Stealthy new JavaScript malware infects Windows PCs with RATs

Gandalf_The_Grey

Level 83
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 24, 2016
7,260
A new stealthy JavaScript loader named RATDispenser is being used to infect devices with a variety of remote access trojans (RATs) in phishing attacks.

The novel loader was quick to establish distribution partnerships with at least eight malware families, all designed to steal information and give actors control over the target devices.

In 94% of the cases analyzed by the HP Threat Research team, RATDispenser does not communicate with an actor-controlled server and is solely used as a first-stage malware dropper.

Going against the trend of using Microsoft Office documents to drop payloads, this loader uses JavaScript attachments, which HP found to have low detection rates.

The infection begins with a phishing email containing a malicious JavaScript attachment named with a '.TXT.js' double-extension. As Windows hides extensions by default, if a recipient saves the file to their computer, it will appear as a harmless text file.

This text file is heavily obfuscated to bypass detection by security software and will be decoded when the file is double-clicked and launched.

Once launched, the loader will write a VBScript file to the %TEMP% folder, which is then executed to download the malware (RAT) payload.
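The chain described above leaves two observable process-creation events on the endpoint: a Windows Script Host process started on a double-extension attachment, and a second WSH process running a .vbs out of %TEMP% as a child of the first. The following Python is an added detection example, not code from HP, BleepingComputer or this thread. It runs over constructed Sysmon-style process-creation records (the field names, PIDs and paths are assumptions made for the example) and flags both stages, linking them when the parent/child relationship is visible.

```python
import re
from pathlib import PureWindowsPath
from typing import Optional

# Extensions handled by Windows Script Host (wscript.exe / cscript.exe) on double-click.
WSH_SCRIPT_EXTS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh"}
# Harmless-looking inner extensions used to disguise a script, e.g. "invoice.TXT.js".
DECOY_EXTS = {".txt", ".pdf", ".doc", ".docx", ".xls", ".xlsx", ".jpg", ".png", ".html"}
WSH_HOSTS = {"wscript.exe", "cscript.exe"}
# A .vbs/.vbe sitting directly in the user's %TEMP% folder (the stage-2 drop described in the post).
TEMP_VBS_RE = re.compile(r"(?:%temp%|\\appdata\\local\\temp)\\[^\\]+\.vb[se]$", re.IGNORECASE)


def is_disguised_script(filename: str) -> bool:
    """True for names like 'invoice.TXT.js': a decoy extension followed by a WSH extension."""
    suffixes = [s.lower() for s in PureWindowsPath(filename).suffixes]
    return len(suffixes) >= 2 and suffixes[-1] in WSH_SCRIPT_EXTS and suffixes[-2] in DECOY_EXTS


def cmdline_args(cmdline: str) -> list:
    """Split a Windows command line on whitespace, keeping double-quoted paths intact (simplified)."""
    return [quoted or bare for quoted, bare in re.findall(r'"([^"]*)"|(\S+)', cmdline)]


def wsh_script_path(image: str, cmdline: str) -> Optional[str]:
    """If the process is a WSH host, return the script it was asked to run, else None.
    WSH switches start with '//' (e.g. //B, //Nologo) and are skipped."""
    if PureWindowsPath(image).name.lower() not in WSH_HOSTS:
        return None
    for arg in cmdline_args(cmdline)[1:]:
        if not arg.startswith("/"):
            return arg
    return None


def detect_ratdispenser_chain(events):
    """Scan Sysmon-style process-creation events (time-ordered dicts) and return alerts.

    Rule 1: a WSH host launched on a double-extension script (the phishing attachment).
    Rule 2: a WSH host launched on a .vbs in %TEMP%; if its parent is a Rule-1 process the
            two stages are linked, otherwise it is reported on its own (an intermediate
            cmd.exe would break the direct parent link, so the standalone form still fires).
    """
    alerts = []
    loader_pids = {}  # pid -> disguised script path, for WSH hosts matched by Rule 1
    for ev in events:
        script = wsh_script_path(ev["Image"], ev["CommandLine"])
        if script is None:
            continue
        if is_disguised_script(script):
            loader_pids[ev["ProcessId"]] = script
            alerts.append(("wsh_double_extension", ev["ProcessId"], script))
        elif TEMP_VBS_RE.search(script):
            rule = "wsh_temp_vbs_child_of_js_loader" if ev["ParentProcessId"] in loader_pids else "wsh_temp_vbs"
            alerts.append((rule, ev["ProcessId"], script))
    return alerts


# Constructed sample telemetry (not real logs): a user double-clicks the attachment, the
# loader's wscript.exe drops and runs a .vbs from %TEMP%, and an unrelated admin script runs elsewhere.
SAMPLE_EVENTS = [
    {"ProcessId": 4312, "ParentProcessId": 1200, "Image": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r'"C:\Windows\System32\wscript.exe" "C:\Users\alice\Downloads\invoice.TXT.js"'},
    {"ProcessId": 4380, "ParentProcessId": 4312, "Image": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r'"C:\Windows\System32\wscript.exe" "C:\Users\alice\AppData\Local\Temp\tmpE3A1.vbs"'},
    {"ProcessId": 5000, "ParentProcessId": 3000, "Image": r"C:\Windows\System32\cscript.exe",
     "CommandLine": r"cscript.exe //Nologo C:\Scripts\inventory.vbs"},
    {"ProcessId": 5100, "ParentProcessId": 1200, "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": r'notepad.exe "C:\Users\alice\Downloads\notes.txt"'},
]

if __name__ == "__main__":
    for rule, pid, script in detect_ratdispenser_chain(SAMPLE_EVENTS):
        print(f"{rule}: pid={pid} script={script}")
```

On the sample, the admin's cscript.exe run and notepad.exe produce nothing, while the two loader stages are reported with the second tied to the first by parent PID. The decoy and script extension sets are deliberately small; widen DECOY_EXTS for your environment, and treat the parent-linked form as the high-confidence alert since a lone .vbs in %TEMP% is also produced by some legitimate installers.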
 

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,511
People often confuse JScript with JavaScript because both have (almost) the same functions and syntax. The difference is that JScript is often executed by Windows Script Host and JavaScript is usually run by the web browser (it can also be run via some LOLBins). So the script runs in different environments. If the attacker wants to infect a system then the JScript attachment is more convenient because the code is executed outside the web browser (no sandbox restrictions).

A similar misunderstanding is often with VBA macros and VBScript. One can use VBScript code as a macro code, and this will work. But in this case, the code will be run by the MS Office interpreter.
One can also use VBScript as a macro code to run the JScript file (.js). The macro will be run via the MS Office interpreter and the .js script will be run via Windows Script Host. Also, mshta.exe can be invoked from the macro to run VBScript or JavaScript code embedded in the .hta file, etc.

Edit.
I corrected my stupid misspelling (I wrote JScript instead of VBScript):(
VBA is a real extension of VBScript, so the VBA code will not always run on a VBScript interpreter.
 

Gandalf_The_Grey

Level 83
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 24, 2016
7,260
People often confuse JScript with JavaScript because both have the same functions and syntax. The difference is that JScript is often executed by Windows Script Host and JavaScript is usually run by the web browser (it can also be run via some LOLBins). So the script runs in different environments. If the attacker wants to infect a system then the JScript attachment is more convenient because the code is executed outside the web browser (no sandbox restrictions).

A similar misunderstanding is often with VBA macros and JavaScript. One can use a JScript (JavaScript) code as a macro code, and this will work. But in this case, the code will be run by the MS Office interpreter.
Even HP and Bleeping Computer make that mistake, see the titles of those stories.
 

wat0114

Level 13
Verified
Top Poster
Well-known
Apr 5, 2021
620
