New Houdini Worm Variant Targeting Banking Organizations Using MHT Files


A new variant of the Houdini worm is targeting commercial banking organizations using attack campaigns that employ .mht files, among other attachments.

On 7 June, Cofense came across a phishing email masquerading as official correspondence from HSBC Bank. The email instructed recipients to confirm their business details so that HSBC Bank could proceed with remittance as instructed by one of its customers. To complete this step, the message directed recipients to open an attached .zip archive entitled, “BANK DETAILS CONFIRMATION_PDF.zip.”

Once opened, the .zip archive revealed an .mht file, an MHTML Web Archive file that can incorporate applets, Flash animations and other external resources into HTML files. The .mht file used in the phishing campaign contained an href link. When clicked, it directed victims to a .zip archive containing a version of WSH RAT.

Cofense found in its analysis that “WSH” likely refers to Windows Script Host, an application useful for executing scripts on Windows machines. That’s not the only thing that the security firm observed in its evaluation, however. As Cofense researchers Nick Guarino and Aaron Riley note in their research:

When executed on an endpoint, WSH RAT behaves in the same way as Hworm, down to its use of mangled Base64 encoded data. WSH RAT uses the same configuration structure that Hworm uses for this process…. It is interesting to note that the WSH RAT configuration is an exact copy of the Hworm’s configuration, even as far as not changing the name of the default variables.

A Primer on Hworm

Hworm is a Visual Basic Script-based remote access trojan (RAT) that was originally the creation of an individual who went by the name “Houdini.” In 2013, FireEye observed threat actors incorporating the “Houdini worm” into targeted attacks against the international energy industry. They also saw malefactors using run-of-the-mill attacks leveraging spam email attachments and malicious links to distribute the malware.

Several years later, Palo Alto Networks’ Unit 42 threat research team observed multiple attacks distributing a new version of Houdini that arrived in the form of SFX files. It wasn’t long thereafter that Recorded Future noticed an increasing number of malicious VBScripts posted to paste sites, with the vast majority of them appearing to be Houdini. Later in 2017, Menlo Security tracked a strain of the threat that made 800 call-backs to two separate C&C domains.

Back to WSH RAT

After establishing initial communication with its command-and-control (C&C) server, WSH RAT called out to a URL for three separate payloads: a keylogger, a mail credential viewer and a browser credential viewer. Each of these files employed the .tar.gz extension. But every one of them was actually a PE32 executable file.
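The mismatch described above, a .tar.gz name on a PE32 image, can be caught by comparing a file's name with its header bytes. The following Python sketch is an added example, not code from Cofense's report or from the malware; the file names and byte samples in it are constructed, and `make_pe_stub` is a hypothetical helper that builds headers only.

```python
import gzip
import struct

GZIP_MAGIC = b"\x1f\x8b"
GZIP_NAMES = (".tar.gz", ".tgz", ".gz")

def classify(data: bytes) -> str:
    """Identify content by its header bytes: 'gzip', 'pe32', 'pe32+' or 'unknown'."""
    if data[:2] == GZIP_MAGIC:
        return "gzip"
    if data[:2] == b"MZ" and len(data) >= 0x40:
        # e_lfanew at offset 0x3C points to the "PE\0\0" signature.
        (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
        if data[e_lfanew:e_lfanew + 4] == b"PE\0\0" and len(data) >= e_lfanew + 26:
            # Optional-header magic follows the 4-byte signature and 20-byte COFF header.
            (magic,) = struct.unpack_from("<H", data, e_lfanew + 24)
            return {0x10B: "pe32", 0x20B: "pe32+"}.get(magic, "unknown")
    return "unknown"

def is_masquerading(filename: str, data: bytes) -> bool:
    """True when a name that claims gzip content actually holds a PE image."""
    return filename.lower().endswith(GZIP_NAMES) and classify(data).startswith("pe32")

def make_pe_stub(opt_magic: int = 0x10B) -> bytes:
    """Constructed sample: PE headers only, no sections or code (not executable)."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 0xE0, 0x102)
    return dos + b"PE\0\0" + coff + struct.pack("<H", opt_magic)

if __name__ == "__main__":
    # Constructed file names and contents, for illustration only.
    samples = {
        "sample-a.tar.gz": make_pe_stub(),
        "sample-b.tar.gz": gzip.compress(b"genuine archive bytes"),
        "sample-c.exe": make_pe_stub(0x20B),
    }
    for name, blob in samples.items():
        verdict = "MISMATCH" if is_masquerading(name, blob) else "ok"
        print(f"{name:18} content={classify(blob):8} {verdict}")
```

The same name-versus-content comparison can be applied to files an endpoint downloads after infection, which is the stage at which the article says these payloads were fetched.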

As of this writing, digital threat actors are selling access to WSH RAT on underground marketplaces for $50 USD a month. Malicious individuals justify this cost based on their creation’s many features, which include WinXP-Win10 compatibility along with various data-stealing functions. In fact, they’re highlighting these and other elements in an active marketing campaign which they created for the malware.

Defending Against Email-Borne Threats

The campaign detected by Cofense reveals that many digital attackers are invested in updating their threats and creating new ones to prey upon unsuspecting users. In response, organizations need to defend themselves against email-borne threats. Solutions like ZixProtect provide a sophisticated, multi-layer approach that combines machine learning, automated traffic analysis and real-time threat analysts. This helps prevent malicious threats like Houdini worm from entering mailboxes, while keeping legitimate email flowing.
