Thursday, June 13, 2024

Hackers Delivering WSH Remote Access Tool (RAT) via Phishing Campaign to Attack Banking Customers

Researchers discovered a new wave of a phishing campaign that delivering a new variant of Houdini Worm named as WSH Remote access tool to attack commercial banking customers.

Malware authors initially released this tool on June 2, 2019, and the HWorm shares extreme similarities with njRAT and njWorm, which existed since 2013.

Legitimate Windows Script Host, an application used to execute scripts on Windows machines that are being used for WSH RAT.

Attacker distributed the malware via phishing email campaign with the malicious attachment contained an MHT file that is used by threat operators in the same way as HTML files.

MTH File contained a href link which direct user to download the malicious .zip archive that drops the original version of WSH RAT.

According to cofense researchers,” When executed on an endpoint, WSH RAT behaves in the same way as Hworm, down to its use of mangled Base64 encoded data. WSH RAT uses the same configuration structure that Hworm uses for this process.”

Also, WSH RAT spawns an exact copy of the Hworm’s configuration, including the default variable, and the WSH RAT command and control server URL structure is identical to the Hworm.

The C2 callout made by WSH RAT

Callout the Payloads

After the initial communication to the C2 server, WSH RAT calling out the new URL that drops the three payloads with .tar.gz extension but is actually PE32 executable files and the three payloads are acting as follows.

  • A keylogger
  • A mail credential viewer
  • A browser credential viewer

These modules are derived from a third party and not original work from the WSH RAT operator.

Cybercriminals sold the WSH RAT for $50 USD a month in the underground market place with so many features including, several automatic startup methods, and a large variety of remote access, evasion, and stealing capabilities.

“This threat exhibits the ease with which new malware can be developed, purchased, and weaponized. With a small investment in cheap command and control infrastructure and an easy-to-purchase malware-as-a-service, a threat actor with otherwise limited capabilities can knock on the door of a large financial company’s network in no time.” Researchers said.

You can follow us on LinkedinTwitterFacebook for daily Cybersecurity updates also you can take the Best Cybersecurity courses online to keep yourself updated.


Latest articles

Ivanti EPM SQL Injection Flaw Let Attackers Execute Remote Code

In May 24, 2024, Zero-Day Initiative released a security advisory for Ivanti EPM which...

CISA Warns of Scammers Impersonating as CISA Employees

The Cybersecurity and Infrastructure Security Agency (CISA) has issued a warning about a surge...

Microsoft Windows Ntqueryinformationtoken Flaw Let Attackers Escalate Privileges

Microsoft has disclosed a critical vulnerability identified as CVE-2024-30088.With a CVSS score of 8.8, this flaw affects Microsoft...

256,000+ Publicly Exposed Windows Servers Vulnerable to MSMQ RCE Flaw

Cybersecurity watchdog Shadowserver has identified 256,000+ publicly exposed servers vulnerable to a critical Remote...

Indian National Jailed For Hacked Servers Of Company That Fired Him

An Indian national was sentenced to two years and eight months in jail for...

JetBrains Warns of GitHub Plugin that Exposes Access Tokens

A critical vulnerability (CVE-2024-37051) in the JetBrains GitHub plugin for IntelliJ-based IDEs (2023.1 and...

Critical Flaw In Apple Ecosystems Let Attackers Gain Unauthorized Access

Hackers go for Apple due to its massive user base along with rich customers,...
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Free Webinar

API Vulnerability Scanning

71% of the internet traffic comes from APIs so APIs have become soft targets for hackers.Securing APIs is a simple workflow provided you find API specific vulnerabilities and protect them.In the upcoming webinar, join Vivek Gopalan, VP of Products at Indusface as he takes you through the fundamentals of API vulnerability scanning..
Key takeaways include:

  • Scan API endpoints for OWASP API Top 10 vulnerabilities
  • Perform API penetration testing for business logic vulnerabilities
  • Prioritize the most critical vulnerabilities with AcuRisQ
  • Workflow automation for this entire process

Related Articles