Tuesday, November 12, 2024
HomeComputer SecurityHackers Delivering WSH Remote Access Tool (RAT) via Phishing Campaign to Attack...

Hackers Delivering WSH Remote Access Tool (RAT) via Phishing Campaign to Attack Banking Customers

Published on

Malware protection

Researchers discovered a new wave of a phishing campaign that delivering a new variant of Houdini Worm named as WSH Remote access tool to attack commercial banking customers.

Malware authors initially released this tool on June 2, 2019, and the HWorm shares extreme similarities with njRAT and njWorm, which existed since 2013.

Legitimate Windows Script Host, an application used to execute scripts on Windows machines that are being used for WSH RAT.

- Advertisement - SIEM as a Service

Attacker distributed the malware via phishing email campaign with the malicious attachment contained an MHT file that is used by threat operators in the same way as HTML files.

MTH File contained a href link which direct user to download the malicious .zip archive that drops the original version of WSH RAT.

According to cofense researchers,” When executed on an endpoint, WSH RAT behaves in the same way as Hworm, down to its use of mangled Base64 encoded data. WSH RAT uses the same configuration structure that Hworm uses for this process.”

Also, WSH RAT spawns an exact copy of the Hworm’s configuration, including the default variable, and the WSH RAT command and control server URL structure is identical to the Hworm.

The C2 callout made by WSH RAT

Callout the Payloads

After the initial communication to the C2 server, WSH RAT calling out the new URL that drops the three payloads with .tar.gz extension but is actually PE32 executable files and the three payloads are acting as follows.

  • A keylogger
  • A mail credential viewer
  • A browser credential viewer

These modules are derived from a third party and not original work from the WSH RAT operator.

Cybercriminals sold the WSH RAT for $50 USD a month in the underground market place with so many features including, several automatic startup methods, and a large variety of remote access, evasion, and stealing capabilities.

“This threat exhibits the ease with which new malware can be developed, purchased, and weaponized. With a small investment in cheap command and control infrastructure and an easy-to-purchase malware-as-a-service, a threat actor with otherwise limited capabilities can knock on the door of a large financial company’s network in no time.” Researchers said.

You can follow us on Linkedin, Twitter, Facebook for daily Cybersecurity updates also you can take the Best Cybersecurity courses online to keep yourself updated.

Balaji
Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Latest articles

Amazon Confirms Employee Data Breach Via Third-party Vendor

Amazon has confirmed that sensitive employee data was exposed due to a breach at...

10 Best DNS Management Tools – 2025

Best DNS Management Tools play a crucial role in efficiently managing domain names and...

Sweet Security Announces Availability of its Cloud Native Detection & Response Platform on the AWS Marketplace

Customers can now easily integrate Sweet’s runtime detection and response platform into their AWS...

Researchers Detailed Credential Abuse Cycle

Cybercriminals exploit leaked credentials, obtained through various means, to compromise systems and data, enabling...

Free Webinar

Protect Websites & APIs from Malware Attack

Malware targeting customer-facing websites and API applications poses significant risks, including compliance violations, defacements, and even blacklisting.

Join us for an insightful webinar featuring Vivek Gopalan, VP of Products at Indusface, as he shares effective strategies for safeguarding websites and APIs against malware.

Discussion points

Scan DOM, internal links, and JavaScript libraries for hidden malware.
Detect website defacements in real time.
Protect your brand by monitoring for potential blacklisting.
Prevent malware from infiltrating your server and cloud infrastructure.

More like this

Amazon Confirms Employee Data Breach Via Third-party Vendor

Amazon has confirmed that sensitive employee data was exposed due to a breach at...

Researchers Detailed Credential Abuse Cycle

Cybercriminals exploit leaked credentials, obtained through various means, to compromise systems and data, enabling...

New Android Malware SpyAgent Taking Screenshots Of User’s Devices

SpyAgent, a newly discovered Android malware, leverages OCR technology to extract cryptocurrency recovery phrases...