A fresh, modified version of the Houdini Worm (HWorm) is out on the market. It goes by the name WSH Remote Access Tool (RAT) and has commercial banking customers on its radar.
The authors of the malware released it earlier this June, and HWorm has a tremendous amount in common with njRAT and njWorm (which existed in 2013).
WSH RAT abuses legitimate applications that execute scripts on Windows, one of which is the legitimate Windows Script Host.
As usual, the malware is distributed via phishing email campaigns.
The malicious attachment is an MHT file, which the threat operators use in the very same way they use HTML files. The MHT file contains an "href" link that guides the user to download a malicious .zip archive, which in turn releases the original version of WSH RAT.
Researchers report that when WSH RAT is executed on an endpoint, it behaves like HWorm, down to its use of mangled Base64-encoded data.
WSH RAT uses the very same configuration structure for this process as HWorm. It also seeds an exact copy of HWorm's configuration, including the default variable, and the structure of WSH RAT's command-and-control (C2) server URL is similar to that of HWorm.
First, WSH RAT communicates with the C2 server and then calls out to a new URL that releases three payloads carrying the .tar.gz extension. They are actually PE32 executable files, and the three payloads act as follows:
· A keylogger
· A mail credential viewer
· A browser credential viewer
These components are sourced from a third party and do not originate from WSH RAT itself.
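The masquerade described above, where a download named .tar.gz is really a PE32 executable, is something a defender can flag by checking file content against the claimed extension. The following is an added example, not code from the original report or from any of the researchers cited; it inspects magic bytes (gzip 1f 8b, DOS "MZ" header, and the "PE\0\0" signature at the e_lfanew offset) and uses a constructed minimal PE-like blob as test input.

```python
import struct

# File-format magic bytes used for content inspection.
GZIP_MAGIC = b"\x1f\x8b"       # gzip archives (what a .tar.gz should start with)
MZ_MAGIC = b"MZ"               # DOS header at the start of every PE file
PE_SIGNATURE = b"PE\x00\x00"   # PE signature, located at offset e_lfanew (DOS header +0x3C)


def is_pe32(data: bytes) -> bool:
    """Return True if data carries an MZ header and a valid PE signature."""
    if len(data) < 0x40 or data[:2] != MZ_MAGIC:
        return False
    # e_lfanew: little-endian uint32 at offset 0x3C pointing to the PE header.
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + len(PE_SIGNATURE) > len(data):
        return False
    return data[e_lfanew:e_lfanew + len(PE_SIGNATURE)] == PE_SIGNATURE


def classify_download(name: str, data: bytes) -> str:
    """Label a downloaded file by comparing its claimed extension with its real content.

    Returns one of: "pe32-masquerading-as-archive", "pe32", "gzip", "unknown".
    """
    claims_gzip = name.lower().endswith((".tar.gz", ".tgz", ".gz"))
    if is_pe32(data):
        # A PE file delivered under an archive extension is the pattern in the report.
        return "pe32-masquerading-as-archive" if claims_gzip else "pe32"
    if data[:2] == GZIP_MAGIC:
        return "gzip"
    return "unknown"


def build_fake_pe() -> bytes:
    """Construct a minimal PE-shaped blob for testing (hypothetical sample, not real malware)."""
    dos_header = bytearray(0x40)
    dos_header[:2] = MZ_MAGIC
    struct.pack_into("<I", dos_header, 0x3C, 0x40)  # e_lfanew -> right after the DOS header
    return bytes(dos_header) + PE_SIGNATURE + b"\x00" * 20


if __name__ == "__main__":
    # Constructed sample: a file named like an archive but with PE content.
    print(classify_download("update.tar.gz", build_fake_pe()))
```

The check is cheap enough to run in a mail gateway or download proxy, and the mismatch label is the signal worth alerting on rather than the PE detection alone.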
The underground price of WSH RAT was around $50 USD a month, with a plethora of features including many automatic startup tactics as well as remote access, evasion and stealing capabilities.
It is becoming evident by the hour that, with a simple investment in cheap commodity tooling, genuinely threatening malware services can be developed and could put any company in jeopardy.