The dangerous Houdini worm has been transformed into a new variant dubbed WSH Remote Access Tool (RAT). More specifically, the new malware is an iteration of the VBS-based Houdini also known as H-Worm, which first appeared back in 2013.
The WSH RAT is currently targeting commercial banking customers via malicious phishing campaigns containing URLs, .zip or .mht files.
According to a report by Cofense researchers, the RAT was released on June 2, and it has been actively distributed in the wild.
WSH Remote Access Tool: Capabilities
Shortly said, the malware can be used in data-stealing attacks that aim to harvest passwords from web browsers and email clients. Other capabilities include remote control over compromised machines, uploading, downloading and executing of files, and executing various scripts and commands.
The WSH RAT also has built-in keylogging capabilities and can disable anti-malware protection and the Windows UAC. These activities can be performed simultaneously on all compromised hosts via issuing batch commands. The current price of the RAT is $50 for a monthly subscription.
In terms of execution, WSH RAT behaves in the same way as Hworm, “down to its use of mangled Base64 encoded data“, and it’s even utilizing the same configuration structure that Hworm uses for this process.
In addition, the RAT’s configuration is an exact copy of the Hworm’s configuration. Even the default names of the default variables haven’t been altered.
In the campaigns that were analyzed by Cofense, the downloaded files had the .tar.gz extension but were in fact PE32 executable files. The three downloaded executables included a keylogger, a mail credential viewer, and a browser credential viewer. It’s noteworthy that these three modules are taken from third parties and are not created by the WSH RAT’s operators.
The latest Houdini iteration shows how easy it is to purchase malware and use it in actual attacks. “With a small investment in cheap command and control infrastructure and an easy-to-purchase malware-as-a-service, a threat actor with otherwise limited capabilities can knock on the door of a large financial company’s network in no time,” the researchers concluded.