A New Strain Of ‘Houdini’ Malware Is On Sale For $50 Per Month In The Black Market


When someone mentions Houdini, the name almost instantly recalls the world’s greatest magician and escape artist. But cybercriminals have found a way to transform the man’s legacy into something feared and unwanted. Security researchers have detected a new strain of the Houdini worm, which has launched a new series of campaigns against financial institutions and their customers.

A few days ago, a report from cybersecurity researchers from Cofense confirmed that a new strain of the Houdini malware – also known as Hworm – was released by its creators on June 2, 2019.

The new Houdini malware took only five days to start wreaking havoc and seeking out victims via malicious phishing campaigns. According to the report, the main goal of the malware is to steal online banking credentials, which the culprits could later use to make fraudulent online purchases. It uses a tool dubbed WSH Remote Access Tool (RAT).

“Houdini Worm (HWorm) – a misleading name because it has more in common with a bot or RAT than a worm – has existed since at least 2013 and shares extreme similarities with what is undoubtedly its malignant siblings: njRAT and njWorm. This new iteration comes ported to JavaScript (JS) from HWorm’s original codebase of Visual Basic. WSH is likely a reference to the legitimate Windows Script Host, which is an application used to execute scripts on Windows machines,” wrote the researchers in a blog post.

How does it work?

The cybercriminals disguised the phishing emails as legitimate messages from various financial institutions and banks. One bank whose name the hackers used is HSBC. The fraudulent emails contain .MHT web archive files, which act the same way as HTML files.

The phishing email delivering WSH RAT within an attachment. Photo: Cofense

“The email attachment contained an MHT file that is used by threat operators in the same way as HTML files. In this case, the MHT file contained an href link which when opened, directed victims to a .zip archive containing a version of WSH RAT,” they added.

When the MHT file, which contains a web address link, is executed, it directs the victim to a .zip archive containing the WSH RAT payload. WSH RAT uses the same configuration structure that Hworm uses for this process.

WSH RAT is a version of HWorm which has been ported to JavaScript from HWorm’s original Visual Basic setup but acts in the same manner as the original malware. The Trojan not only uses the same Base64 encoded data — which Cofense describes as “mangled” — but also the same configuration strings, with default variables named and organized in the same way for both types of malicious code.

The Trojan first communicates with a command and control server, controlled by the cybercriminal, and requests three additional .tar.gz files. These files, however, are PE32 executables which provide the Trojan with a Windows keylogger, a mail credential viewer, and a browser credential viewer module.
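A defender-side check for the mismatch described above, as an added example that is not from the Cofense report: it classifies a download by its leading bytes and flags archive-named files that are really Windows executables. The file names and the stub header are constructed for illustration.

```python
import gzip
import struct

GZIP_MAGIC = b"\x1f\x8b"
ARCHIVE_SUFFIXES = (".tar.gz", ".tgz", ".gz")


def sniff(data: bytes) -> str:
    """Classify a payload by its leading bytes, ignoring any file name."""
    if data[:2] == GZIP_MAGIC:
        return "gzip"
    if data[:2] == b"MZ" and len(data) >= 0x40:
        # e_lfanew (offset 0x3C) points at the "PE\0\0" signature.
        (pe_off,) = struct.unpack_from("<I", data, 0x3C)
        if data[pe_off:pe_off + 4] == b"PE\x00\x00":
            # Optional-header magic follows the 20-byte COFF header.
            magic = data[pe_off + 24:pe_off + 26]
            if magic == b"\x0b\x01":
                return "pe32"
            if magic == b"\x0b\x02":
                return "pe32+"
            return "pe"
        return "mz"
    return "unknown"


def masquerading(name: str, data: bytes) -> bool:
    """True when an archive-named download is really a Windows executable."""
    claims_archive = name.lower().endswith(ARCHIVE_SUFFIXES)
    return claims_archive and sniff(data) in ("pe32", "pe32+", "pe", "mz")


def fake_pe32() -> bytes:
    """Constructed sample: minimal DOS + PE32 header stub, not a real binary."""
    dos = b"MZ" + b"\x00" * 0x3A + struct.pack("<I", 0x80)
    dos += b"\x00" * (0x80 - len(dos))
    coff = struct.pack("<HHIIIHH", 0x014C, 1, 0, 0, 0, 0xE0, 0x0102)
    return dos + b"PE\x00\x00" + coff + struct.pack("<H", 0x010B)


if __name__ == "__main__":
    samples = {  # constructed file names and contents
        "module1.tar.gz": fake_pe32(),
        "backup.tar.gz": gzip.compress(b"constructed archive body"),
    }
    for name, blob in samples.items():
        print(name, sniff(blob), "ALERT" if masquerading(name, blob) else "ok")
```

The same comparison of claimed type against magic bytes can run at a web proxy or on files written to disk by script hosts.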

It is also noteworthy that these modules were developed by third parties and cannot be attributed to the original creator of the Houdini worm. Furthermore, reports reveal that the malware is being actively sold in underground forums and on the black market. The price is said to be $50 per month on a subscription basis. Sellers are marketing their product by waxing eloquent about WSH RAT’s Windows XP and Windows 10 compatibility, evasion techniques, and credential-stealing capabilities, among others.

New malware variants are sprouting

Only recently, researchers from Google have discovered a Linux-based strain of another prevalent malware, Winnti, which was attributed to the high-value attack against a Vietnamese gaming company a few years back by some Chinese hackers.

Researchers from Chronicle, Alphabet’s cybersecurity department, made the discovery. The researchers revealed that they found a Linux variant of the Winnti malware that works as a backdoor on infected hosts, granting attackers access to compromised systems.

According to Chronicle, the malware that they have discovered comes in two parts: a rootkit to disguise the malware in the infected host and the actual backdoor Trojan. Further analysis showed that the discovered Linux variant of the Winnti malware bears a lot of similarities to the malware’s Windows version. Other connections with the Windows version included the similar way in which the Linux variant handled outbound communications with its command-and-control (C&C) server — which was a mixture of multiple protocols (ICMP, HTTP, and custom TCP and UDP protocols).
