Home > Cyber News > Phishing Attacks Are Spreading WSH RAT, Houdini’s New Version

Phishing Attacks Are Spreading WSH RAT, Houdini’s New Version

The dangerous Houdini worm has been transformed into a new variant dubbed WSH Remote Access Tool (RAT). More specifically, the new malware is an iteration of the VBS-based Houdini also known as H-Worm, which first appeared back in 2013.

The WSH RAT is currently targeting commercial banking customers via malicious phishing campaigns containing URLs, .zip or .mht files.

According to a report by Cofense researchers, the RAT was released on June 2, and it has been actively distributed in the wild.

The new Houdini’s variant comes ported to JavaScript from HWorm’s original codebase of Visual Basic, the report said. It appears that WSH may be a reference to the legitimate Windows Script Host, the application used to execute scripts on Windows systems.

WSH Remote Access Tool: Capabilities

Shortly said, the malware can be used in data-stealing attacks that aim to harvest passwords from web browsers and email clients. Other capabilities include remote control over compromised machines, uploading, downloading and executing of files, and executing various scripts and commands.

The WSH RAT also has built-in keylogging capabilities and can disable anti-malware protection and the Windows UAC. These activities can be performed simultaneously on all compromised hosts via issuing batch commands. The current price of the RAT is $50 for a monthly subscription.

Related: [wplinkpreview url=”https://sensorstechforum.com/phishing-emails-100-percent-click-rate/”]Some Phishing Emails Have a Nearly 100 Percent Click Rate

In terms of execution, WSH RAT behaves in the same way as Hworm, “down to its use of mangled Base64 encoded data“, and it’s even utilizing the same configuration structure that Hworm uses for this process.

In addition, the RAT’s configuration is an exact copy of the Hworm’s configuration. Even the default names of the default variables haven’t been altered.

In the campaigns that were analyzed by Cofense, the downloaded files had the .tar.gz extension but were in fact PE32 executable files. The three downloaded executables included a keylogger, a mail credential viewer, and a browser credential viewer. It’s noteworthy that these three modules are taken from third parties and are not created by the WSH RAT’s operators.

The latest Houdini iteration shows how easy it is to purchase malware and use it in actual attacks. “With a small investment in cheap command and control infrastructure and an easy-to-purchase malware-as-a-service, a threat actor with otherwise limited capabilities can knock on the door of a large financial company’s network in no time,” the researchers concluded.

Milena Dimitrova

An inspired writer and content manager who has been with SensorsTechForum since the project started. A professional with 10+ years of experience in creating engaging content. Focused on user privacy and malware development, she strongly believes in a world where cybersecurity plays a central role. If common sense makes no sense, she will be there to take notes. Those notes may later turn into articles! Follow Milena @Milenyim

More Posts

Follow Me:

Leave a Comment

Your email address will not be published. Required fields are marked *

This website uses cookies to improve user experience. By using our website you consent to all cookies in accordance with our Privacy Policy.
I Agree