
RATDispenser evades nine in ten anti-virus engines

Stealth malware deploys key loggers and information stealers

Security researchers have discovered a strain of malware tailored to avoid detection by anti-virus engines. Dubbed RATDispenser, the software delivers remote access trojans (RATs) and information stealers that can log a victim's keystrokes and even steal cryptocurrency information. 

In a report published today, HP Wolf Security revealed that only 11% of the available anti-virus engines detected the JavaScript-based program. It uses several layers of obfuscation to cover its tracks. 

RATDispenser arrives as a malicious email with an executable attachment. This is typically a JavaScript file that impersonates a text file. Clicking on the link launches the JavaScript, which then decodes itself before using cmd.exe to write a VBScript to the Windows %TEMP% folder. 

RATDispenser doesn't execute its own payload. Instead, it is a delivery system that installs other malware. The installed script deploys one of eight malware families, all of which are either RATs, key loggers, or information stealers. According to the report, four in five malware families detected were STRRAT and WSHRAT. These are RATs written in Java and VBS. 

One of the most notable malware families delivered via the dropper was Panda Stealer. This is a fileless malware strain that targets cryptocurrency wallets. It steals private keys and records of past transactions, according to a separate Trend Micro report. It can also steal credentials from other services including NordVPN, Discord, and Telegram, while taking screenshots of the victim's system. 

One step that RATDispenser frequently takes to fly under the radar is to drop, rather than download, its payloads. In 94% of detected cases, the program carries the payload with it. This enables it to decode and deliver the malware locally rather than downloading it over the network. That makes it harder for network monitoring software to spot. 
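Because the payload is decoded on the host rather than fetched over the network, the observable trail is in endpoint process telemetry: a script host launching a double-extension file, then cmd.exe spawned by that script host writing a VBScript under %TEMP%, then a script host running it. The following is an added example, not code from the article or from HP Wolf Security, that applies those three checks to a handful of constructed Sysmon-style process-creation records (the file names, user name and timestamps are invented for the example).

```powershell
# Added example (not from the article or HP): flag the process chain the article
# describes in Sysmon-style process-creation records. The records below are
# constructed sample data, not real telemetry.
$events = @(
    [pscustomobject]@{ Time='2021-11-23T09:01:02'; Image='C:\Windows\System32\WScript.exe';
        ParentImage='C:\Windows\explorer.exe';
        CommandLine='"C:\Windows\System32\WScript.exe" "C:\Users\alice\Downloads\invoice.txt.js"' },
    [pscustomobject]@{ Time='2021-11-23T09:01:03'; Image='C:\Windows\System32\cmd.exe';
        ParentImage='C:\Windows\System32\WScript.exe';
        CommandLine='cmd.exe /c echo Set sh = CreateObject("WScript.Shell") > C:\Users\alice\AppData\Local\Temp\run.vbs' },
    [pscustomobject]@{ Time='2021-11-23T09:01:04'; Image='C:\Windows\System32\WScript.exe';
        ParentImage='C:\Windows\System32\cmd.exe';
        CommandLine='wscript.exe C:\Users\alice\AppData\Local\Temp\run.vbs' },
    [pscustomobject]@{ Time='2021-11-23T09:05:00'; Image='C:\Windows\System32\cmd.exe';
        ParentImage='C:\Windows\explorer.exe';
        CommandLine='cmd.exe /c dir' }   # benign control record, should not be flagged
)

function Find-ScriptDropperChain {
    param([Parameter(Mandatory)][object[]]$Events)

    # PowerShell's -match is case-insensitive by default, so no (?i) is needed.
    $hostRe    = '\\(wscript|cscript)\.exe$'                      # Windows Script Host binaries
    $tempVbsRe = '\\AppData\\Local\\Temp\\[^"\s]+\.vb[se]\b'      # a .vbs/.vbe under the user's %TEMP%

    foreach ($e in $Events) {
        $hits = @()
        # Stage 1: a script host launched with a script whose name mimics a text file
        if ($e.Image -match $hostRe -and $e.CommandLine -match '\.txt\.(js|jse|vbs|vbe|wsf)\b') {
            $hits += 'script host launched double-extension script'
        }
        # Stage 2: cmd.exe spawned by a script host, writing a VBScript into %TEMP%
        if ($e.Image -match '\\cmd\.exe$' -and $e.ParentImage -match $hostRe -and $e.CommandLine -match $tempVbsRe) {
            $hits += 'script host -> cmd.exe writes .vbs to %TEMP%'
        }
        # Stage 3: a script host executing a VBScript from %TEMP%
        if ($e.Image -match $hostRe -and $e.CommandLine -match $tempVbsRe) {
            $hits += 'script host runs .vbs from %TEMP%'
        }
        if ($hits.Count) {
            [pscustomobject]@{ Time = $e.Time; Image = $e.Image; Reason = ($hits -join '; ') }
        }
    }
}

# Three of the four sample records are flagged; the plain "cmd.exe /c dir" record is not.
Find-ScriptDropperChain -Events $events | Format-Table -AutoSize
```

Each stage on its own is noisy in a real environment (administrators do run cscript.exe), so in production the three flags would be correlated by host and by a short time window, and Stage 1 is the one worth alerting on first because it fires before any payload is written.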

Despite the malware's effectiveness at evading anti-virus protection, administrators can take some preventative action, according to HP's researchers. They can block executable email attachments including JavaScript and VBScript and change the default handler for JavaScript files. They can also prevent unsigned scripts from running and disable Windows Script Host. The company has also published a YARA rule to spot the malware.
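As an added illustration, not HP's published guidance verbatim, the script below applies the host-side mitigations the article lists on a single Windows machine: it re-points the default handler for the common script file types at Notepad, disables the Windows Script Host through its registry setting, and sets the PowerShell execution policy to AllSigned (the article's "prevent unsigned scripts from running" is read here as the PowerShell policy, which is an interpretation). Blocking JavaScript and VBScript attachments is done at the mail gateway and is not covered. The registry paths are the standard ones for these settings, but the script should be tried in a lab before being rolled out by GPO or an endpoint-management tool.

```powershell
#Requires -RunAsAdministrator
# Added example (not HP's own code): apply the article's host-side mitigations.

# 1. Change the default handler for script file types so that opening a
#    double-clicked .js/.vbs/.wsf file shows it in Notepad instead of running it.
$notepad = '"%SystemRoot%\System32\notepad.exe" "%1"'
foreach ($progId in 'JSFile', 'JSEFile', 'VBSFile', 'VBEFile', 'WSFFile') {
    $key = "HKLM:\SOFTWARE\Classes\$progId\Shell\Open\Command"
    if (Test-Path $key) {
        Set-ItemProperty -Path $key -Name '(default)' -Value $notepad
    }
}

# 2. Disable the Windows Script Host machine-wide; wscript.exe and cscript.exe
#    then refuse to run any script, regardless of how it was launched.
$wsh = 'HKLM:\SOFTWARE\Microsoft\Windows Script Host\Settings'
if (-not (Test-Path $wsh)) { New-Item -Path $wsh -Force | Out-Null }
Set-ItemProperty -Path $wsh -Name 'Enabled' -Value 0 -Type DWord

# 3. Require PowerShell scripts to carry a trusted signature.
Set-ExecutionPolicy -ExecutionPolicy AllSigned -Scope LocalMachine -Force

# 4. Read the settings back so the change can be verified (and audited later).
Get-ItemProperty -Path $wsh -Name 'Enabled' | Select-Object Enabled
foreach ($progId in 'JSFile', 'VBSFile') {
    $handler = (Get-ItemProperty -Path "HKLM:\SOFTWARE\Classes\$progId\Shell\Open\Command").'(default)'
    "{0,-8} -> {1}" -f $progId, $handler
}
Get-ExecutionPolicy -Scope LocalMachine
```

Two caveats a practitioner would check: a per-user association under HKCU (Explorer's FileExts\UserChoice, or a user-level Windows Script Host\Settings key) can override the machine-wide values, so the same settings should be enforced for users as well; and the execution policy is a guard against accidental execution rather than a security boundary, so step 3 complements rather than replaces steps 1 and 2.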
