Last Updated on 29/11/2021 by Nidhi Khandelwal
According to HP Threat Research, the actors behind RATDispenser may be using a Malware-as-a-Service (MaaS) architecture to transmit eight malware families.
STRAT, WSHRAT, AdWind, Formbook, Remcos, Panda Stealer, GuLoader, and Ratty are among the malware families supplied.
All of the payloads were identified as RATs, which collect information and allow attackers to take control of victims’ devices.
RATDispenser was used in the majority of the attacks to obtain initial access before launching secondary malware to take control of the device.
RATDispenser is being used as a dropper in 94 percent of the examined samples, indicating that it does not communicate over the network to transmit a malicious payload.
A user receives an email containing a malicious attachment, which starts the infection chain. For instance, a JavaScript file (.js) disguised as a text file providing order information.
When a user double-clicks the file to open it, the malware is executed. Then, using cmd[.]exe at runtime, JavaScript decodes itself and writes a VBScript file in the percent TEMP percent folder.
A lengthy and chained argument is supported by the cmd[.]exe process. The echo function is then used to write sections of this to a new file. The VBScript file then executes and downloads the malware payload.
If the malware payload is downloaded successfully, it is run and the VBScript file is deleted.
RATDispenser is thought to be distributed as MaaS and has been seen spreading a variety of malware. As a result, enterprises should implement reliable anti-malware and anti-phishing solutions, as well as network firewalls. Furthermore, always
