Houdini trojan hits banking customers with keylogger

News by Rene Millman

Security researchers have discovered a variant of the Houdini malware in campaigns against financial institutions and their customers.

According to a blog post by researchers at Cofense, the new strain of malware, named WSH Remote Access Tool (RAT) by its developer, is a variant of the VBS (Visual Basic Script) based Houdini Worm (H-Worm) first created in 2013.

This new iteration comes ported to JavaScript (JS) from HWorm’s original codebase of Visual Basic. WSH is likely a reference to the legitimate Windows Script Host, which is an application used to execute scripts on Windows machines.

The phishing campaign uses emails designed to look like they come from HSBC but which carry .MHT web archive attachments, files that behave in the same way as .HTML files.

When opened, the attachment presents a URL that directs the recipient to a .zip archive containing the WSH RAT payload.

"When executed on an endpoint, WSH RAT behaves in the same way as Hworm, down to its use of mangled Base64 encoded data. WSH RAT uses the same configuration structure that Hworm uses for this process," said researchers.

The malware communicates with a C2 server that the attacker controls and requests three additional .tar.gz files. The downloaded files carry the .tar.gz extension but are actually PE32 executable files. The three downloaded executables are a keylogger, a mail credential viewer and a browser credential viewer.
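The extension-versus-content mismatch described above is something a defender can check for directly. The following is an added example (not code from Cofense or the article): it inspects the magic bytes of a downloaded file and flags anything named .tar.gz that is really a PE executable. The function names and the sample byte strings are constructed for illustration.

```python
import struct

GZIP_MAGIC = b"\x1f\x8b"   # a genuine .gz file starts with these two bytes
MZ_MAGIC = b"MZ"           # DOS stub header at the start of every PE file


def looks_like_gzip(data: bytes) -> bool:
    """True if the first bytes match the gzip magic number."""
    return data[:2] == GZIP_MAGIC


def looks_like_pe(data: bytes) -> bool:
    """True if data has an MZ header whose e_lfanew field points at a 'PE\\0\\0' signature."""
    if len(data) < 0x40 or data[:2] != MZ_MAGIC:
        return False
    # e_lfanew (offset of the PE header) lives at offset 0x3C of the DOS header
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def classify_download(filename: str, data: bytes) -> str:
    """Compare the claimed extension with the real content.

    Returns 'ok' when a .tar.gz really is gzip, 'mismatch' when a .tar.gz
    is a PE executable (the WSH RAT pattern), and 'unknown' otherwise.
    """
    name = filename.lower()
    if name.endswith(".tar.gz") or name.endswith(".tgz"):
        if looks_like_pe(data):
            return "mismatch"
        if looks_like_gzip(data):
            return "ok"
    return "unknown"


def _fake_pe() -> bytes:
    """Constructed minimal PE-looking blob: MZ header, e_lfanew -> 'PE\\0\\0'."""
    hdr = bytearray(0x40)
    hdr[:2] = MZ_MAGIC
    struct.pack_into("<I", hdr, 0x3C, 0x40)      # PE header immediately after DOS header
    return bytes(hdr) + b"PE\x00\x00" + b"\x00" * 20


# Constructed samples standing in for the downloaded "modules"
SAMPLE_PE_AS_TARGZ = _fake_pe()
SAMPLE_REAL_GZIP = GZIP_MAGIC + b"\x08" + b"\x00" * 10

if __name__ == "__main__":
    for fname, blob in (("keylog.tar.gz", SAMPLE_PE_AS_TARGZ), ("update.tar.gz", SAMPLE_REAL_GZIP)):
        print(fname, "->", classify_download(fname, blob))
```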

Researchers said that each module was developed by third parties and is not the original work of the WSH RAT creator.

They added that this new variant is being hawked around the dark web for US$ 50 (£40) per month on a subscription basis with the hackers touting the RAT’s many features such as WinXP-Win10 compatibility, several automatic startup methods, and a large variety of remote access, evasion, and stealing capabilities.

"This threat exhibits the ease with which new malware can be developed, purchased, and weaponised. With a small investment in cheap command and control infrastructure and an easy-to-purchase malware-as-a-service, a threat actor with otherwise limited capabilities can knock on the door of a large financial company’s network in no time," said researchers.

Naaman Hart, cloud services security architect at Digital Guardian, told SC Media UK that organisations can protect themselves by updating their various protections to include crowd-sourced lists of IOCs (Indicators of Compromise), which ensure they can identify and block even the most recent threats.

"At the very basic level you're aiming for it to be impossible for your end users to reach malicious URLs, for them to be interacted with by suspicious email domains and for malicious software to be executed on their endpoint. Covering as many of these bases with as wide a net as possible ensures a smaller attack surface and risk factor for your business," he said.

Boris Cipot, senior security engineer at Synopsys, told SC Media UK that employees need to be aware of the risks of phishing, therefore training has to be in place that teaches employees how to detect phishing attacks or at least what to keep an eye out for.

"Also, organisations need to be more careful what they allow as attachments in their network. Attachments and URLs in mail would need to be blocked. There are far better ways to share files than via email - for example a company approved file sharing platform - then the URLs can also be controlled," he said.
