[TheRecord] New JavaScript malware works as a “RAT dispenser”

Cybersecurity experts from HP said they discovered a new strain of JavaScript malware that criminals are using as a way to infect systems and then deploy much dangerous remote access trojans (RATs).

Cleverly named RATDispenser, the malware has been distributed in the wild for at least three months in the form of email messages carrying malicious file attachments.

These files abuse the classic double-extension trick (filename.txt.js) to pose as text files but run JavaScript code when users try to open them.

Once this happens, HP says the RATDispenser malware decodes itself and runs a self-contained VBScript file that then installs a commodity remote access trojan on the infected device.

Over the past three months, HP said the malware had been used to drop at least eight different RAT strains, such as STTRAT, WSHRAT, AdWind, Formbook, Remcos, Panda Stealer, GuLoader, and Ratty.

Image: HP

“The variety in malware families, many of which can be purchased or downloaded freely from underground marketplaces, and the preference of malware operators to drop their payloads, suggest that the authors of RATDispenser may be operating under a malware-as-a-service business model,” Patrick Schläpfer, malware analyst at HP’s Wolf Security, said in a report published this week.

Schläpfer said HP has discovered around 155 samples of this new malware, spanning across three different versions, suggesting the malware may be in its first months of development.

Schläpfer described RATDispenser as a dropper, a type of malware used to install other threats. Droppers are different from loaders (also known as downloaders), as they contain the final payload in their body and don’t communicate with a command and control server, meaning they are less versatile but slightly stealthier.

Indicators of compromise are available in the HP Wolf Security report.

The post New JavaScript malware works as a “RAT dispenser” appeared first on The Record by Recorded Future.

Source: Read More (The Record by Recorded Future)

You might be interested in …

[ZDNet] Get unlimited StackSkills courses, a VPN lifetime sub, and a password manager for just $50

All posts, ZDNet

You can change your entire life with permanent unlimited access to thousands of training classes, as well as the tools to keep you safe if you choose courses that will allow you to work from exotic locations. Source: Read More (Latest topics for ZDNet in Security)

Read More

[ZDNet] Austrac limited when regulating overseas terrorism financing via online platforms

All posts, ZDNet

Online platforms such as Telegram and cryptocurrency exchange platforms are increasingly being used to fund terrorism, according to Australia’s money laundering and terrorism financing watchdog. Source: Read More (Latest topics for ZDNet in Security)

Read More

[BleepingComputer] Insurance giant CNA fully restores systems after ransomware attack

Leading US-based insurance company CNA Financial has fully restored systems following a Phoenix CryptoLocker ransomware attack that hits its network during late March and disrupted online services and business operations. […] Source: Read More (BleepingComputer)

Read More