Cybercriminals have been observed using an evasive JavaScript loader called RATDispenser to spread eight different malware.

Diving into the details

HP Threat Research alleged that the actors behind RATDispenser are possibly operating as a Malware-as-a-Service (MaaS) model, delivering eight malware families.
  • The delivered malware families include STRRAT, WSHRAT, AdWind, Formbook, Remcos, Panda Stealer, GuLoader, and Ratty.
  • All of the payloads were spotted as RATs, stealing information and allowing attackers to control the devices of victims.
  • In most of the attacks, RATDispenser was used to gain initial access before launching secondary malware to establish control over the device.
  • In 94% of analyzed samples, RATDispenser is being used as a dropper, indicating it doesn’t communicate over the network to spread a malicious payload.

The infection chain

The infection chain starts with a user receiving an email laden with a malicious attachment. For example, a JavaScript file (.js) disguised as a text file and containing information regarding an order.
  • If a user tries to open the file by double-clicking, the malware gets executed. Then, JavaScript decodes itself and writes a VBScript file in the %TEMP% folder with the use of cmd[.]exe at runtime. 
  • The cmd[.]exe process allows a long and chained argument. It then uses the echo function to write parts of this to a new file. Subsequently, the VBScript file runs and downloads the malware payload. 
  • If the malware payload is successfully downloaded, it is executed and the VBScript file is removed.


RATDispenser is believed to be offered as MaaS and has been observed delivering multiple types of malware. Hence, organizations are suggested to deploy reliable anti-malware and anti-phishing solutions, along with network firewalls. Moreover, always stay alert regarding suspicious emails.
Cyware Publisher