A new variant of the Houdini malware has been detected in campaigns against financial institutions and their customers.
Last week, cybersecurity researchers from Cofense said in a blog post that the new strain of Houdini -- also known as HWorm -- was released by its author on June 2, 2019.
Dubbed WSH Remote Access Tool (RAT), it took the variant only five days to start seeking out victims via phishing campaigns, with the overall goal being the theft of online banking credentials which can be used to make fraudulent purchases.
The phishing campaign masquerades as legitimate communication from banks including HSBC. The fraudulent emails contain .MHT web archive files which act in the same way as .HTML files.
If a victim opens the attachment, the file, which contains a web address link, directs them towards a .zip archive containing the WSH RAT payload.
The payload first communicates with its command-and-control (C2) server, controlled by the attacker, to request three additional .tar.gz files. These files, however, are actually PE32 executables which provide the Trojan with a Windows keylogger, a mail credential viewer, and a browser credential viewer module.
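As an added, defender-side example that is not from Cofense's report or from the malware itself: a small Python check that flags fetched files whose declared ".tar.gz" extension disagrees with their magic bytes, which is the PE32-masquerading trick described above. The function names and the sample bytes are constructed for illustration.

```python
"""Flag downloads whose declared extension disagrees with their magic bytes.

Added illustration for the WSH RAT fetch pattern described above: the C2
serves ".tar.gz" files that are really PE32 executables. Every byte string
below is constructed; nothing here is taken from a real sample."""
import gzip
import struct

# Expected leading bytes for the extensions the payload claims to fetch.
MAGIC = {
    ".tar.gz": b"\x1f\x8b",    # gzip stream
    ".zip":    b"PK\x03\x04",  # zip local file header
    ".exe":    b"MZ",          # DOS stub of a PE file
}

def is_pe32(data: bytes) -> bool:
    """True if data has a DOS 'MZ' stub whose e_lfanew points at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"

def declared_extension(name: str) -> str:
    """Longest known extension the file name claims, or '' if none matches."""
    lower = name.lower()
    for ext in MAGIC:
        if lower.endswith(ext):
            return ext
    return ""

def classify(name: str, data: bytes) -> str:
    """'ok' when bytes match the claimed type, 'masquerade:pe32' when a
    non-.exe name hides a PE header, 'mismatch' for any other disagreement."""
    ext = declared_extension(name)
    if not ext:
        return "unknown-extension"
    if data.startswith(MAGIC[ext]):
        return "ok"
    if ext != ".exe" and is_pe32(data):
        return "masquerade:pe32"
    return "mismatch"

def fake_pe32() -> bytes:
    """Constructed minimal MZ header plus PE signature (not runnable code)."""
    hdr = bytearray(b"MZ" + b"\x00" * 0x3E)   # 64-byte DOS header
    struct.pack_into("<I", hdr, 0x3C, 0x40)    # e_lfanew -> offset 64
    return bytes(hdr) + b"PE\x00\x00"

def sample_gzip() -> bytes:
    """Constructed benign gzip stream for comparison."""
    return gzip.compress(b"constructed archive contents")
```

Running the check on a fetch log, or as a proxy or sandbox hook, catches the extension/content disagreement before the module is ever executed.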
Cofense says that each of these modules was developed by third parties and is not the original work of the WSH RAT creator.
The malware strain is actively being sold in underground forums on a $50 per month subscription basis. The sellers are attempting to attract customers by waxing eloquent about WSH RAT's Windows XP through Windows 10 compatibility, evasion techniques, credential-stealing capabilities, and more.
HWorm has previously been spotted in attacks against the energy sector. According to FireEye, the malware's developer is likely based in Algeria and, judging by similarities between the code bases, has ties to the developer responsible for the njw0rm and njRAT/LV strains.