Phishing Attacks Are Spreading WSH RAT, Houdini's New Version


The Houdini worm has been reworked into a new variant dubbed WSH Remote Access Tool (WSH RAT). More specifically, the new malware is an iteration of the VBScript-based Houdini, also known as H-Worm, which first appeared in 2013.

The WSH RAT is currently targeting commercial banking customers via malicious phishing campaigns containing URLs, .zip or .mht files.

According to a report by Cofense researchers, the RAT was released on June 2, and it has been actively distributed in the wild.

The new Houdini variant has been ported to JavaScript from H-Worm’s original VBScript codebase, the report said. The WSH name appears to be a reference to the legitimate Windows Script Host, the built-in Windows component that executes both VBScript and JScript files, which is what lets a script-based RAT run on a stock Windows system without any additional interpreter.

WSH Remote Access Tool: Capabilities

In short, the malware can be used in data-stealing attacks that harvest passwords from web browsers and email clients. Its other capabilities include remote control of compromised machines, uploading, downloading and executing files, and running arbitrary scripts and commands.

WSH RAT also has built-in keylogging and can disable anti-malware protection and Windows User Account Control (UAC). These actions can be carried out on all compromised hosts at once by issuing batch commands. The RAT is currently sold as a subscription for $50 per month.


In terms of execution, WSH RAT behaves the same way as H-Worm, “down to its use of mangled Base64 encoded data”, and it uses the same configuration structure that H-Worm uses for this process.

In addition, the RAT’s configuration is an exact copy of H-Worm’s; even the default variable names have not been changed.

In the campaigns Cofense analyzed, the files the RAT downloaded carried a .tar.gz extension but were in fact PE32 executables; the extension was a disguise, not the file’s real format. The three downloaded executables were a keylogger, a mail credential viewer and a browser credential viewer. Notably, these three modules are third-party tools rather than code written by WSH RAT’s operators.
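The extension-versus-content mismatch described above is easy to check for on a proxy, a mail gateway or a sandbox. The following Python script is an added example, not code from the article or from Cofense: it identifies a payload by its leading bytes (the MZ header and PE signature for executables, the gzip and zip headers for archives) and flags any download whose claimed extension disagrees with what the bytes show. The file names and both sample payloads (a minimal constructed PE-shaped blob and a genuine gzip tar built in memory) are constructed for illustration and are not real malware.

```python
import io
import struct
import tarfile


def detect_type(data: bytes) -> str:
    """Classify a payload by its leading bytes, ignoring whatever the file is called."""
    if data.startswith(b"MZ") and len(data) >= 0x40:
        # DOS header: e_lfanew at offset 0x3C points at the "PE\0\0" signature.
        e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
        if data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00":
            return "pe"
        return "mz"
    if data.startswith(b"\x1f\x8b"):
        return "gzip"
    if data.startswith(b"PK\x03\x04"):
        return "zip"
    return "unknown"


# What each extension should contain; anything else is a disguised payload.
EXPECTED_TYPES = {
    ".tar.gz": {"gzip"},
    ".tgz": {"gzip"},
    ".zip": {"zip"},
    ".exe": {"pe", "mz"},
    ".dll": {"pe"},
}


def claimed_extension(name: str) -> str:
    """Longest known extension the name ends with (so .tar.gz wins over .gz)."""
    lower = name.lower()
    for ext in sorted(EXPECTED_TYPES, key=len, reverse=True):
        if lower.endswith(ext):
            return ext
    return ""


def check_download(name: str, data: bytes) -> dict:
    """Compare the format the name claims with the format the bytes show."""
    ext = claimed_extension(name)
    actual = detect_type(data)
    expected = EXPECTED_TYPES.get(ext)
    # Unknown extensions are not judged; a known extension must match its content.
    suspicious = expected is not None and actual not in expected
    return {"name": name, "claimed": ext, "actual": actual, "suspicious": suspicious}


# --- constructed samples (hypothetical names, not real malware) ---

# Minimal PE-shaped blob: DOS header with e_lfanew = 0x40, then the PE signature.
FAKE_PE = (
    b"MZ" + b"\x00" * (0x3C - 2)
    + struct.pack("<I", 0x40)
    + b"PE\x00\x00" + b"\x00" * 16
)


def build_real_tgz() -> bytes:
    """A genuine gzip-compressed tar built in memory, for the honest case."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tf:
        payload = b"just text\n"
        info = tarfile.TarInfo("readme.txt")
        info.size = len(payload)
        tf.addfile(info, io.BytesIO(payload))
    return buf.getvalue()


SAMPLES = {
    "keylog.tar.gz": FAKE_PE,           # executable hiding behind an archive extension
    "mailpv.tar.gz": FAKE_PE,
    "backup.tar.gz": build_real_tgz(),  # honest archive
    "tool.exe": FAKE_PE,                # honest executable
}


def suspicious_downloads(samples=None) -> list:
    """Names of downloads whose content contradicts their extension."""
    samples = SAMPLES if samples is None else samples
    return [n for n, d in samples.items() if check_download(n, d)["suspicious"]]


if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(check_download(name, data))
    print("flagged:", suspicious_downloads())
```

The check deliberately validates the PE signature rather than stopping at the two MZ bytes, so a text file that happens to begin with "MZ" is not reported as an executable; in production the same logic would be fed the first few hundred bytes of each download rather than whole files held in memory.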

The latest Houdini iteration shows how easy it is to purchase malware and use it in actual attacks. “With a small investment in cheap command and control infrastructure and an easy-to-purchase malware-as-a-service, a threat actor with otherwise limited capabilities can knock on the door of a large financial company’s network in no time,” the researchers concluded.

Milena Dimitrova