Hackers armed with new dropper grenade launcher to spread RAT

CUK77

RATDispenser is used to deliver at least eight different Trojans to attacked systems for remote access.


According to a new report from HP specialists, over the past three months hackers have been actively using the RATDispenser dropper to deliver at least eight different remote access Trojans (RATs) to attacked systems, such as STRRAT, WSHRAT, AdWind, Formbook, Remcos, Panda Stealer, GuLoader and Ratty.

RATDispenser is written in JavaScript and spreads via emails with a malicious attachment. In order to convince the victim to open it, attackers use a well-known trick with a double extension (filename.txt.js), passing off JavaScript code as a text file. After the victim opens the attachment, RATDispenser decrypts itself and runs in a standalone VBScript file, which then installs the RAT.

“The variety of malware families, many of which can be purchased or downloaded for free from clandestine marketplaces, and the fact that malware operators prefer it to download their programs, suggests that the authors of RATDispenser can operate on the business model of ‘malware Software as a Service,’” said Patrick Schläpfer, an analyst at HP Wolf Security.

In total, HP specialists identified about 155 samples of the new malware. There are currently only three versions of RATDispenser, which means it has only been around for a few months.

RATDispenser is a dropper, a type of malware used to install other threats on systems under attack. Unlike downloaders, droppers contain the final payload in themselves and do not connect to C&C servers. This makes them less versatile, but stealthier.

Indicators of compromise are presented in the HP Wolf Security report.
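
The double-extension lure described above (filename.txt.js) can be caught at the mail gateway by checking attachment names. The following is an added example, not code from the HP report or from this post; the extension lists and the sample message are assumptions constructed for illustration.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage

# Assumed list: extensions Windows runs as script on double-click.
SCRIPT_EXTS = {"js", "jse", "vbs", "vbe", "wsf", "wsh", "hta"}
# Assumed list: extensions a user reads as harmless, used as the decoy.
DECOY_EXTS = {"txt", "pdf", "doc", "docx", "xls", "xlsx", "jpg", "png", "rtf"}

def classify(filename):
    """Return 'double-extension', 'script' or None for one attachment name."""
    # Windows ignores trailing dots and spaces, so drop them before splitting.
    parts = filename.strip().rstrip(". ").lower().split(".")
    if len(parts) < 2 or parts[-1] not in SCRIPT_EXTS:
        return None
    # name.txt.js: the last extension is the real one, the one before is the decoy.
    if len(parts) >= 3 and parts[-2].strip() in DECOY_EXTS:
        return "double-extension"
    return "script"

def scan_message(raw_bytes):
    """Parse a raw message and return [(filename, verdict)] for flagged attachments."""
    msg = message_from_bytes(raw_bytes, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename()  # policy.default decodes encoded filenames
        verdict = classify(name) if name else None
        if verdict:
            findings.append((name, verdict))
    return findings

def build_sample():
    """Constructed sample message; attachment contents are inert bytes."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "user@example.com"
    msg["Subject"] = "Order details"
    msg.set_content("See attached.")
    for name in ("Order_2021.TXT.js", "notes.txt", "update.vbs"):
        msg.add_attachment(b"inert sample", maintype="application",
                           subtype="octet-stream", filename=name)
    return msg.as_bytes()

if __name__ == "__main__":
    for name, verdict in scan_message(build_sample()):
        print(f"{verdict:17} {name}")
```

A legitimate name such as jquery.min.js is reported only as "script", so the two verdicts can be routed to different policies (block versus quarantine for review).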
 