to write a VBScript file to the Windows %TEMP% folder, from which the second stage runs.
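The disguise described above works because Windows picks the handler from the last extension, so "invoice.txt.js" is a JScript file no matter what the name suggests. The following PowerShell is an added example, not code from the article or from HP's report: it classifies a set of constructed attachment names the way Windows Script Host would treat them, flagging both plain script attachments and the double-extension trick. The list of script extensions is an assumption covering the common WSH-handled types.

```powershell
# Added example (not from the article or HP Wolf Security): classify mail attachment
# names the way Windows will, so a gateway or triage script can block or quarantine
# anything that would run under Windows Script Host when double-clicked.
# Assumption: these are the extensions handed to wscript.exe/cscript.exe/mshta.exe.
$ScriptExtensions = @('.js', '.jse', '.vbs', '.vbe', '.wsf', '.wsh', '.hta')

function Test-ScriptAttachment {
    param([Parameter(Mandatory)][string]$FileName)

    # Only the LAST extension matters to the shell; "report.txt.js" is JScript.
    $ext = [System.IO.Path]::GetExtension($FileName).ToLowerInvariant()
    $isScript = $ScriptExtensions -contains $ext

    # A second, short, innocuous-looking suffix before the script suffix is the
    # classic "looks like a text file" disguise the article describes.
    $doubleExt = $isScript -and ($FileName -match '\.[A-Za-z0-9]{1,4}\.[A-Za-z0-9]{1,4}$')

    [PSCustomObject]@{
        FileName        = $FileName
        Extension       = $ext
        IsScript        = $isScript
        DoubleExtension = $doubleExt
        Verdict         = if ($doubleExt) { 'block: disguised script' }
                          elseif ($isScript) { 'block: script attachment' }
                          else { 'allow' }
    }
}

function Get-BlockedAttachment {
    # Run the check over a batch of names and return only what should be blocked.
    param([Parameter(Mandatory)][string[]]$FileNames)
    $FileNames | ForEach-Object { Test-ScriptAttachment $_ } | Where-Object IsScript
}

# Constructed sample attachment names, not taken from any real campaign.
$samples = @(
    'invoice.txt.js',     # disguised JScript: block
    'Scan_0412.TXT.JS',   # same trick, upper case: block
    'notes.vbs',          # plain VBScript: block
    'quote.pdf',          # allow
    'readme.txt'          # allow
)

$samples | ForEach-Object { Test-ScriptAttachment $_ } | Format-Table -AutoSize
Get-BlockedAttachment -FileNames $samples | Select-Object FileName, Verdict
```

The check is deliberately name-based because that is exactly the property Explorer uses to choose a handler; it should sit alongside, not replace, content inspection, since an attacker can also ship the script inside an archive or an ISO where the outer name tells you nothing.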

RATDispenser doesn't carry out the attack itself. Instead, it is a delivery system that installs other malware. The dropped script deploys one of eight malware families, all of which are RATs, key loggers, or information stealers. According to the report, four in five of the samples analysed delivered either STRRAT or WSHRAT, RATs written in Java and VBScript respectively.

One of the most notable malware families delivered via the dropper was Panda Stealer. This is a fileless malware strain that targets cryptocurrency wallets, stealing private keys and records of past transactions, according to a separate Trend Micro report. It can also steal credentials from other services including NordVPN, Discord, and Telegram, and takes screenshots of the victim's system.

One step that RATDispenser frequently takes to fly under the radar is to drop, rather than download, its payloads. In 94% of the samples analysed, the program carries the payload embedded within it, decoding it and writing it to disk locally rather than fetching it over the network. With no download to observe, network monitoring software has nothing to spot at this stage.

Despite the malware's effectiveness at evading anti-virus protection, administrators can take several preventative steps, according to HP's researchers. They can block script attachments, including JavaScript and VBScript, at the email gateway, and change the default handler for JavaScript files so that double-clicking one opens it as text instead of running it. They can also prevent unsigned scripts from running and disable Windows Script Host altogether. The company has also published a YARA rule to spot the malware.
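Two of those host-side mitigations, changing the script file handlers and disabling Windows Script Host, are registry changes that can be applied and audited from PowerShell. The block below is an added example and not HP's published guidance or tooling. It assumes the standard WSH file-type names (JSFile, JSEFile, VBSFile, VBEFile, WSFFile) under the Classes hive and the documented Enabled value under the Windows Script Host settings key; run it elevated, and drop -WhatIf once the dry run looks right.

```powershell
# Added example (not from HP Wolf Security or the article): apply and audit two of
# the mitigations above on a Windows host. Requires an elevated PowerShell session.
# Assumptions: the standard WSH file types below and the documented
# "Windows Script Host\Settings\Enabled" switch (0 = scripts refused).
$WshFileTypes = @('JSFile', 'JSEFile', 'VBSFile', 'VBEFile', 'WSFFile')
$WshSettings  = 'HKLM:\SOFTWARE\Microsoft\Windows Script Host\Settings'

function Set-ScriptHandlerToNotepad {
    # After this, double-clicking a .js/.vbs attachment shows its source in Notepad
    # instead of handing it to wscript.exe, which defeats the "disguised as text" lure.
    [CmdletBinding(SupportsShouldProcess)]
    param()
    foreach ($type in $WshFileTypes) {
        $key = "HKLM:\SOFTWARE\Classes\$type\Shell\Open\Command"
        if ($PSCmdlet.ShouldProcess($key, 'Point default handler at notepad.exe')) {
            New-Item -Path $key -Force | Out-Null
            Set-ItemProperty -Path $key -Name '(default)' `
                -Value '"%SystemRoot%\System32\notepad.exe" "%1"'
        }
    }
}

function Disable-WindowsScriptHost {
    # Enabled=0 makes wscript.exe and cscript.exe refuse every script, including
    # the VBScript stage RATDispenser writes to %TEMP%. A per-user override exists
    # under HKCU at the same relative path; harden that too on shared machines.
    [CmdletBinding(SupportsShouldProcess)]
    param()
    if ($PSCmdlet.ShouldProcess($WshSettings, 'Set Enabled=0')) {
        New-Item -Path $WshSettings -Force | Out-Null
        Set-ItemProperty -Path $WshSettings -Name 'Enabled' -Value 0 -Type DWord
    }
}

function Get-WshHardeningState {
    # Audit view: what would a dropped .js or .vbs actually do on this host right now?
    $enabled = (Get-ItemProperty -Path $WshSettings -Name 'Enabled' `
                -ErrorAction SilentlyContinue).Enabled
    foreach ($type in $WshFileTypes) {
        $cmd = (Get-ItemProperty -Path "HKLM:\SOFTWARE\Classes\$type\Shell\Open\Command" `
                -ErrorAction SilentlyContinue).'(default)'
        [PSCustomObject]@{
            FileType    = $type
            OpenCommand = $cmd
            RunsViaWsh  = [bool]($cmd -match 'wscript|cscript')
            WshEnabled  = if ($null -eq $enabled) { 'not set (defaults to on)' } else { $enabled }
        }
    }
}

Get-WshHardeningState | Format-Table -AutoSize   # state before changes
Set-ScriptHandlerToNotepad -WhatIf               # dry run; remove -WhatIf to apply
Disable-WindowsScriptHost -WhatIf
Get-WshHardeningState | Format-Table -AutoSize   # re-run after applying to confirm
```

Disabling WSH outright will also break any legitimate logon or maintenance scripts that rely on wscript.exe or cscript.exe, so audit for those first; where they must stay, the handler change alone still removes the double-click path the lure depends on. The "unsigned scripts" part of HP's advice is a separate control (AppLocker or WDAC rules on script files) and is not covered by this block.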
