According to security research by Cofense, the new variant of the Houdini worm is named WSH Remote Access Tool (WSH RAT); it was released on 2 June 2019.
WSH is the Windows Script Host, an application used to execute scripts on Windows machines.
The malware targets commercial banking customers through phishing campaigns that use .zip and .mht file attachments and URLs.
What is the Houdini Worm (H-Worm)?
H-Worm first appeared in 2013.
H-Worm is a VBS (Visual Basic Script) based RAT written by an individual going by the name Houdini. Cyber criminals have now reverse engineered the code and converted it into WSH RAT.
Cyber attackers send deceptive emails to bank customers, including HSBC customers. The emails carry .MHT web archive files, which behave the same way as .HTML files.
Once the victim opens the attachment, it leads to a ZIP archive file containing the WSH RAT payload.
How does this new malware variant work?
Once the malware is executed, it first communicates with its C2 (command and control) server, which is controlled by the cyber criminal, and requests three additional .tar.gz files. These files are PE32 executables.
The three downloaded executables were:
- A keylogger
- A mail credential viewer
- A browser credential viewer
All three modules are third-party tools and are not original work of the WSH RAT operator.
Cofense said the malware is being sold for $50 on a dark web market, advertised with features such as WinXP to Win10 compatibility, several automatic startup methods, and a large variety of remote access, evasion, and stealing capabilities.
This re-release of H-Worm shows that threat operators are willing to reuse techniques that still work in today's IT environment. The phishing campaign that delivered the .zip containing an MHT file was able to bypass the Symantec Messaging Gateway's virus and spam checks.
According to FireEye, H-Worm has previously been used in targeted attacks against the international energy industry. The developer of H-Worm is based in Algeria.
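As an added defensive example (not from Cofense's research or the original post), the script below checks for the two artefacts described above: a ZIP attachment carrying an .mht member, and a Windows Script Host process downloading a ".tar.gz" whose body is really a PE executable. All process names, URLs and payload bytes are constructed samples.

```python
import io
import zipfile

# Constructed stand-ins for proxy/EDR download telemetry:
# (requesting process, URL, first bytes of the response body).
# The ".invalid" hosts and the byte strings are fabricated, not real samples.
SAMPLE_DOWNLOADS = [
    ("wscript.exe", "http://c2.example.invalid/mod/keylogger.tar.gz", b"MZ\x90\x00\x03\x00"),
    ("wscript.exe", "http://c2.example.invalid/mod/mailpv.tar.gz", b"MZ\x90\x00"),
    ("curl.exe", "http://mirror.example.invalid/pkg/tool-1.0.tar.gz", b"\x1f\x8b\x08\x00"),
    ("chrome.exe", "http://cdn.example.invalid/report.html", b"<!DOCTYPE"),
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}  # Windows Script Host binaries
PE_MAGIC = b"MZ"          # header of a DOS/PE executable
GZIP_MAGIC = b"\x1f\x8b"  # header of a genuine .tar.gz


def extension_mismatch(url, head):
    """True when the URL claims a gzip tarball but the body starts with a PE header."""
    name = url.rsplit("/", 1)[-1].lower()
    if not name.endswith(".tar.gz"):
        return False
    # A real tarball starts with the gzip magic; the modules described above start with "MZ".
    return not head.startswith(GZIP_MAGIC) and head.startswith(PE_MAGIC)


def flag_downloads(records):
    """URLs matching the staging pattern: a Windows Script Host process fetching
    a '.tar.gz' that is actually a PE32 executable."""
    return [url for proc, url, head in records
            if proc.lower() in SCRIPT_HOSTS and extension_mismatch(url, head)]


def zip_mht_members(zip_bytes):
    """Names of .mht/.mhtml members inside a ZIP attachment (the lure format described above)."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return [n for n in zf.namelist() if n.lower().endswith((".mht", ".mhtml"))]


def build_sample_zip():
    """Constructed lure: a ZIP holding a placeholder .mht (no real payload inside)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("statement.mht", "MIME-Version: 1.0\r\nContent-Type: text/html\r\n\r\n<html></html>")
        zf.writestr("readme.txt", "constructed sample")
    return buf.getvalue()


if __name__ == "__main__":
    print("suspicious downloads:", flag_downloads(SAMPLE_DOWNLOADS))
    print("mht members in sample zip:", zip_mht_members(build_sample_zip()))
```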