Houdini malware targets victims with keylogger, online bank account theft tools

The new Trojan variant is actively striking commercial banking customers.
Written by Charlie Osborne, Contributing Writer

A new variant of the Houdini malware has been detected in campaigns against financial institutions and their customers.

Last week, cybersecurity researchers from Cofense said in a blog post that the new strain of Houdini -- also known as HWorm -- was released by its author on June 2, 2019.

Dubbed WSH Remote Access Tool (RAT), it took the variant only five days to start seeking out victims via phishing campaigns, with the overall goal being the theft of online banking credentials which can be used to make fraudulent purchases.

The phishing campaign masquerades as legitimate communication from banks including HSBC. The fraudulent emails contain .MHT web archive files which act in the same way as .HTML files.

CNET: Black Hat cancels Rep. Will Hurd's headline speech after Twitter backlash

If a victim opens the attachment, the file, which contains a web address link, directs them towards a .zip archive containing the WSH RAT payload.

WSH RAT is a version of HWorm which has been ported to Javascript from HWorm's original Visual Basic setup but acts in the same manner as the original malware. The Trojan not only uses the same Base64 encoded data -- which Cofense describes as "mangled" -- but also the same configuration strings, with default variables named and organized in the same way for both types of malicious code.

The payload first communicates with its command-and-control (C2) server, controlled by the attacker, to request three additional .tar.gz files. These files, however, are actually PE32 executables which provide the Trojan with a Windows keylogger, a mail credential viewer, and a browser credential viewer module.

TechRepublic: Magecart attack: What it is, how it works, and how to prevent it

Cofense says that each module has been developed by third parties and are not the original work of the WSH RAT creator.

The malware strain is actively being sold in underground forums on a $50 per month subscription basis. The sellers are attempting to gain customers by waxing eloquent about WSH RAT's WinXP -- Win10 compatibility, evasion techniques, credential-stealing capabilities, and more.

See also: Have I Been Pwned: It's time to grow up and smell the acquisition potential

HWorm has previously been spotted in attacks against the energy sector. According to FireEye, it is likely the developer of the malware is based in Algeria and has ties to another malware developer, responsible for the njw0rm and njRAT/LV strains, due to similarities spotted within their code bases. 

These are the worst hacks, cyberattacks, and data breaches of 2019 (so far)

Previous and related coverage

Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0

Editorial standards