This stealthy malware delivers a 'silent threat' that wants to steal your passwords

Cybersecurity researchers at HP Wolf Security warn about RATDispenser, a downloader that delivers trojan malware, information stealers and keyloggers.
Written by Danny Palmer, Senior Writer

Cyber criminals are using a new JavaScript downloader to distribute eight different kinds of remote access Trojan (RAT) malware and information-stealing malware in order to gain backdoor control of infected Windows systems, as well as steal usernames, passwords and other sensitive data. 

The downloader has been detailed by cybersecurity researchers at HP Wolf Security, who've called it RATDispenser.  

The initial entry point for attacks is a phishing email that claims to contain a text file about a product order. Clicking the malicious file will run the process for installing RATDispenser malware. In order to avoid detection, the initial JavaScript download is obfuscated with the aid of long strings of code to help hide the malicious intent.

SEE: A winning strategy for cybersecurity (ZDNet special report)

Once installed, RATDispenser is used to distribute a range of different malware, including trojans, keyloggers and information stealers, all designed to steal sensitive data from the user. 

The most frequently distributed malware downloads are STRRAT and WSHRAT, which account for four in five of the analysed samples. But other forms of malware RATDispenser have been distributed, including invasive information stealers such as AdwindFormbookRemcosPanda Stealer, GuLoader and Ratty.

Some of these trojans, like Panda Stealer, are relatively new, having only been discovered this year, while others, such as WSHRAT, have been active for many years. 

At the time the research was published, RATDispender was only detected by one in 10 available anti-virus engines. 

"It's particularly concerning to see RATDispenser only being detected by about 11% of antivirus systems, resulting in this stealthy malware successfully deploying on victims' endpoints in most cases," said Patrick Schlapfer, malware analyst at HP.  

"RATs and keyloggers pose a silent threat, helping attackers to gain backdoor access to infected computers and steal credentials from business accounts or even cryptocurrency wallets. From here, cyber criminals can siphon off sensitive data, escalate their access, and in some cases sell this access on to ransomware groups," he added.  

In order to protect users from attacks by RATDispenser and the malware it drops, researchers recommend that network administrators audit which email attachment file types are allowed by their email gateway and blocking execuatables that aren't needed – such as JavaScript or VBScript.


Editorial standards