In phishing attempts, a new covert JavaScript loader known as RATDispenser is being used to infect machines with various remote access trojans (RATs). At least eight malware families quickly established distribution relationships with the innovative loader, all designed to steal information and give perpetrators access over victim computers.
RATDispenser does not connect with an actor-controlled server in 94 percent of the instances examined by the HP Threat Research team and is only employed as a first-stage malware dropper. This loader uses JavaScript attachments, which HP finds to have poor detection rates, in contrast to the pattern of using Microsoft Office documents to deliver payloads.
The infection begins through a phishing email containing a nefarious JavaScript attachment with the double-extension ‘.TXT.js’. Because Windows conceals extensions by default, a recipient’s machine will see the file as a harmless text file if they save it. This text file is severely obfuscated to avoid detection by the security software, and when double-clicked and started, it will be decrypted.
When the loader is run, it will write a VBScript file to the TEMP folder, executed to download the malware (RAT) payload. According to VirusTotal scan data, these layers of obfuscation let the virus elude detection 89 percent of the time.
According to the HP report, although JavaScript is a less prevalent malware file type than Microsoft Office documents and files, it is often overlooked. They were able to assess the detection rates of 77 of their 155 RATDispenser samples that were published on VirusTotal. RATDispenser samples were only discovered by 11 percent of available anti-virus engines, or eight engines in absolute numbers, based on the earliest scan result for each sample.
If the company has activated the blocking of executable attachments, such as.js,.exe,.bat, and.com files, email gateways will identify the loader. Change the standard file handler for JS files, enable only digitally signed scripts to run, or deactivate the WSH (Windows Script Host) to stop the infection chain from spreading.
