This New Stealthy JavaScript Loader Infecting Computers with Malware

JavaScript malware loader

Threat actors have been found using a previously undocumented JavaScript malware strain that acts as a loader to deploy a number of remote access Trojan horses (RATs) and information thieves.

HP Threat Research christened the new, evasive loader “RATDispenser”, with the malware responsible for implementing at least eight different malware families by 2021. About 155 samples of this new malware have been discovered, divided into three different variants, suggesting that it is under active development.

Automatic GitHub backups

“RATDispenser is used to gain an initial foothold in a system before launching secondary malware that establishes control over the compromised device,” said security researcher Patrick Schläpfer. “All the payloads were RATs, designed to steal information and give attackers control over the victim’s devices.”

As with other attacks of this kind, the starting point of the infection is a phishing e-mail that contains a malicious attachment that pretends to be a text file, but in reality the blurred JavaScript code is programmed to write and execute a VBScript file, which in turn, downloads the last phase of the malware payload on the infected machine.

JavaScript malware loader

RATDispenser has been observed for various forms of malware, including STRRAT, WSHRAT (aka Houdini or Hworm), AdWind (aka AlienSpy or Sockrat), Formbook (aka xLoader), Remcos (aka Socmer), Panda Stealer, CloudEyE (aka GuLoader), and Ratty, who are each equipped to suck sensitive data from the compromised devices, in addition to targeting cryptocurrency wallets.

Prevent data breaches

“The diversity of malware families, many of which can be purchased or downloaded for free from underground marketplaces, and the malware operators’ preference for dropping their payload, suggest that the authors of RATDispenser may be operating under a malware-as-a-service business model. , “said Schlapfer.


Please enter your comment!
Please enter your name here