JavaScript Malware Dropper Used to Deploy Multiple Malware Families, Research Finds


Security researchers have identified a new malware dropper, dubbed RATDispenser, that can deliver several different malware families and appears to be offered under a malware-as-a-service business model.

Infecting a device is hard, especially when the user runs security software. Modern malware therefore usually arrives by way of a separate first-stage component, known as a dropper, which security products are less likely to flag as malicious. Even so, getting past a security solution is difficult, so attackers obfuscate the dropper's code to evade detection.

RATDispenser, one such dropper, was identified by security researchers from the HP Threat Research team.

“RATDispenser is used to gain an initial foothold on a system before launching secondary malware that establishes control over the compromised device,” said the team. “Interestingly, our investigation found that RATDispenser is predominantly being used as a dropper (in 94% of samples analyzed), meaning the malware doesn’t communicate over the network to deliver a malicious payload.”

“The variety in malware families, many of which can be purchased or downloaded freely from underground marketplaces, and the preference of malware operators to drop their payloads, suggest that the authors of RATDispenser may be operating under a malware-as-a-service business model,” they added.

Users are infected through the usual route: they open an e-mail attachment and run a JavaScript file, which drops the embedded malware payload (only the minority of downloader variants fetch it over the network) and launches it. The script deletes itself once these steps complete.
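The infection chain above (a script attachment that carries an obfuscated payload, writes it out, runs it and removes itself) is exactly what a mail-gateway or endpoint check can look for statically. The following is an added example, not code from the article or from HP's report: a small heuristic that scores an attachment on those traits. The Windows Script Host API patterns, the score thresholds and both sample scripts are assumptions constructed for illustration; the "payload" in the dropper sample is a synthetic base64-alphabet blob, not real malware.

```python
# Added example (not from the article or HP's research): a static
# heuristic that scores an e-mail attachment for dropper-like traits.
# API patterns, thresholds and the sample scripts are assumptions.
import math
import re
from dataclasses import dataclass

SCRIPT_EXTENSIONS = (".js", ".jse", ".wsf", ".vbs", ".vbe")

# Windows Script Host / COM calls typical of drop-and-execute scripts (assumed indicators).
WRITE_APIS = re.compile(r"Scripting\.FileSystemObject|CreateTextFile|ADODB\.Stream|SaveToFile", re.I)
EXEC_APIS = re.compile(r"WScript\.Shell|ShellExecute|\.Run\(|\.Exec\(", re.I)
SELF_DELETE = re.compile(r"DeleteFile\(\s*WScript\.Script(FullName|Name)", re.I)
NETWORK_APIS = re.compile(r"XMLHTTP|WinHttp|ServerXMLHTTP", re.I)
STRING_LITERAL = re.compile(r'"(?:[^"\\]|\\.)*"|\'(?:[^\'\\]|\\.)*\'')

BLOB_MIN_LEN = 200      # assumed: literals longer than this may be an encoded payload
BLOB_MIN_ENTROPY = 4.5  # bits per character; English prose is roughly 4.0


def shannon_entropy(text: str) -> float:
    """Bits of entropy per character of `text` (0.0 for empty or single-symbol input)."""
    if not text:
        return 0.0
    counts = {}
    for ch in text:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


@dataclass
class Verdict:
    score: int
    reasons: list
    suspicious: bool


def analyze_attachment(filename: str, content: str, threshold: int = 5) -> Verdict:
    """Score an attachment; `suspicious` is True when the score reaches `threshold`."""
    score, reasons = 0, []
    if filename.lower().endswith(SCRIPT_EXTENSIONS):
        score += 2
        reasons.append(f"script attachment: {filename}")
    blobs = [m.group(0) for m in STRING_LITERAL.finditer(content)
             if len(m.group(0)) > BLOB_MIN_LEN
             and shannon_entropy(m.group(0)) > BLOB_MIN_ENTROPY]
    if blobs:
        score += 3
        reasons.append(f"{len(blobs)} long high-entropy string literal(s): likely an encoded embedded payload")
    if WRITE_APIS.search(content) and EXEC_APIS.search(content):
        score += 3
        reasons.append("writes a file and launches a process (drop-and-execute)")
    if SELF_DELETE.search(content):
        score += 2
        reasons.append("deletes its own script file after running")
    if NETWORK_APIS.search(content):
        score += 1
        reasons.append("has a download capability (downloader rather than pure dropper)")
    return Verdict(score, reasons, score >= threshold)


# Constructed samples (not real malware). The synthetic payload cycles
# through the base64 alphabet so it looks like encoded data.
_B64 = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
FAKE_BLOB = "".join(_B64[(i * 7 + 3) % 64] for i in range(400))

DROPPER_SAMPLE = (
    'var fso = new ActiveXObject("Scripting.FileSystemObject");\n'
    'var sh  = new ActiveXObject("WScript.Shell");\n'
    'var data = "' + FAKE_BLOB + '";\n'
    'var out = fso.CreateTextFile(sh.ExpandEnvironmentStrings("%TEMP%") + "/stage.vbs", true);\n'
    'out.Write(data); out.Close();\n'
    'sh.Run("wscript.exe " + sh.ExpandEnvironmentStrings("%TEMP%") + "/stage.vbs", 0, false);\n'
    'fso.DeleteFile(WScript.ScriptFullName);\n'
)

BENIGN_SAMPLE = (
    'var total = 0;\n'
    'for (var i = 1; i <= 10; i++) { total += i; }\n'
    'WScript.Echo("Sum of 1..10: " + total);\n'
)

if __name__ == "__main__":
    samples = [("invoice.js", DROPPER_SAMPLE), ("notes.js", BENIGN_SAMPLE),
               ("report.pdf", "%PDF-1.4 (constructed placeholder)")]
    for name, body in samples:
        v = analyze_attachment(name, body)
        print(f"{name}: score={v.score} suspicious={v.suspicious}")
        for reason in v.reasons:
            print("  -", reason)
```

The scoring deliberately weights the combination of a file write plus a process launch, and an embedded high-entropy literal, above the file extension alone, so that an innocuous `.js` attachment scores low while the dropper sample trips every check. In practice a gateway would pair a heuristic like this with a plain policy of blocking script attachments outright, and a sandbox would confirm the drop-and-execute behaviour dynamically.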

What sets RATDispenser apart is the range of possible payloads, which include STRRAT, WSHRAT, AdWind, Formbook, Remcos and Panda Stealer, among others. HP's team also published a complete list of indicators of compromise.