[MART] - Daily Diary #397 - Meet RATDispenser, a Javascript Malware

CTAS-MAT ctas-mat at appgate.com
Wed Nov 24 21:00:55 UTC 2021


Hello,
I hope everyone is doing well!

Below is the entry for today.

11/24/2021 - Diary entry #397

Disclosed this week, RATDispenser is a new malware written in JavaScript that doubles as a dropper/downloader. In our Daily Diary #328, we covered the difference between downloaders and droppers. In summary, when acting as a dropper, this malware embeds the next-stage payload in its own code, so it has no need to make an external request. When acting as a downloader, the malware accesses a URL, receives the payload stored there, and then executes it.

RATDispenser campaigns were found sending e-mails with a .txt.js file attached. Because Windows hides file extensions by default, a double extension lets a file pass itself off as another file type to the average user.

What is curious about this threat is the variety of malware it can drop/download. As a dropper, it was used by the families Remcos, STRRAT, GuLoader, Ratty and AdWind. As a downloader, it was used by the families PandaStealer, Formbook and WSHRat.

Although analysing JavaScript is an easy task for most antivirus solutions, RATDispenser uses heavy obfuscation and has low detection rates on VirusTotal.

Kind Regards,



Felipe Duarte Domingues
Security Researcher
Appgate

E: felipe.duarte at appgate.com
O: +55 19 98840 2509
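
A defender's check for the double-extension lure described in the diary entry above (.txt.js), added here as an example that is not part of the original message: it parses a mail message and flags attachments whose real extension is a script type hidden behind a document-looking one. The extension sets, the function names and the sample message are assumptions constructed for illustration.

```python
import re
from email import message_from_bytes, policy
from email.message import EmailMessage

# Assumed lists, not from the diary entry: script types Windows runs on
# double-click, and document types a user reads as harmless.
SCRIPT_EXTS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta"}
DECOY_EXTS = {".txt", ".pdf", ".doc", ".docx", ".xls", ".xlsx", ".jpg", ".png"}

def classify(filename):
    """Return 'double-extension', 'script' or 'ok' for an attachment name."""
    # Drop any path, then the trailing dots/spaces Windows removes on save.
    name = re.split(r"[\\/]", filename)[-1].strip().rstrip(". ").lower()
    exts = ["." + p for p in name.split(".")[1:]]
    if not exts or exts[-1] not in SCRIPT_EXTS:
        return "ok"
    # With extensions hidden, "x.txt.js" is displayed as "x.txt".
    if len(exts) >= 2 and exts[-2] in DECOY_EXTS:
        return "double-extension"
    return "script"

def scan_message(raw_bytes):
    """List (filename, verdict) for every attachment that is not 'ok'."""
    msg = message_from_bytes(raw_bytes, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        fname = part.get_filename()  # decodes RFC 2231 / encoded names
        if fname and classify(fname) != "ok":
            findings.append((fname, classify(fname)))
    return findings

def build_sample():
    """Constructed test message with harmless placeholder attachments."""
    m = EmailMessage()
    m["Subject"] = "Order details"
    m.set_content("See attached.")
    for fname in ("Order_details.TXT.js", "readme.txt"):
        m.add_attachment(b"placeholder", maintype="application",
                         subtype="octet-stream", filename=fname)
    return m.as_bytes()

if __name__ == "__main__":
    for fname, verdict in scan_message(build_sample()):
        print(f"{verdict}: {fname}")
```

A name such as `order 11.24.2021.js` is reported as `script` rather than `double-extension`, since the part before `.js` is not a decoy document type.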
