Stealthy new JavaScript malware infects Windows PCs with RATs

Gandalf_The_Grey

Level 61
Thread author
Verified
Helper
Top poster
Content Creator
Well-known
Apr 24, 2016
5,050
A new stealthy JavaScript loader named RATDispenser is being used to infect devices with a variety of remote access trojans (RATs) in phishing attacks.

The novel loader was quick to establish distribution partnerships with at least eight malware families, all designed to steal information and give actors control over the target devices.

In 94% of the cases analyzed by the HP Threat Research team, RATDispenser does not communicate with an actor-controlled server and is solely used as a first-stage malware dropper.

Going against the trend of using Microsoft Office documents to drop payloads, this loader uses JavaScript attachments, which HP found to have low detection rates.

The infection begins with a phishing email containing a malicious JavaScript attachment named with a '.TXT.js' double-extension. As Windows hides extensions by default, if a recipient saves the file to their computer, it will appear as a harmless text file.

This text file is heavily obfuscated to bypass detection by security software and will be decoded when the file is double-clicked and launched.

Once launched, the loader will write a VBScript file to the %TEMP% folder, which is then executed to download the malware (RAT) payload.
 

Andy Ful

Level 81
Verified
Helper
Top poster
Developer
Well-known
Dec 23, 2014
7,008
People often confuse JScript with JavaScript because both have (almost) the same functions and syntax. The difference is that JScript is often executed by Windows Script Host and JavaScript is usually run by the web browser (can be also run via some LOLBins). So the script runs in different environments. If the attacker wants to infect a system then the JScript attachment is more convenient because the code is executed outside the web browser (no sandbox restrictions).

A similar misunderstanding is often with VBA macros and JavaScript. VBScript. One can use a JScript (JavaScript) VBScript code as a macro code, and this will work. But in this case, the code will be run by the MS Office interpreter.
One can also use VBScript as a macro code to run the JScript file (.js). The macro will be run via MS Office interpreter and the .js script will be run via Windows Script Host. Also, mshta.exe can be invoked from the macro to run VBscript or JavaScript code embedded in the .hta file, etc.

Edit.
I corrected my stupid misspelling (I wrote JScript instead of VBScript):(
VBA is a real extension of VBScript, so the VBA code will not always run on a VBScript interpreter.
 
Last edited:

Gandalf_The_Grey

Level 61
Thread author
Verified
Helper
Top poster
Content Creator
Well-known
Apr 24, 2016
5,050
People often confuse JScript with JavaScript because both have the same functions and syntax. The difference is that JScript is often executed by Windows Script Host and JavaScript is usually run by the web browser (can be also run via some LOLBins). So the script runs in different environments. If the attacker wants to infect a system then the JScript attachment is more convenient because the code is executed outside the web browser (no sandbox restrictions).

A similar misunderstanding is often with VBA macros and JavaScript. One can use a JScript (JavaScript) code as a macro code, and this will work. But in this case, the code will be run by the MS Office interpreter.
Even HP and Bleeping Computer make that mistake, see the titles of those stories.
 

wat0114

Level 7
Verified
Well-known
Apr 5, 2021
303