All of the payloads were identified as RATs, which steal information and give attackers control over victims' devices.
In most of the attacks, RATDispenser was used to gain initial access before launching secondary malware to establish control over the device.
In 94% of the analyzed samples, RATDispenser was used as a dropper, meaning it does not communicate over the network to deliver the malicious payload: the payload is carried inside the file rather than fetched from a remote server.
The infection chain
The cmd[.]exe process is launched with a long, chained argument and uses echo commands to write parts of that argument to a new file, which is a VBScript. The VBScript file then runs and downloads the malware payload.
If the malware payload is successfully downloaded, it is executed and the VBScript file is removed.
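The chain above leaves a recognisable trace in process-creation telemetry: a single cmd.exe command line that echoes fragments into a script file, runs that file with a script host, and deletes it. The following detection logic is an added example written for this page, not code from the original report; the log format, the sample events and the assumption that the parent process is a script host (wscript.exe running the initial loader) are all constructed.

```python
import re
from dataclasses import dataclass, field

# Constructed process-creation events (not real telemetry):
# timestamp | parent image | image | command line
SAMPLE_EVENTS = r"""
2021-11-23T10:01:02 | wscript.exe | cmd.exe | cmd.exe /c echo Set o = CreateObject("WScript.Shell") > %TEMP%\a.vbs & echo o.Run "x" >> %TEMP%\a.vbs & wscript.exe %TEMP%\a.vbs & del %TEMP%\a.vbs
2021-11-23T10:05:17 | explorer.exe | cmd.exe | cmd.exe /c echo hello > C:\Users\u\note.txt
2021-11-23T10:07:41 | services.exe | cmd.exe | cmd.exe /c dir C:\
"""

SCRIPT_EXT = r"(?:vbs|vbe|jse|js|wsf)"
# "echo ... > file.vbs" or ">> file.vbs": a script written piece by piece
ECHO_TO_SCRIPT = re.compile(r'echo\b[^&|]*?>{1,2}\s*"?([^\s"&|]+\.' + SCRIPT_EXT + r")", re.I)
# wscript/cscript invoked on a file (optional //flags), and del/erase of a file
SCRIPT_HOST = re.compile(r'(?:^|[\s&|])[wc]script(?:\.exe)?\s+(?://\S+\s+)*"?([^\s"&|]+)', re.I)
DELETE = re.compile(r'\b(?:del|erase)\s+(?:/\S+\s+)*"?([^\s"&|]+)', re.I)
CHAIN = re.compile(r"\s(?:&{1,2}|\|\|?)\s")  # &, &&, |, || separators

@dataclass
class Finding:
    timestamp: str
    parent: str
    dropped_files: list
    indicators: list = field(default_factory=list)

def analyse_event(line):
    """Return a Finding for a cmd.exe event that writes a script via echo, else None."""
    parts = [p.strip() for p in line.split(" | ", 3)]
    if len(parts) != 4 or parts[2].lower() != "cmd.exe":
        return None
    ts, parent, _, cmd = parts
    targets = {m.group(1).lower() for m in ECHO_TO_SCRIPT.finditer(cmd)}
    if not targets:
        return None
    f = Finding(ts, parent, sorted(targets), ["echo_writes_script_file"])
    if len(CHAIN.findall(cmd)) + 1 >= 3:           # long chained argument
        f.indicators.append("long_chained_command")
    m = SCRIPT_HOST.search(cmd)
    if m and m.group(1).lower() in targets:         # the written file is executed
        f.indicators.append("script_host_runs_dropped_file")
    m = DELETE.search(cmd)
    if m and m.group(1).lower() in targets:         # the written file is cleaned up
        f.indicators.append("dropped_file_deleted")
    if parent.lower() in ("wscript.exe", "cscript.exe"):
        f.indicators.append("parent_is_script_host")
    return f

def analyse_log(text):
    """Run analyse_event over every line of a log and keep the hits."""
    return [f for f in map(analyse_event, text.strip().splitlines()) if f]

if __name__ == "__main__":
    for f in analyse_log(SAMPLE_EVENTS):
        print(f.timestamp, f.parent, f.dropped_files, f.indicators)
```

Only the first constructed event trips every indicator; a plain echo to a text file or an ordinary dir command is left alone, which keeps the rule usable on busy endpoints.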
RATDispenser is believed to be offered as malware-as-a-service (MaaS) and has been observed delivering multiple malware families. Organizations are therefore advised to deploy reliable anti-malware and anti-phishing solutions along with network firewalls, and to stay alert to suspicious emails.