A new variant of the Houdini malware has been detected in campaigns against financial institutions and their customers.
Dubbed WSH Remote Access Tool (RAT), the variant took only five days to start seeking out victims via phishing campaigns, with the overall goal being the theft of online banking credentials, which can then be used to make fraudulent purchases.
The phishing campaign masquerades as legitimate communication from banks including HSBC. The fraudulent emails contain .MHT web archive files which act in the same way as .HTML files.
If a victim opens the attachment, the file, which contains a web address link, directs them towards a .zip archive containing the WSH RAT payload.
The payload first communicates with its command-and-control (C2) server, controlled by the attacker, to request three additional .tar.gz files. These files, however, are actually PE32 executables which provide the Trojan with a Windows keylogger, a mail credential viewer, and a browser credential viewer module.
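The stage-two downloads described above are named as .tar.gz archives but are really PE32 executables, so a defender should classify retrieved files by their magic bytes rather than by extension. The following is an added illustration (not code from the article or from Cofense) that sniffs gzip and PE headers and flags name/content mismatches; the sample files are constructed inline.

```python
import gzip
import struct

# Magic values used to identify the real content of a file, ignoring its name.
GZIP_MAGIC = b"\x1f\x8b"
MZ_MAGIC = b"MZ"
PE_SIGNATURE = b"PE\x00\x00"
IMAGE_FILE_MACHINE_I386 = 0x014C  # 32-bit x86, i.e. a PE32 image


def sniff_type(data: bytes) -> str:
    """Return 'gzip', 'pe32', 'pe' or 'unknown' based purely on content."""
    if data[:2] == GZIP_MAGIC:
        return "gzip"
    if data[:2] == MZ_MAGIC and len(data) >= 0x40:
        # e_lfanew at offset 0x3C points to the PE signature
        pe_off = struct.unpack_from("<I", data, 0x3C)[0]
        if len(data) >= pe_off + 6 and data[pe_off:pe_off + 4] == PE_SIGNATURE:
            machine = struct.unpack_from("<H", data, pe_off + 4)[0]
            return "pe32" if machine == IMAGE_FILE_MACHINE_I386 else "pe"
    return "unknown"


def extension_mismatch(filename: str, data: bytes) -> bool:
    """True when a file named like a gzip/tar archive is actually a PE executable."""
    looks_like_archive = filename.lower().endswith((".tar.gz", ".tgz", ".gz"))
    return looks_like_archive and sniff_type(data).startswith("pe")


def flag_suspicious_downloads(files: dict) -> list:
    """Return the names of downloaded files whose content contradicts their extension."""
    return sorted(name for name, data in files.items() if extension_mismatch(name, data))


def build_fake_pe32() -> bytes:
    # Constructed sample: minimal MZ stub with e_lfanew = 0x40, then a PE32 file header.
    header = bytearray(MZ_MAGIC + b"\x00" * 0x3A)            # 0x3C bytes of DOS stub
    header += struct.pack("<I", 0x40)                          # e_lfanew
    header += PE_SIGNATURE + struct.pack("<H", IMAGE_FILE_MACHINE_I386)
    header += b"\x00" * 18                                     # rest of IMAGE_FILE_HEADER
    return bytes(header)


# Constructed downloads: one genuine gzip archive and two executables posing as archives.
SAMPLE_FILES = {
    "update.tar.gz": gzip.compress(b"harmless archive content"),
    "keylogger.tar.gz": build_fake_pe32(),
    "browser_creds.tar.gz": build_fake_pe32(),
}

if __name__ == "__main__":
    print(flag_suspicious_downloads(SAMPLE_FILES))
```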
Cofense says that each module was developed by third parties and is not the original work of the WSH RAT creator.
The malware strain is actively being sold in underground forums on a $50 per month subscription basis. The sellers are attempting to gain customers by waxing eloquent about WSH RAT's WinXP to Win10 compatibility, evasion techniques, credential-stealing capabilities, and more.
HWorm has previously been spotted in attacks against the energy sector. According to FireEye, it is likely the developer of the malware is based in Algeria and has ties to another malware developer, responsible for the njw0rm and njRAT/LV strains, due to similarities spotted within their code bases.