New WSH RAT Malware Targets Bank Customers with Keyloggers

Security researchers have discovered an ongoing phishing campaign distributing a new remote access trojan (RAT) and actively targeting commercial banking customers with keyloggers and information stealers.

The new malware, dubbed WSH Remote Access Tool (RAT) by its creator, is a variant of the VBS (Visual Basic Script) based Houdini Worm (H-Worm) first created and spread in 2013.

Besides being ported to JavaScript and using a different User-Agent string and delimiter character when communicating with its command-and-control (C2) server, WSH RAT is basically identical to H-Worm.

WSH RAT comes packed with "features"

"WSH is likely a reference to the legitimate Windows Script Host, which is an application used to execute scripts on Windows machines," according to Cofense's research team, the ones which discovered the new RAT.

Additionally, WAS RAT is heavily marketed by its development team seeing that, while only being released on June 2, it is already actively being distributed via a phishing campaign in the form of malicious URLs, as well as MHT and ZIP files.

The RAT allows its buyers to launch attacks capable of stealing passwords from their victims' web browsers and email clients, controlling their targets' computers remotely, uploading, downloading, and executing files, as well as executing remote scripts and commands.

It also features keylogging capabilities, makes it possible to kill anti-malware solutions and disable the Windows UAC, with batch issuing commands to all compromised victims also being an option.

Right now, its creators are selling it under a subscription-based model, with all features being unlocked for customers willing to pay $50 per month.

WSH RAT phishing campaign

As detailed in the beginning, the phishing attacks which distribute WSH RAT malicious email attachments — in URL, ZIP, or MHT format— are actively targeting customers of commercial banks by redirecting them to download ZIP archives containing the RAT payload.

Once the targets execute the malicious payload downloaded on their computers using configuration structure and C2 communication infrastructure identical to H-Worm's.

After reaching out to the C2 server, WSH RAT will download and drop three additional malicious payloads on the victims' compromised machines in the form of PE32 executable files camouflaged as .tar.gz archives, as part of the second stage.

The three malicious tools are a keylogger, a mail credential viewer, and a browser credential viewer developed by third parties and used by the campaign operators to collect credentials and other sensitive information.

As the Cofense researchers discovered, "This re-hash of Hworm proves that threat operators are willing to re-use techniques that still work in today’s IT environment."

Also, "The phishing campaign that delivered the .zip containing a MHT file was able to bypass the Symantec Messaging Gateway’s virus and spam checks" and successfully infected its targets.

A list of indicators of compromise (IOCs) containing URLs, IP addresses, and MD5 malware sample hashes is provided by Cofense at the end of their WSH RAT report.

Comments are closed.