RATDispenser evades nine in ten anti-virus engines

RATDispenser evades nine in ten anti-virus engines

Security researchers have discovered a strain of malware tailored to avoid detection by anti-virus engines. Dubbed RATDispenser, the software delivers remote access trojans (RATs) and information stealers that can log a victim's keystrokes and even steal cryptocurrency information.


Protecting every edge to make hackers’ jobs harder, not yours

How to support and secure hybrid architectures


In a report published today, HP Wolf Security revealed that only 11% of the available anti-virus engines detected the JavaScript-based program. It uses several layers of obfuscation to cover its tracks.

RATDispenser arrives as a malicious email with an executable attachment. This is typically a JavaScript file that impersonates a text file. Clicking on the link launches the JavaScript, which then decodes itself before using cmd.exe to write a VBScript to the Windows %TEMP% folder.

RATDispenser doesn't execute its own payload. Instead, it is a delivery system that installs other malware. The installed script deploys one of eight malware families, all of which are either RATs, key loggers, or information stealers. According to the report, four in five malware families detected were STRRAT and WSHRAT. These are RATs written in Java and VBS.

One of the most notable malware families delivered via the dropper was Panda Stealer. This is a fileless malware strain that targets cryptocurrency wallets. It steals private keys and records of past transactions, according to a separate Trend Micro report. It can also steal credentials from other services including NordVPN, Discord, and Telegram, while taking screenshots of the victim's system.

One step that RATDispenser frequently takes to fly under the radar is to drop, rather than download, its payloads. In 94% of detected cases, the program carries the payload with it. This enables it to decode and deliver the malware locally rather than downloading it over the network. That makes it harder for network monitoring software to spot.

Despite the malware's effectiveness at evading anti-virus protection, administrators can take some preventative action, according to HP's researchers. They can block executable email attachments including JavaScript and VBScript and change the default handler for JavaScript files. They can also prevent unsigned scripts from running and disable Windows Script Host. The company has also published a YARA rule to spot the malware.

Danny Bradbury

Danny Bradbury has been a print journalist specialising in technology since 1989 and a freelance writer since 1994. He has written for national publications on both sides of the Atlantic and has won awards for his investigative cybersecurity journalism work and his arts and culture writing. 

Danny writes about many different technology issues for audiences ranging from consumers through to software developers and CIOs. He also ghostwrites articles for many C-suite business executives in the technology sector and has worked as a presenter for multiple webinars and podcasts.