RATDispenser evades nine in ten anti-virus engines

Stealth malware deploys key loggers and information stealers

Security researchers have discovered a strain of malware tailored to avoid detection by anti-virus engines. Dubbed RATDispenser, the software delivers remote access trojans (RATs) and information stealers that can log a victim's keystrokes and even steal cryptocurrency information. 

In a report published today, HP Wolf Security revealed that only 11% of the available anti-virus engines detected the JavaScript-based program. It uses several layers of obfuscation to cover its tracks. 

RATDispenser arrives as a malicious email with an executable attachment. This is typically a JavaScript file that impersonates a text file. Clicking on the link launches the JavaScript, which then decodes itself before using cmd.exe to write a VBScript to the Windows %TEMP% folder. 

RATDispenser doesn't execute its own payload. Instead, it is a delivery system that installs other malware. The installed script deploys one of eight malware families, all of which are either RATs, key loggers, or information stealers. According to the report, four in five malware families detected were STRRAT and WSHRAT. These are RATs written in Java and VBS. 

One of the most notable malware families delivered via the dropper was Panda Stealer. This is a fileless malware strain that targets cryptocurrency wallets. It steals private keys and records of past transactions, according to a separate Trend Micro report. It can also steal credentials from other services including NordVPN, Discord, and Telegram, while taking screenshots of the victim's system. 

One step that RATDispenser frequently takes to fly under the radar is to drop, rather than download, its payloads. In 94% of detected cases, the program carries the payload with it. This enables it to decode and deliver the malware locally rather than downloading it over the network. That makes it harder for network monitoring software to spot. 

Despite the malware's effectiveness at evading anti-virus protection, administrators can take some preventative action, according to HP's researchers. They can block executable email attachments including JavaScript and VBScript and change the default handler for JavaScript files. They can also prevent unsigned scripts from running and disable Windows Script Host. The company has also published a YARA rule to spot the malware.
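
The first of those mitigations, as an added example that is not from HP's report or the original article: a mail-gateway style check that flags JavaScript and VBScript attachments, including ones that put a document-style extension in front of the script extension to pass as a text file. The extension lists, function names and sample message are assumptions made for this illustration.

```python
import email
from email import policy
from email.message import EmailMessage

# Extensions Windows Script Host runs on double-click (JavaScript / VBScript families).
SCRIPT_EXTS = {"js", "jse", "vbs", "vbe", "wsf", "wsh"}
# Benign-looking extensions placed in front of the real one (assumed list).
DECOY_EXTS = {"txt", "pdf", "doc", "docx", "xls", "xlsx", "jpg", "png"}

def classify_filename(name):
    """Return 'block-decoy', 'block' or 'allow' for an attachment filename."""
    # Windows ignores trailing dots and spaces, so "a.js. " still opens as a.js.
    cleaned = name.strip().rstrip(". ").lower()
    parts = cleaned.rsplit(".", 2)
    ext = parts[-1].strip() if len(parts) > 1 else ""
    if ext not in SCRIPT_EXTS:
        return "allow"
    if len(parts) == 3 and parts[1].strip() in DECOY_EXTS:
        return "block-decoy"
    return "block"

def scan_message(raw_bytes):
    """Return [(filename, verdict)] for every MIME part that should be blocked."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    hits = []
    for part in msg.walk():  # walk() also reaches inline and nested parts
        name = part.get_filename()
        if name and classify_filename(name) != "allow":
            hits.append((name, classify_filename(name)))
    return hits

def build_sample():
    """Constructed test message; addresses, names and contents are invented."""
    m = EmailMessage()
    m["From"], m["To"] = "sender@example.com", "user@example.com"
    m["Subject"] = "Order details"
    m.set_content("See attached.")
    # Declared as text/plain, but the final extension makes it a script.
    m.add_attachment("// placeholder\n", filename="Order_details.txt.js")
    m.add_attachment("plain notes\n", filename="notes.txt")
    m.add_attachment("' placeholder\n", filename="macro.vbs")
    return m.as_bytes()

if __name__ == "__main__":
    for name, verdict in scan_message(build_sample()):
        print(f"{verdict:12} {name}")
```

The verdict is based on the final extension only, because that is what decides which handler Windows launches; the declared MIME type is ignored on purpose.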
