430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Hackers Steal Data of 4.38 Million Aflac Japan Customers|Apple Fixes WebKit Flaws in iOS and macOS, With Help From AI Tools|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Hackers Steal Data of 4.38 Million Aflac Japan Customers|Apple Fixes WebKit Flaws in iOS and macOS, With Help From AI Tools|
Advertisement

Ad Placeholder

Full Width × 90

Breaking News

New phishing campaign targets bank customers with WSH RAT

Security researchers at Cofense have spotted a phishing campaign aimed at commercial banking customers distributing a new remote access trojan (RAT) tracked as WSH RAT. Security experts at Cofense Phishing Defence Center have spotted a phishing campaign aimed at commercial banking customers that is distributing a new remote access trojan tracked as WSH RAT. The […]

WSH RAT attack

Security researchers at Cofense have spotted a phishing campaign aimed at commercial banking customers distributing a new remote access trojan (RAT) tracked as WSH RAT.

Security experts at Cofense Phishing Defence Center have spotted a phishing campaign aimed at commercial banking customers that is distributing a new remote access trojan tracked as WSH RAT.

The name WSH likely refers to the legitimate Windows Script Host, which is an application used to execute scripts on Windows machines.

Threat actors are using the RAT to deliver keyloggers and information stealers.

“The Cofense Phishing Defense Center™ (PDC)  and Cofense Intelligence™ have identified a new variant of Houdini Worm targeting commercial banking customers with campaigns containing either URLs, .zip, or .mht files.” reads the analysis published by Cofence. “This new variant is named WSH Remote Access Tool (RAT) by the malware’s author and was released on June 2, 2019. Within five days, WSH RAT was observed being actively distributed via phishing. “

WSH Remote Access Tool (RAT) is a variant of the VBS (Visual Basic Script) based Houdini Worm (H-Worm) that first appeared in the threat landscape in 2013 and was updated in 2016.

WSH Remote Access Tool (RAT) differs from Houdini because it is in JavaScript and uses a different User-Agent string and delimiter character when communicating with its command-and-control (C2) server.

The phishing messages contain an MHT file that includes a href link which once opened, will direct victims to a .zip archive containing a version of WSH RAT.

WSH RAT attack

The RAT allows attackers to steal sensitive data, including passwords from victims’ browsers and email clients, it also implements keylogging capabilities. The experts pointed out that the RAT allows to remotely control the victim’s systems, it is also able to kill anti-malware solutions and disable the Windows UAC.

The authors of the malware are offering for rent the WSH RAT, buyers can pay a subscription fee of $50 per month to use all features they have implemented.

“WSH RAT is being sold for $50 USD a month and has an active marketing campaign.” continues the post. “The threat operators tout the RAT’s many features such as WinXP-Win10 compatibility, several automatic startup methods, and a large variety of remote access, evasion, and stealing capabilities.”

Once the RAT reached the C2 server, WSH RAT will download and drop three additional files having .tar.gz extension but that are actually PE32 executable files

The three downloaded payloads are a keylogger, a mail credential viewer, a browser credential viewer. The three components are from third parties and were not developed by the WSH RAT operator.

The three malicious tools are a keylogger, a mail credential viewer, and a browser credential viewer developed by third parties and used by the campaign operators to collect credentials and other sensitive information.

“This re-hash of Hworm proves that threat operators are willing to re-use techniques that still work in today’s IT environment. The phishing campaign that delivered the .zip containing a MHT file was able to bypass the Symantec Messaging Gateway’s virus and spam checks.” continues the post.

Experts published a list of indicators of compromise (IOCs).

[adrotate banner=”9″] [adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – WSH Remote Access Trojan, hacking)

[adrotate banner=”5″]

[adrotate banner=”13″]