New malware dispenses RAT droppings

A new javascript downloader named 'RATDispenser', distributing eight different Remote Access Trojans, keyloggers and information stealers has been uncovered by HP Wolf Security.

Most worrying is that RATDispenser is only detected by 11 percent of available anti-virus engines, meaning it's able to bypass detection tools and successfully deploy malware in the majority of cases.

The malware uses several techniques to evade detection that are particularly dangerous. For example, using a JavaScript file that is masquerading as a text file means a user only has to double click on the file to start the malware downloader. The downloader script itself is also obfuscated to hide malicious code avoid detection of malware scanning tools.

"It's particularly concerning to see RATDispenser only being detected by about 11 percent of anti-virus systems, resulting in this stealthy malware successfully deploying on victims’ endpoints in most cases," says Patrick Schlapfer, malware analyst at HP. "RATs and keyloggers pose a silent threat, helping attackers to gain backdoor access to infected computers and steal credentials from business accounts or even cryptocurrency wallets. From here, cybercriminals can siphon off sensitive data, escalate their access, and in some cases sell this access on to ransomware groups."

To guard against the attack it's recommended that businesses audit what email attachment file types are allowed by their email gateway and block executable file types that aren't needed. They can also interrupt the execution of the malware by changing the default file handler for JavaScript files, only allowing digitally signed scripts to run, or disabling Windows Script Host (WSH).

HP Wolf Security also has available a free YARA rule, Python extraction script, and published Indicators of Compromise (IoCs) which can be used to detect and analyse the malware.

You can read more about the threat on the HP site.

Image Credit: Pakhnyushchyy/depositphotos.com