- Apr 24, 2016
The new loader quickly established distribution partnerships with at least eight malware families, all designed to steal information and give the operators remote control over infected devices.
In 94% of the cases analyzed by the HP Threat Research team, RATDispenser does not communicate with an actor-controlled server and is solely used as a first-stage malware dropper.
The attachment appears to be a text file but is a JavaScript file; it is heavily obfuscated to evade detection by security software and is only decoded when the victim double-clicks and launches it.
Once launched, the loader writes a VBScript file to the %TEMP% folder and executes it to deploy the malware (RAT) payload. In the dropper case the payload is carried inside the script rather than fetched from a server, which is why most samples never contact an actor-controlled host.
Windows hides file extensions for known file types by default, even though this is a security weakness that phishing and malware campaigns routinely abuse: a file named, for instance, invoice.txt.js is displayed as invoice.txt, so the victim believes they are opening a harmless text file.