Security researchers at Cofense have spotted a phishing campaign aimed at commercial banking customers distributing a new remote access trojan (RAT) tracked as WSH RAT.

Security experts at Cofense Phishing Defence Center have spotted a phishing campaign aimed at commercial banking customers that is distributing a new remote access trojan tracked as WSH RAT.

The name WSH likely refers to the legitimate Windows Script Host, which is an application used to execute scripts on Windows machines.

Threat actors are using the RAT to deliver keyloggers and information stealers.

“The Cofense Phishing Defense Center™ (PDC) and Cofense Intelligence™ have identified a new variant of Houdini Worm targeting commercial banking customers with campaigns containing either URLs, .zip, or .mht files.” reads the analysis published by Cofence. “This new variant is named WSH Remote Access Tool (RAT) by the malware’s author and was released on June 2, 2019. Within five days, WSH RAT was observed being actively distributed via phishing. “

WSH Remote Access Tool (RAT) is a variant of the VBS (Visual Basic Script) based Houdini Worm (H-Worm) that first appeared in the threat landscape in 2013 and was updated in 2016.

WSH Remote Access Tool (RAT) differs from Houdini because it is in JavaScript and uses a different User-Agent string and delimiter character when communicating with its command-and-control (C2) server.

The phishing messages contain an MHT file that includes a href link which once opened, will direct victims to a .zip archive containing a version of WSH RAT.

The RAT allows attackers to steal sensitive data, including passwords from victims’ browsers and email clients, it also implements keylogging capabilities. The experts pointed out that the RAT allows to remotely control the victim’s systems, it is also able to kill anti-malware solutions and disable the Windows UAC. The authors of the malware are offering for rent the WSH RAT, buyers can pay a subscription fee of $50 per month to use all features they have implemented.

“WSH RAT is being sold for $50 USD a month and has an active marketing campaign.” continues the post. “The threat operators tout the RAT’s many features such as WinXP-Win10 compatibility, several automatic startup methods, and a large variety of remote access, evasion, and stealing capabilities.”

Once the RAT reached the C2 server, WSH RAT will download and drop three additional files having .tar.gz extension but that are actually PE32 executable files.

The three downloaded payloads are a keylogger, a mail credential viewer, a browser credential viewer. The three components are from third parties and were not developed by the WSH RAT operator.

The three malicious tools are a keylogger, a mail credential viewer, and a browser credential viewer developed by third parties and used by the campaign operators to collect credentials and other sensitive information.

“This re-hash of Hworm proves that threat operators are willing to re-use techniques that still work in today’s IT environment. The phishing campaign that delivered the .zip containing a MHT file was able to bypass the Symantec Messaging Gateway’s virus and spam checks.” continues the post.

Experts published a list of indicators of compromise (IOCs).