Researchers discovered a new wave of a phishing campaign that delivering a new variant of Houdini Worm named as WSH Remote access tool to attack commercial banking customers.
Attacker distributed the malware via phishing email campaign with the malicious attachment contained an MHT file that is used by threat operators in the same way as HTML files.
MTH File contained a href link which direct user to download the malicious .zip archive that drops the original version of WSH RAT.
According to cofense researchers,” When executed on an endpoint, WSH RAT behaves in the same way as Hworm, down to its use of mangled Base64 encoded data. WSH RAT uses the same configuration structure that Hworm uses for this process.”
Also, WSH RAT spawns an exact copy of the Hworm’s configuration, including the default variable, and the WSH RAT command and control server URL structure is identical to the Hworm.
Callout the Payloads
After the initial communication to the C2 server, WSH RAT calling out the new URL that drops the three payloads with .tar.gz extension but is actually PE32 executable files and the three payloads are acting as follows.
- A keylogger
- A mail credential viewer
- A browser credential viewer
These modules are derived from a third party and not original work from the WSH RAT operator.
Cybercriminals sold the WSH RAT for $50 USD a month in the underground market place with so many features including, several automatic startup methods, and a large variety of remote access, evasion, and stealing capabilities.
“This threat exhibits the ease with which new malware can be developed, purchased, and weaponized. With a small investment in cheap command and control infrastructure and an easy-to-purchase malware-as-a-service, a threat actor with otherwise limited capabilities can knock on the door of a large financial company’s network in no time.” Researchers said.