18 June 2019

New variant of Houdini worm targets bank customers with keyloggers and infostealers

Researchers at the Cofense Phishing Defence Center have detected a new phishing campaign aimed at commercial banking customers that delivers a new variant of the Houdini worm, tracked as WSH remote access trojan (RAT).

Houdini Worm (HWorm) has existed since at least 2013 and shares similarities with the njRAT and njWorm malware families. WSH RAT is essentially identical to H-Worm; its name is most likely a reference to Windows Script Host, the legitimate Windows component that runs VBScript and JScript files.

“This new variant is named WSH Remote Access Tool (RAT) by the malware’s author and was released on June 2, 2019. Within five days, WSH RAT was observed being actively distributed via phishing,” wrote the researchers.

The phishing email carries an MHT file containing an href link which, once opened, directs the victim to a .zip archive that holds a copy of WSH RAT.

Once it connects to its command-and-control server, the RAT downloads and installs three additional payloads served with a .tar.gz extension; the files are in fact PE32 executables, not archives. The three payloads are a keylogger, a mail credential viewer and a browser credential viewer, all of them third-party tools rather than code written by the WSH RAT author.
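The extension-versus-content mismatch described above is cheap to catch at a proxy or in a sandbox: inspect the bytes, not the name. The following is an added example, not code from Cofense or from the malware. It sniffs file signatures (gzip starts with 1f 8b; a PE file starts with the DOS "MZ" header and carries a "PE\0\0" signature at the offset stored in e_lfanew, DOS header offset 0x3c). The sample blobs are constructed inline: a minimal PE-shaped header filed under the klplu.tar.gz name taken from the IOC list, and a genuine gzip stream.

```python
"""
Added example (not Cofense's or the malware's code): catch payloads that are
named like archives but are really PE32 executables, as described above.
The sample blobs are constructed inline; nothing is downloaded.
"""
import gzip
import struct

GZIP_MAGIC = b"\x1f\x8b"        # every gzip stream starts with these two bytes
DOS_MAGIC = b"MZ"               # DOS header that opens every PE file
PE_SIGNATURE = b"PE\x00\x00"    # found at the offset stored in e_lfanew (DOS header +0x3c)


def real_type(data: bytes) -> str:
    """Classify a blob by its header bytes, ignoring whatever name it arrived under."""
    if data.startswith(GZIP_MAGIC):
        return "gzip"
    if data.startswith(DOS_MAGIC):
        if len(data) >= 0x40:
            pe_off = struct.unpack_from("<I", data, 0x3C)[0]
            if data[pe_off:pe_off + 4] == PE_SIGNATURE:
                return "pe"
        return "mz-stub"        # MZ header without a valid PE signature
    return "unknown"


def is_disguised_executable(name: str, data: bytes) -> bool:
    """True when the filename claims an archive but the bytes are a Windows executable."""
    archive_exts = (".tar.gz", ".tgz", ".gz", ".zip")
    return name.lower().endswith(archive_exts) and real_type(data) in ("pe", "mz-stub")


def fake_pe() -> bytes:
    """Build a minimal PE-shaped header for the demo (a valid layout, not a runnable program)."""
    dos = bytearray(0x40)
    dos[0:2] = DOS_MAGIC
    struct.pack_into("<I", dos, 0x3C, 0x40)           # e_lfanew: PE signature right after the DOS header
    return bytes(dos) + PE_SIGNATURE + b"\x4c\x01"    # machine = IMAGE_FILE_MACHINE_I386


# Constructed samples: the first reuses a payload name from the IOC list with fake PE bytes,
# the second is a genuine (tiny) gzip stream.
SAMPLES = {
    "klplu.tar.gz": fake_pe(),
    "legit.tar.gz": gzip.compress(b"real tarball bytes"),
}


def scan(samples: dict = SAMPLES) -> list:
    """Return the names whose content type contradicts their extension."""
    return sorted(name for name, blob in samples.items() if is_disguised_executable(name, blob))


if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        print(f"{name}: {real_type(blob)}")
    print("disguised:", scan())
```

Apply the check to the HTTP response body regardless of the Content-Type header, since the server controls both the name and the header. A payload could also be wrapped in a genuine gzip stream to pass this check, so a real pipeline should decompress archives and classify what is inside as well.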

According to the researchers, WSH RAT is being actively marketed on dark web forums. The authors sell it under a subscription model, with all features unlocked for customers willing to pay $50 per month.

WSH RAT can steal passwords from the victim's web browsers and email clients, remotely control the infected machine, upload, download and execute files, and run remote scripts and commands. It can also log keystrokes, kill anti-malware products and disable Windows User Account Control (UAC).

“This re-hash of Hworm proves that threat operators are willing to re-use techniques that still work in today’s IT environment. The phishing campaign that delivered the .zip containing an MHT file was able to bypass the Symantec Messaging Gateway’s virus and spam checks,” said the researchers.

Indicators of compromise (IOC):

URL
hxxp://elcisneblanco[.]com/tmp/banking/details/bank[.]php
hxxp://futuroformacion[.]es/moodle/calendar/amd/BANK DETAILS CONFIRMATION_PDF[.]zip
hxxp://doughnut-snack[.]live/klplu[.]tar[.]gz
hxxp://doughnut-snack[.]live/bpvpl[.]tar[.]gz
hxxp://doughnut-snack[.]live/mapv[.]tar[.]gz
hxxp://www.tcoolsoul[.]com:1765/is-ready
hxxp://brothersjoy[.]nl
hxxp://savelifes[.]tech


IP
192[.]185[.]26[.]103
192[.]185[.]163[.]240
23[.]105[.]131[.]191
23[.]105[.]131[.]225
185[.]247[.]228[.]49

MD5
986ffeb04fa5e01dd03b38bdd379ab51
266788057a7100afb9f123531b07282d
5a2b62b657782f37eb0f7c27064cffa9
977e42c09f7f98cfdcbf28ab2c460190
7099a939fa30d939ccceb2f0597b19ed
3a6b304e0a3dc91cac8892446826ffcc
c4c6fe64765bc68c0d6fcaf2765b5319
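The indicators above are defanged (hxxp, [.]) and one of the URLs contains literal spaces, so they cannot simply be split on whitespace and grepped. The following is an added example, not part of the Cofense write-up: it refangs a subset of the IOCs listed above, buckets them by type, and matches them against proxy and AV log lines. The log lines are constructed for the demo, and percent-encoded paths are decoded before matching so the URL with spaces is still found.

```python
"""
Added example (not from the Cofense write-up): refang the defanged IOCs
published above and match them against proxy / AV log lines.
The IOC subset is copied from the list above; the log lines are constructed.
"""
import re
from urllib.parse import unquote

# Subset of the page's IOCs, kept in their defanged form.
DEFANGED_IOCS = """
hxxp://futuroformacion[.]es/moodle/calendar/amd/BANK DETAILS CONFIRMATION_PDF[.]zip
hxxp://doughnut-snack[.]live/klplu[.]tar[.]gz
hxxp://www.tcoolsoul[.]com:1765/is-ready
hxxp://brothersjoy[.]nl
192[.]185[.]26[.]103
185[.]247[.]228[.]49
986ffeb04fa5e01dd03b38bdd379ab51
"""

# Constructed log lines: proxy access records plus one AV file event.
SAMPLE_LOGS = [
    "1560800000 10.0.0.5 GET http://www.tcoolsoul.com:1765/is-ready 200",
    "1560800010 10.0.0.5 GET http://futuroformacion.es/moodle/calendar/amd/BANK%20DETAILS%20CONFIRMATION_PDF.zip 200",
    "1560800020 10.0.0.5 GET http://doughnut-snack.live/klplu.tar.gz 200",
    "1560800030 10.0.0.7 GET http://example.org/index.html 200",
    "1560800040 10.0.0.9 CONNECT 185.247.228.49:443 -",
    "1560800050 10.0.0.5 av_event file=klplu.tar.gz md5=986ffeb04fa5e01dd03b38bdd379ab51",
]


def refang(ioc: str) -> str:
    """Undo the defanging conventions used in the list (hxxp, [.])."""
    return (ioc.strip()
            .replace("hxxps://", "https://")
            .replace("hxxp://", "http://")
            .replace("[.]", "."))


def classify(ioc: str) -> str:
    """Bucket a refanged indicator by type; order matters (hash, then IP, then URL)."""
    if re.fullmatch(r"[0-9a-f]{32}", ioc):
        return "md5"
    if re.fullmatch(r"\d{1,3}(?:\.\d{1,3}){3}", ioc):
        return "ip"
    if ioc.startswith(("http://", "https://")):
        return "url"
    return "domain"


def load_iocs(text: str = DEFANGED_IOCS) -> dict:
    """Parse one indicator per line (URLs may contain spaces, so never split on whitespace)."""
    iocs = {"md5": set(), "ip": set(), "url": set(), "domain": set()}
    for line in text.splitlines():
        if not line.strip():
            continue
        ioc = refang(line)
        kind = classify(ioc)
        iocs[kind].add(ioc if kind == "url" else ioc.lower())
        if kind == "url":
            # Also index the host so a different path on the same C2 still triggers.
            iocs["domain"].add(re.match(r"https?://([^/:]+)", ioc).group(1).lower())
    return iocs


def match_line(line: str, iocs: dict) -> list:
    """Return (type, indicator) pairs found in one log line."""
    hits = []
    low = unquote(line).lower()   # proxies log spaces as %20; the IOC has literal spaces
    for url in iocs["url"]:
        if url.lower() in low:
            hits.append(("url", url))
    for dom in iocs["domain"]:
        # Anchor on non-hostname characters so 'evil-doughnut-snack.live' is not a hit.
        if re.search(r"(?<![\w.-])" + re.escape(dom) + r"(?![\w.-])", low):
            hits.append(("domain", dom))
    for ip in iocs["ip"]:
        if re.search(r"(?<![\d.])" + re.escape(ip) + r"(?![\d.])", low):
            hits.append(("ip", ip))
    for h in iocs["md5"]:
        if h in low:
            hits.append(("md5", h))
    return hits


def scan(lines: list = SAMPLE_LOGS, text: str = DEFANGED_IOCS) -> dict:
    """Map line index -> hits for every line that matched at least one indicator."""
    iocs = load_iocs(text)
    results = {}
    for i, line in enumerate(lines):
        hits = match_line(line, iocs)
        if hits:
            results[i] = hits
    return results


if __name__ == "__main__":
    for idx, hits in scan().items():
        print(idx, hits)
```

Indexing the host of every URL indicator separately is deliberate: the C2 check-in path and the payload names can change between builds, while the hosting domain tends to be reused, so a host-only hit is still worth a look even when the full URL no longer matches.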

A more detailed write-up is available from Cofense.
