Threat actors have been observed employing a previously undocumented JavaScript malware strain that functions as a loader to distribute an array of remote access Trojans (RATs) and information stealers.
HP Threat Research dubbed the new, evasive loader “RATDispenser,” with the malware responsible for deploying at least eight different malware families in 2021. Around 155 samples of this new malware have been discovered, spread across three different variants, hinting that it is under active development.
“RATDispenser is used to gain an initial foothold on a system before launching secondary malware that establishes control over the compromised device,” security researcher Patrick Schläpfer said. “All the payloads were RATs, designed to steal information and give attackers control over victim devices.”
As with other attacks of this kind, the starting point of the infection is a phishing email containing a malicious attachment that masquerades as a text file but is in reality obfuscated JavaScript code programmed to write and execute a VBScript file, which in turn downloads the final-stage malware payload onto the infected machine.
RATDispenser has been observed dropping different types of malware, including STRRAT, WSHRAT (aka Houdini or Hworm), AdWind (aka AlienSpy or Sockrat), Formbook (aka xLoader), Remcos (aka Socmer), Panda Stealer, CloudEyE (aka GuLoader), and Ratty, each of which is equipped to siphon sensitive data from the compromised machine, in addition to targeting cryptocurrency wallets.
“The variety in malware families, many of which can be purchased or downloaded freely from underground marketplaces, and the preference of malware operators to drop their payloads, suggest that the authors of RATDispenser may be operating under a malware-as-a-service business model,” Schläpfer said.