Stealthy new JavaScript malware infects Windows PCs with RATs

Gandalf_The_Grey

Gandalf_The_Grey

Level 76
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 24, 2016
6,572
Content source
https://www.bleepingcomputer.com/news/security/stealthy-new-javascript-malware-infects-windows-pcs-with-rats/
A new stealthy JavaScript loader named RATDispenser is being used to infect devices with a variety of remote access trojans (RATs) in phishing attacks.

The novel loader was quick to establish distribution partnerships with at least eight malware families, all designed to steal information and give actors control over the target devices.

In 94% of the cases analyzed by the HP Threat Research team, RATDispenser does not communicate with an actor-controlled server and is solely used as a first-stage malware dropper.

Going against the trend of using Microsoft Office documents to drop payloads, this loader uses JavaScript attachments, which HP found to have low detection rates.

The infection begins with a phishing email containing a malicious JavaScript attachment named with a '.TXT.js' double-extension. As Windows hides extensions by default, if a recipient saves the file to their computer, it will appear as a harmless text file.

This text file is heavily obfuscated to bypass detection by security software and will be decoded when the file is double-clicked and launched.

Once launched, the loader will write a VBScript file to the %TEMP% folder, which is then executed to download the malware (RAT) payload.
Click to expand...
www.bleepingcomputer.com

Stealthy new JavaScript malware infects Windows PCs with RATs

A new stealthy JavaScript malware loader named RATDispenser is being used to infect devices with a variety of remote access trojans (RATs) in phishing attacks.
www.bleepingcomputer.com www.bleepingcomputer.com
www.bleepingcomputer.com

Hiding Windows File Extensions is a Security Risk, Enable Now

Microsoft hides file extensions in Windows by default even though it's a security risk that is commonly abused by phishing emails and malware distributors to trick people into opening malicious files.
www.bleepingcomputer.com www.bleepingcomputer.com
 
  • Like
  • Wow
Reactions: Dave Russo, oldschool, wat0114 and 10 others
Andy Ful

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,119
People often confuse JScript with JavaScript because both have (almost) the same functions and syntax. The difference is that JScript is often executed by Windows Script Host and JavaScript is usually run by the web browser (can be also run via some LOLBins). So the script runs in different environments. If the attacker wants to infect a system then the JScript attachment is more convenient because the code is executed outside the web browser (no sandbox restrictions).

A similar misunderstanding is often with VBA macros and JavaScript. VBScript. One can use a JScript (JavaScript) VBScript code as a macro code, and this will work. But in this case, the code will be run by the MS Office interpreter.
One can also use VBScript as a macro code to run the JScript file (.js). The macro will be run via MS Office interpreter and the .js script will be run via Windows Script Host. Also, mshta.exe can be invoked from the macro to run VBscript or JavaScript code embedded in the .hta file, etc.

Edit.
I corrected my stupid misspelling (I wrote JScript instead of VBScript):(
VBA is a real extension of VBScript, so the VBA code will not always run on a VBScript interpreter.
 
Last edited:
  • Like
  • Thanks
  • +Reputation
Reactions: Dave Russo, oldschool, wat0114 and 6 others
Gandalf_The_Grey

Gandalf_The_Grey

Level 76
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 24, 2016
6,572
Andy Ful said:
People often confuse JScript with JavaScript because both have the same functions and syntax. The difference is that JScript is often executed by Windows Script Host and JavaScript is usually run by the web browser (can be also run via some LOLBins). So the script runs in different environments. If the attacker wants to infect a system then the JScript attachment is more convenient because the code is executed outside the web browser (no sandbox restrictions).

A similar misunderstanding is often with VBA macros and JavaScript. One can use a JScript (JavaScript) code as a macro code, and this will work. But in this case, the code will be run by the MS Office interpreter.
Click to expand...
Even HP and Bleeping Computer make that mistake, see the titles of those stories.
 
  • Like
Reactions: Dave Russo, oldschool, wat0114 and 6 others
wat0114

wat0114

Level 12
Verified
Top Poster
Well-known
Apr 5, 2021
565
  • Like
Reactions: Dave Russo, struppigel, Gandalf_The_Grey and 2 others
You must log in or register to reply here.

Similar threads

[correlate]
    • Like
    • +Reputation
    • Applause
Deep Instinct uncovers new JavaScript-based malware dropper
Replies
0
Views
1,070
News Archive
[correlate]
[correlate]
[correlate]
    • Like
    • +Reputation
Microsoft Teams phishing attack pushes DarkGate malware
Replies
0
Views
1,497
News Archive
[correlate]
[correlate]
silversurfer
    • Like
    • +Reputation
MULTI#STORM Campaign Targets India and U.S. with Remote Access Trojans
Replies
0
Views
878
News Archive
silversurfer
silversurfer

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

Quick Navigation

Forum Rules Warning System Welcome Guide Two-factor Authentication

User Menu

Login

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top