About Cofense
About Cofense
Free Tools
Free Tools
Build Resilience
Create Transparency
Speed Response

Welcome to the Cofense Blog

Get the latest information on phishing threats and trends, BEC, ransomware and credential phishing, plus Cofense product updates.

Follow us on Social Media

Houdini Worm Transformed in New Phishing Attack

By Nick Guarino and Aaron Riley

The Cofense Phishing Defense Center™ (PDC)  and Cofense Intelligence have identified a new variant of Houdini Worm targeting commercial banking customers with campaigns containing either URLs, .zip, or .mht files. This new variant is named WSH Remote Access Tool (RAT) by the malware’s author and was released on June 2, 2019. Within five days, WSH RAT was observed being actively distributed via phishing. Figure 1 shows an example message from this campaign.

Houdini Worm (HWorm) – a misleading name because it has more in common with a bot or RAT than a worm – has existed since at least 2013 and shares extreme similarities with what are undoubtedly its malignant siblings: njRAT and njWorm. This new iteration comes ported to JavaScript (JS) from HWorm’s original codebase of Visual Basic. WSH is likely a reference to the legitimate Windows Script Host, which is an application used to execute scripts on Windows machines.

Figure 1: The phishing email delivering WSH RAT within an attachment

The email attachment contained an MHT file that are used by threat operators in the same way as HTML files. In this case, the MHT file contained an href link which when opened, directed victims to a .zip archive containing a version of WSH RAT. Figure 2 shows the URL chain to the downloaded payload.

Figure 2: The chain of URLs that lead to the .zip archive download

When executed on an endpoint, WSH RAT behaves in the same way as Hworm, down to its use of mangled Base64 encoded data. WSH RAT uses the same configuration structure that Hworm uses for this process. Figure 3 shows the extracted configuration strings from the running memory of WSH RAT. It is interesting to note that the WSH RAT configuration is an exact copy of the Hworm’s configuration, even as far as not changing the name of the default variables.

Figure 3: The extracted configuration strings from the running memory of WSH RAT

The URL structure used by WSH Rat for its Command and Control (C2) communication is identical to that employed by Hworm, as shown in Figure 4.

Figure 4: The C2 callout made by WSH RAT

Also note the extreme similarity between the C2 communications shown in Figures 5 and 6. WSH RAT prepends the id “WSHRAT” to the User-Agent string and also changes the delimiter from “<|>” to “|”, otherwise they are functionally identical.

Figure 5: An example HTTP POST made by WSH RAT

Figure 6: An example HTTP POST made by Hworm

After the initial callout to the C2, this WSH RAT sample began calling out to another URL for three separate payloads. Figure 7 shows the URL payload requests for the .tar.gz files.

Figure 7: The network traffic showing the WSH RAT downloads

The downloaded files have the .tar.gz extension but are actually PE32 executable files. The three downloaded executables were:

  • A keylogger
  • A mail credential viewer
  • A browser credential viewer

All three of these modules are from third parties and are not original work from the WSH RAT operator. Figure 8 shows the programs running and the property information from the three executables downloaded by WSH RAT.

Figure 8: The programs and details of the three downloaded executables

Getting Past the Email Gateway

WSH RAT is being sold for $50 USD a month and has an active marketing campaign. The threat operators tout the RAT’s many features such as WinXP-Win10 compatibility, several automatic startup methods, and a large variety of remote access, evasion, and stealing capabilities as shown in Figure 9.

Figure 9: WSH RAT’s marketing campaign

This re-hash of Hworm proves that threat operators are willing to re-use techniques that still work in today’s IT environment. The phishing campaign that delivered the .zip containing a MHT file was able to bypass the Symantec Messaging Gateway’s virus and spam checks, shown in Figure 10, and make it to the endpoint.

Figure 10: Symantec Messaging Gateway checks made on the phishing email

Cofense™ Can Help

This threat exhibits the ease with which new malware can be developed, purchased, and weaponized. With a small investment in cheap command and control infrastructure and an easy-to-purchase malware-as-a-service, a threat actor with otherwise limited capabilities can knock on the door of a large financial company’s network in no time.

Luckily, the Cofense Phishing Defense Center was alerted to this phishing email and stifled it before any damage occurred. The customer uses Cofense PhishMeTM to help employees identify phish and Cofense ReporterTM to notify security teams. It’s a combination that works—against plug and play threats and a whole lot more.


hxxp://futuroformacion[.]es/moodle/calendar/amd/BANK DETAILS CONFIRMATION_PDF[.]zip






All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks.