Beware of the Houdini Trojan, or You Might Lose Control over Your Online Banking

For as little as $50 per month, wannabe cybercriminals can go on a popular hacking forum and rent what has been advertised as WSH Remote Access Tool (RAT). As we'll find out in a moment, at least some of them seem to be doing it. What they might not know, however, is that WSH RAT is actually the newest version of Houdini – an information-stealing malware that has been around for nearly six years.

Researchers from Cofense first spotted the WSH RAT ads on June 2, and less than five days later, they saw the malware in active spam campaigns. The Houdini connection was visible as soon as the experts peaked inside the code. The configuration, the default variables, and even the URL structure of the Command and Control (C&C) infrastructure were identical to the ones found in older versions of the Houdini malware.

The name Houdini comes from the online alias the malware's author used when the RAT was first analyzed by FireEye back in 2013. Believed to be from Algeria, the same hacker is likely responsible for the njworm and njRAT operations as well, and for the new incarnation of Houdini, he/she decided not to bother with too many changes. Cofense's experts did note that the codebase has been ported from Visual Basic to JavaScript, but they didn't report on any other new features. Apparently, Houdini's author followed the "If it's not broken, don't fix it" motto.

A well-thought-through spam campaign

Judging by Cofense's report, the criminals distributing Houdini's latest version have been busy. The screenshots show that the emails are well-formatted, there aren't any particularly obvious grammatical errors, and the body of the message provokes a sense of urgency that should trick the victim into triggering the infection chain.

The researchers have seen emails with clickable links and attachments that come in the form of ZIP or MHT files. An MHT file works like a normal HTML document and redirects the victim to an archive that contains the Houdini payload.

Houdini's first job after execution is to phone home and send some technical information on the compromised system. After that, it settles down and waits for commands. The RAT can, among other things, delete files and folders, kill processes, upload information to the C&C, alter startup entries, restart or shut down the PC, etc. When Cofense's researchers ran the sample they found, however, Houdini acted as a dropper.

Houdini downloads third-party modules

After the initial C&C communication, the newest version of Houdini contacted a different URL and downloaded three files with a .tar.gz extension. Cofense later learned that in reality, the three files were malicious Windows executables.

One of them was responsible for compromising login credentials from email clients, the second one was stealing passwords saved in the browser, and the third one came with standard keylogging capabilities. Cofense's experts seem confident that these additional payloads weren't developed by Houdini's original author, which suggests that the people paying the monthly subscription might be adding some of their own tricks to make the attacks more effective.

The emails impersonate banks with large customer bases which suggests that the crooks' ultimate goal is most likely to compromise victims' online banking accounts, and the fact that they have defeated some spam filters shows that the threat is very real. Treating every single message, especially the ones purportedly coming from your bank, with respect is very important.