“It’s particularly concerning to see RATDispenser only being detected by about 11% of antivirus systems, resulting in this stealthy malware successfully deploying on victims’ endpoints in most cases,” noted Patrick Schlapfer, Malware Analyst at HP.
Schlapfer adds that RATs and keyloggers assist attackers gain backdoor access to infected computers. The actors then usually use the access to help siphon credentials for user accounts, and increasingly cryptocurrency wallets, and in some cases might even hawk the access on to ransomware operators.
Further research revealed that there were at least three different RATDispenser variants over the last three months for a total of 155 samples. While a majority of these samples were droppers, ten were downloaders that communicated over the network to fetch a secondary stage of malware.
“The variety in malware families, many of which can be purchased or downloaded freely from underground marketplaces, and the preference of the malware operators to drop their payloads, suggest that the authors of RATDispenser may be operating under a malware-as-a-service business model,” believe the researchers.