In this report we:
- Analyze the infection chain of RATDispenser and suggest detection opportunities for detecting and blocking the malware
- Describe how RATDispenser is obfuscated
- Discuss the malware families distributed by RATDispenser
- Share a YARA rule and a Python extraction script so that network defenders can detect and analyze this malware
Figure 1 – Email delivering RATDispenser as an attachment.
Figure 2 – Process execution graph showing chained command line argument.
Afterwards, the VBScript file runs, which in turn downloads the malware payload. If it was downloaded successfully, it is executed, and the VBScript file is deleted.
Figure 4 – Deobfuscation function using regular expression replacement.
To decode the string shown in Figure 3, three arguments (A, u, F) are passed to the function. The decoded string is Base64 encoded which can simply be decoded to analyze it in more detail. By creating and writing an ActiveX Data Stream Object this sequence is decoded and executed using an eval statement. The newly decoded second stage code looks as follows (Figure 5).
The most notable part of this sequence are the hex characters stored in a nested array, which is used as another layer of obfuscation. Using an ActiveX object, a shell application instance is created, passing a long, chained argument. By simply adding line breaks after the & characters, we can reformat the command line argument into a readable format.
Figure 6 – Command line arguments passed to cmd.exe.
The first parts of the command line argument are used to write lines to a VBScript file using an echo function. This file is then executed, resulting in a download through an XMLHTTP object. The response to the GET request – the malware payload – is written to a file called YVC.JAR. The VBScript file is then deleted. Afterwards, the cmd.exe process waits 12 seconds, before running the payload.
We have seen RATDispenser distribute eight malware families. In the example above, it delivered Formbook, a keylogger and information stealer. To analyze which malware families the loader is spreading, we wrote a signature to track sightings in the wild. Its obfuscation made this task more complicated than usual. The malware splits strings using the replace function, stores them in nested arrays, and interprets and executes commands using eval functions, so it is difficult to find consistent patterns in them. In addition, we wrote a YARA rule (Figure 7) to understand the dispersion of malware families.
Figure 7 – YARA rule to detect RATDispenser.
Running a retrohunt over the last three months with this YARA rule identified 155 RATDispenser samples. Within those samples we noticed three variants. One of the variants we described above. The two other variants are a PowerShell downloader and a dropper which stores the payload as a Base64-encoded string and therefore does not perform any network requests.
We also wrote a Python script that recovers the final payload and identifies the malware family and RATDispenser variant. Analyzing the 155 malware samples with our script found:
- 145 of the 155 samples (94%) were droppers. Only 10 samples were downloaders that communicate over the network to download a secondary stage of malware
- 8 families malware delivered as payloads
- All the payloads were remote access Trojans (RATs), keyloggers and information stealers
Figure 8 – Malware families distributed by RATDispenser.
By far the most frequently observed malware families were STRRAT and WSHRAT, accounting for 81% of the samples we analyzed. First seen in mid-2020, STRRAT is a Java RAT that has remote access, credential stealing and keylogging features. WSHRAT, also known as Houdini, is a VBS RAT first seen in 2013 that also has typical RAT capabilities. Slightly less common were AdWind, Formbook, Remcos and Panda Stealer.
The most interesting among them is Panda Stealer. First seen in April 2021, this is a new malware family that targets cryptocurrency wallets. The Panda Stealer sample we analyzed were all fileless variants that download additional payloads from a text storage site, paste.ee. The least common families were GuLoader and Ratty. GuLoader is a downloader known for downloading and running various RATs, while Ratty is an open-source RAT written in Java.
Figure 9 – Overview of RATDispenser variants and the malware families they delivered.
Indicators of Compromise
You can find the full set of hashes, URLs, YARA rule and extraction script in the HP Threat Research GitHub repository.
00853f4f702bf8a3c82edbd1892c19aaa612f03d4541625068c01d0f56d4415b : RatLoader -> Formbook
026b19fdc75b76cd696be8a3447a5d23a944a7f99000e7fae1fa3f6148913ff3 : RatDropper -> STRRAT
0383ab1a08d615632f615aa3c3c49f3b745df5db1fbaba9f9911c1e30aabb0a5 : RatDropper -> WSHRAT
094ddd437277579bf1c6d593ce40012222d8cea094159081cb9d8dc28a928b5a : RatDropper -> AdWind
2f9a0a3e221a74f1829eb643c472c3cc81ddf2dc0bed6eb2795b4f5c0d444bc9 : RatDropper -> RemcosRAT
942224cb4b458681cd9d9566795499929b3cedb7b4e6634c2b24cd1bf233b19a : RatLoader -> Panda Stealer
b42c6b4dd02bc3542a96fffe21c0ab2ae21ddba4fef035a681b5a454607f6e92 : RatDropper -> GuLoader