Researchers at the Cofense Phishing Defence Center have detected a new phishing campaign aimed at commercial banking customers that delivers a new variant of the Houdini worm, tracked as WSH remote access trojan (RAT).
Houdini Worm (HWorm) has existed since at least 2013 and shares similarities with the njRAT and njWorm malware. WSH RAT is essentially identical to HWorm, and its name is likely a reference to the legitimate Windows Script Host (the Windows component used to execute scripts such as VBScript and JScript).
“This new variant is named WSH Remote Access Tool (RAT) by the malware’s author and was released on June 2, 2019. Within five days, WSH RAT was observed being actively distributed via phishing,” wrote the researchers.
The phishing email contains an MHT file that includes an href link which, once opened, directs the victim to a .zip archive containing a copy of WSH RAT.
Once connected to its command and control server, the RAT downloads and installs three additional payloads served with a .tar.gz extension that are actually PE32 executable files. The three downloaded payloads are a keylogger, a mail credential viewer, and a browser credential viewer. All of these modules were created by third parties and were not developed by the WSH RAT operator.
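The mismatch described above, a file named .tar.gz that is really a PE executable, is something a download-inspection or sandbox pipeline can flag from the first bytes alone. The following is an added example (not code from the Cofense write-up or from the malware): it checks the magic bytes of a file against what its extension claims, following the DOS header's e_lfanew pointer to confirm the PE signature. The file names and byte contents are constructed for the demo.

```python
"""Flag files whose extension claims a gzip archive but whose bytes are a PE file.

Added example, not part of the Cofense article. Sample names and contents are
constructed; the check itself only relies on the documented PE/gzip layouts.
"""
import gzip
import io
import struct

PE_MAGIC = b"MZ"            # DOS header signature at offset 0 of every PE file
GZIP_MAGIC = b"\x1f\x8b"    # first two bytes of a gzip member
ARCHIVE_EXTS = (".tar.gz", ".tgz", ".gz")


def pe_header_offset(data: bytes):
    """Return e_lfanew if data is a PE image (MZ stub + 'PE\\0\\0' signature), else None."""
    if len(data) < 0x40 or data[:2] != PE_MAGIC:
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00":
        return e_lfanew
    return None


def classify(name: str, data: bytes) -> str:
    """Compare the extension's claim with the content.

    Returns 'pe_masquerading_as_archive' when an archive-named file is a PE image,
    'ok' when the magic matches the extension, and 'unknown' otherwise.
    """
    claims_archive = name.lower().endswith(ARCHIVE_EXTS)
    is_pe = pe_header_offset(data) is not None
    if claims_archive and is_pe:
        return "pe_masquerading_as_archive"
    if claims_archive and data[:2] == GZIP_MAGIC:
        return "ok"
    if not claims_archive and is_pe:
        return "ok"          # an executable that does not hide its nature
    return "unknown"


def build_fake_pe() -> bytes:
    """Construct a minimal blob: DOS header whose e_lfanew points at a PE signature."""
    hdr = bytearray(0x40)
    hdr[:2] = PE_MAGIC
    struct.pack_into("<I", hdr, 0x3C, 0x40)   # e_lfanew = 0x40
    return bytes(hdr) + b"PE\x00\x00" + b"\x00" * 20


def build_real_gzip() -> bytes:
    """Construct a genuine gzip stream for the 'benign' sample."""
    buf = io.BytesIO()
    with gzip.GzipFile(fileobj=buf, mode="wb") as f:
        f.write(b"hello")
    return buf.getvalue()


# Constructed samples: the first mimics the article's *.tar.gz-named PE payloads.
SAMPLES = {
    "payload.tar.gz": build_fake_pe(),
    "update.tar.gz": build_real_gzip(),
}


def scan(samples=SAMPLES) -> dict:
    """Classify every sample; returns {name: verdict}."""
    return {name: classify(name, data) for name, data in samples.items()}


if __name__ == "__main__":
    for name, verdict in scan().items():
        print(f"{name}: {verdict}")
```

The check deliberately requires the 'PE\0\0' signature rather than just "MZ", so a stray two-byte coincidence in a real archive does not produce a false positive; a gzip stream can never start with 0x4D5A anyway, but the stricter test costs nothing.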
According to the researchers, WSH RAT is being actively promoted on dark web forums. The malware authors are currently selling the RAT under a subscription-based model, with all features unlocked for customers willing to pay $50 per month.
WSH RAT can steal passwords from victims' web browsers and email clients, control targets' computers remotely, upload/download/execute files, and execute remote scripts and commands. The malware is also able to function as a keylogger, to kill anti-malware solutions and disable the Windows UAC.
“This re-hash of Hworm proves that threat operators are willing to re-use techniques that still work in today’s IT environment. The phishing campaign that delivered the .zip containing a MHT file was able to bypass the Symantec Messaging Gateway’s virus and spam checks,” said the researchers.
Indicators of compromise (IOC):
URL
hxxp://elcisneblanco[.]com/tmp/banking/details/bank[.]php
hxxp://futuroformacion[.]es/moodle/calendar/amd/BANK DETAILS CONFIRMATION_PDF[.]zip
hxxp://doughnut-snack[.]live/klplu[.]tar[.]gz
hxxp://doughnut-snack[.]live/bpvpl[.]tar[.]gz
hxxp://doughnut-snack[.]live/mapv[.]tar[.]gz
hxxp://www.tcoolsoul[.]com:1765/is-ready
hxxp://brothersjoy[.]nl
hxxp://savelifes[.]tech
IP
192[.]185[.]26[.]103
192[.]185[.]163[.]240
23[.]105[.]131[.]191
23[.]105[.]131[.]225
185[.]247[.]228[.]49
MD5
986ffeb04fa5e01dd03b38bdd379ab51
266788057a7100afb9f123531b07282d
5a2b62b657782f37eb0f7c27064cffa9
977e42c09f7f98cfdcbf28ab2c460190
7099a939fa30d939ccceb2f0597b19ed
3a6b304e0a3dc91cac8892446826ffcc
c4c6fe64765bc68c0d6fcaf2765b5319
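To make the indicators above usable, a defender typically refangs them (hxxp back to http, [.] back to .) and sweeps proxy or firewall logs for the hosts and IPs. The following is an added example, not part of the Cofense write-up: it refangs the URL and IP indicators listed on this page and matches them against a few constructed proxy log lines. The log format assumed here (timestamp, client IP, destination IP, method, URL) is an assumption for the demo; real proxies differ, so the regex would need adjusting.

```python
"""Refang the article's defanged network IOCs and sweep proxy log lines for hits.

Added example, not part of the Cofense article. The IOC values are the ones
listed on the page; the log lines and the log format are constructed.
"""
import re
from urllib.parse import urlsplit

DEFANGED_URLS = [
    "hxxp://elcisneblanco[.]com/tmp/banking/details/bank[.]php",
    "hxxp://futuroformacion[.]es/moodle/calendar/amd/BANK DETAILS CONFIRMATION_PDF[.]zip",
    "hxxp://doughnut-snack[.]live/klplu[.]tar[.]gz",
    "hxxp://doughnut-snack[.]live/bpvpl[.]tar[.]gz",
    "hxxp://doughnut-snack[.]live/mapv[.]tar[.]gz",
    "hxxp://www.tcoolsoul[.]com:1765/is-ready",
    "hxxp://brothersjoy[.]nl",
    "hxxp://savelifes[.]tech",
]
DEFANGED_IPS = [
    "192[.]185[.]26[.]103",
    "192[.]185[.]163[.]240",
    "23[.]105[.]131[.]191",
    "23[.]105[.]131[.]225",
    "185[.]247[.]228[.]49",
]


def refang(ioc: str) -> str:
    """Undo the usual defanging: leading hxxp -> http, [.] -> ."""
    return re.sub(r"^hxxp", "http", ioc, flags=re.I).replace("[.]", ".")


def ioc_hosts(urls) -> set:
    """Lower-cased hostnames (port stripped) of the refanged IOC URLs."""
    hosts = set()
    for u in urls:
        host = urlsplit(refang(u)).hostname
        if host:
            hosts.add(host.lower())
    return hosts


IOC_HOSTS = ioc_hosts(DEFANGED_URLS)
IOC_IPS = {refang(ip) for ip in DEFANGED_IPS}

# Assumed log layout: "<ts> <client_ip> <dest_ip> <METHOD> <url>"
LOG_LINE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) (?P<dst>\S+) (?P<method>[A-Z]+) (?P<url>\S+)")


def match_line(line: str):
    """Return ('host'|'ip', value) for the first IOC hit on a log line, else None."""
    m = LOG_LINE.match(line)
    if not m:
        return None
    host = urlsplit(m["url"]).hostname
    if host and (host.lower() in IOC_HOSTS or host in IOC_IPS):
        return ("host", host.lower())
    if m["dst"] in IOC_IPS:
        return ("ip", m["dst"])
    return None


# Constructed log lines: one benign request, two to IOC hosts, one to an IOC IP
# via a host name that is not itself listed.
SAMPLE_LOG = """\
2019-06-10T09:12:01Z 10.0.0.5 93.184.216.34 GET http://example.com/index.html
2019-06-10T09:12:44Z 10.0.0.7 192.185.26.103 GET http://www.tcoolsoul.com:1765/is-ready
2019-06-10T09:13:02Z 10.0.0.7 192.185.26.103 GET http://doughnut-snack.live/klplu.tar.gz
2019-06-10T09:13:20Z 10.0.0.9 23.105.131.191 POST http://unknown-host.example/upload
"""


def scan_log(text: str = SAMPLE_LOG) -> list:
    """Return [(line_no, kind, value)] for every line that hits an IOC."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        hit = match_line(line)
        if hit:
            hits.append((n, *hit))
    return hits


if __name__ == "__main__":
    for n, kind, value in scan_log():
        print(f"line {n}: {kind} IOC {value}")
```

Matching on the hostname rather than the full URL is deliberate: the C2 path (/is-ready) and payload names can change between samples, while the domains and IPs in the list are the parts worth alerting on, and the destination-IP check catches connections that reach a listed address through a host name not on the list.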
A more detailed write-up can be found here.