The loader is highly evasive: at the time of the analysis it had only an 11% detection rate on VirusTotal. HP experts confirmed that it was employed to distribute at least eight RAT families during 2021 (STRRAT, WSHRAT, AdWind, Formbook, Remcos, Panda Stealer, GuLoader, and Ratty). The experts believe that the threat actors behind RATDispenser may be operating a malware-as-a-service model.
HP researchers ran a retrohunt over the last three months with this YARA rule and identified 155 RATDispenser samples belonging to three different variants. The experts also wrote a Python script to recover the final payload and discovered that:
STRRAT and WSHRAT accounted for 81% of the samples analyzed by the researchers.
HP researchers published a set of hashes, URLs, the YARA rule, and the extraction script in the HP Threat Research GitHub repository.
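The workflow the article describes (a YARA-style rule run over a corpus of samples, hashes recorded for each hit, and the share of each family among the matches tallied) can be sketched in a few lines of Python. The script below is an added example written for this page; it is not HP's rule or extraction script, and the rule strings, rule names and sample files are constructed placeholders rather than RATDispenser signatures. It implements a simplified "all of the strings must occur" condition instead of calling a real YARA engine, so it runs offline without yara-python.

```python
"""Offline retrohunt sketch: scan a directory with simple string rules,
record the SHA-256 of every hit, and tally family share among the matches.
Added example for illustration; rules and samples are constructed, not real."""
import hashlib
import os
import tempfile
from collections import Counter

# Hypothetical rules: name -> byte strings that must ALL occur in the file
# (a simplification of YARA's "all of them" condition).
RULES = {
    "Family_A_loader": [b"MARKER_A", b"eval("],
    "Family_B_loader": [b"MARKER_B"],
}


def match_rules(data: bytes, rules=RULES):
    """Return the names of every rule whose strings all occur in data."""
    return [name for name, strings in rules.items()
            if all(s in data for s in strings)]


def sha256_hex(data: bytes) -> str:
    """Hash a sample so hits can be shared as indicators."""
    return hashlib.sha256(data).hexdigest()


def retrohunt(directory, rules=RULES):
    """Scan every regular file under directory.

    Returns (matches, share): matches is a list of (sha256, filename, rules hit),
    share maps each rule name to its percentage of the matched files."""
    matches = []
    for root, _dirs, files in os.walk(directory):
        for fn in sorted(files):
            with open(os.path.join(root, fn), "rb") as fh:
                data = fh.read()
            hits = match_rules(data, rules)
            if hits:
                matches.append((sha256_hex(data), fn, hits))
    tally = Counter(name for _h, _f, hits in matches for name in hits)
    total = len(matches)
    # A sample matching two rules counts towards both, so shares may exceed 100%.
    share = ({name: round(100.0 * n / total, 1) for name, n in tally.items()}
             if total else {})
    return matches, share


def write_constructed_corpus(directory):
    """Write a few constructed text files (not malware) to scan in the demo."""
    samples = {
        "s1.js": b"var x = 'MARKER_A'; eval(x);",
        "s2.js": b"MARKER_A only, no call",          # partial match: no hit
        "s3.js": b"MARKER_B payload stub",
        "s4.js": b"MARKER_A eval( MARKER_B",          # hits both rules
        "s5.txt": b"benign text",
    }
    for fn, data in samples.items():
        with open(os.path.join(directory, fn), "wb") as fh:
            fh.write(data)
    return list(samples)


def demo():
    """Build the constructed corpus in a temp dir and retrohunt it."""
    with tempfile.TemporaryDirectory() as d:
        write_constructed_corpus(d)
        return retrohunt(d)


if __name__ == "__main__":
    matches, share = demo()
    for digest, fn, hits in matches:
        print(digest[:16], fn, hits)
    print(share)
```

Swapping the toy matcher for `yara.compile()` / `rules.match(data=...)` from yara-python would turn this into a real rule scan while keeping the hashing and tally logic unchanged.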
(SecurityAffairs – hacking, RATDispenser)