Houdini malware targets victims with keylogger, online bank account theft tools

The new Trojan variant is actively striking commercial banking customers.

By Charlie Osborne for Zero Day | June 17, 2019

SOURCE: https://www.zdnet.com/article/new-houdini-malware-targets-banks-with-keylogger-browser-credential-theft/

--Millennium Knight adds: THIS ATTACK COMES FROM PHISHING EMAILS THAT IMPERSONATE YOUR BANK. DO NOT OPEN EMAILS WITH ATTACHMENTS FROM YOUR BANK. JUST OPENING THE EMAIL CAN LAUNCH THE VIRUS ATTACK ON YOUR SYSTEM. If you have opened a suspicious email, be sure to scan your systems immediately for viruses. Contact your system support person to have them scan as well. Article continues below--


A new variant of the Houdini malware has been detected in campaigns against financial institutions and their customers.

Last week, cybersecurity researchers from Cofense said in a blog post that the new strain of Houdini -- also known as HWorm -- was released by its author on June 2, 2019.

Dubbed WSH Remote Access Tool (RAT), the variant took only five days to start seeking out victims via phishing campaigns. Its overall goal is the theft of online banking credentials, which can then be used to make fraudulent purchases.

The phishing campaign masquerades as legitimate communication from banks including HSBC. The fraudulent emails carry .MHT (MIME HTML) web archive attachments, which open in a browser in the same way as .HTML files.

If a victim opens the attachment, a web link embedded in the file directs them to a .zip archive containing the WSH RAT payload.
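The lure works because an .MHT attachment is just a MIME container around HTML, so the outbound link can be pulled out and checked before anyone clicks it. The script below is an added triage example, not code from the article or from Cofense: it parses an .MHT archive with Python's standard email module, decodes the quoted-printable HTML part, extracts every href/src, and flags links that leave the claimed sender's domain or end in an archive or script extension. The sample archive, the hostnames (bank.example, cdn.example.net) and the trusted-host list are constructed for the example.

```python
import email
import email.policy
import re
from urllib.parse import urlparse

# Constructed sample .MHT attachment mimicking the bank-themed lure.
# Hostnames are placeholders, not indicators from the real campaign.
SAMPLE_MHT = b"""Subject: Payment Advice
MIME-Version: 1.0
Content-Type: multipart/related; boundary="----MultipartBoundary--example----"

------MultipartBoundary--example----
Content-Type: text/html
Content-Transfer-Encoding: quoted-printable
Content-Location: https://bank.example/advice.html

<html><body>
<p>A payment advice is attached.</p>
<a href=3D"https://cdn.example.net/files/payment_advice.zip">View advice</a>
<a href=3D"https://bank.example/contact">Contact us</a>
</body></html>
------MultipartBoundary--example------
"""

# Extensions that should never be the target of a link in a bank notice.
SUSPICIOUS_EXTENSIONS = (".zip", ".js", ".jse", ".vbs", ".wsf", ".hta", ".exe", ".scr")

HREF_RE = re.compile(r"""(?:href|src)\s*=\s*["']([^"']+)["']""", re.IGNORECASE)


def extract_links(mht_bytes: bytes) -> list[str]:
    """Return every href/src URL found in the HTML parts of an .MHT archive."""
    msg = email.message_from_bytes(mht_bytes, policy=email.policy.default)
    links: list[str] = []
    for part in msg.walk():
        if part.get_content_type() != "text/html":
            continue
        payload = part.get_payload(decode=True)  # undoes quoted-printable / base64
        if payload is None:
            continue
        html = payload.decode(part.get_content_charset() or "utf-8", errors="replace")
        links.extend(HREF_RE.findall(html))
    return links


def suspicious_links(mht_bytes: bytes, trusted_hosts: set[str]) -> list[str]:
    """Flag links that point off the trusted domains or at an archive/script payload."""
    flagged: list[str] = []
    for url in extract_links(mht_bytes):
        parsed = urlparse(url)
        host = (parsed.hostname or "").lower()
        off_domain = bool(host) and host not in trusted_hosts
        payload_ext = parsed.path.lower().endswith(SUSPICIOUS_EXTENSIONS)
        if off_domain or payload_ext:
            flagged.append(url)
    return flagged


if __name__ == "__main__":
    for link in suspicious_links(SAMPLE_MHT, {"bank.example"}):
        print("suspicious link:", link)
```

In the constructed sample the contact link stays on the trusted host and is ignored, while the .zip link on a third-party host is reported on both counts. Running this over attachments in a mail gateway or sandbox gives a cheap first signal before the archive is ever fetched.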

WSH RAT is a version of HWorm that has been ported to JavaScript from HWorm's original Visual Basic script (VBScript) code, but it behaves in the same manner as the original malware. The Trojan not only uses the same Base64-encoded data -- which Cofense describes as "mangled" -- but also the same configuration strings, with default variables named and organized in the same way in both code bases.


Once running, the payload contacts its attacker-controlled command-and-control (C2) server and requests three additional files carrying a .tar.gz extension. Despite the name, these files are actually PE32 executables, which provide the Trojan with a Windows keylogger, a mail credential viewer, and a browser credential viewer module.
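A file whose extension says compressed archive but whose bytes say Windows executable is a strong detection signal on its own, independent of any signature for this particular RAT. The following is an added example, not code from the article or from Cofense: it classifies a blob by its magic bytes (gzip header, or DOS MZ stub followed by a PE signature and the optional-header magic that distinguishes PE32 from PE32+) and reports downloads whose claimed extension contradicts their content. The sample downloads and the minimal PE header are constructed inline for the example; the header is not a runnable executable.

```python
import struct

GZIP_MAGIC = b"\x1f\x8b"
PE_SIGNATURE = b"PE\x00\x00"
COFF_HEADER_SIZE = 20  # bytes between the PE signature and the optional header


def classify(data: bytes) -> str:
    """Identify a blob by magic bytes: 'gzip', 'pe32', 'pe32+', 'mz-only', 'pe-unknown' or 'unknown'."""
    if data[:2] == GZIP_MAGIC:
        return "gzip"
    if len(data) < 0x40 or data[:2] != b"MZ":
        return "unknown"
    # The DOS header stores the offset of the PE signature at 0x3C (e_lfanew).
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    opt_magic_off = e_lfanew + len(PE_SIGNATURE) + COFF_HEADER_SIZE
    if opt_magic_off + 2 > len(data) or data[e_lfanew:e_lfanew + 4] != PE_SIGNATURE:
        return "mz-only"
    opt_magic = struct.unpack_from("<H", data, opt_magic_off)[0]
    return {0x10B: "pe32", 0x20B: "pe32+"}.get(opt_magic, "pe-unknown")


def extension_mismatch(filename: str, data: bytes) -> bool:
    """True when the content contradicts what the filename's extension claims."""
    name = filename.lower()
    actual = classify(data)
    if name.endswith((".tar.gz", ".tgz", ".gz")):
        return actual != "gzip"
    if name.endswith((".exe", ".dll", ".scr")):
        return not actual.startswith("pe")
    return False


def scan_downloads(downloads: dict[str, bytes]) -> list[str]:
    """Return the names of downloads whose extension lies about their content."""
    return [name for name, data in downloads.items() if extension_mismatch(name, data)]


def build_fake_pe32() -> bytes:
    """Constructed minimal PE32 header for testing (not an executable)."""
    e_lfanew = 0x40
    dos = bytearray(b"MZ" + b"\x00" * (e_lfanew - 2))
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    # COFF header: Machine=i386, 1 section, timestamp, symtab ptr, nsyms,
    # SizeOfOptionalHeader=0xE0, Characteristics=EXECUTABLE_IMAGE|32BIT_MACHINE.
    coff = struct.pack("<HHIIIHH", 0x014C, 1, 0, 0, 0, 0xE0, 0x0102)
    optional = struct.pack("<H", 0x10B)  # PE32 optional-header magic
    return bytes(dos) + PE_SIGNATURE + coff + optional + b"\x00" * 64


# Constructed sample: what a C2 fetch stage might write to disk.
SAMPLE_DOWNLOADS = {
    "keylogger.tar.gz": build_fake_pe32(),              # lies about its type
    "real_archive.tar.gz": GZIP_MAGIC + b"\x08\x00" + b"\x00" * 32,
    "viewer.exe": build_fake_pe32(),                    # honest extension
}


if __name__ == "__main__":
    for name in scan_downloads(SAMPLE_DOWNLOADS):
        print(f"{name}: extension/content mismatch ({classify(SAMPLE_DOWNLOADS[name])})")
```

The same check is worth running on a proxy or sandbox: an HTTP response whose URL ends in .tar.gz but whose body begins with MZ is anomalous regardless of which malware family produced it.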

Cofense says that each module was developed by a third party and is not the original work of the WSH RAT creator.

The malware strain is actively being sold in underground forums on a $50 per month subscription basis. The sellers are attempting to gain customers by waxing eloquent about WSH RAT's WinXP -- Win10 compatibility, evasion techniques, credential-stealing capabilities, and more.

HWorm has previously been spotted in attacks against the energy sector. According to FireEye, it is likely the developer of the malware is based in Algeria and has ties to another malware developer, responsible for the njw0rm and njRAT/LV strains, due to similarities spotted within their code bases.

Tom Dillon