Recorded Future security researchers recently discovered that the Houdini worm has been posted hundreds of times on paste sites over the past several months.
Also known as H-Worm, Houdini has been around since 2013, and was said in 2014 to have been created by Naser Al Mutairi from Kuwait. Later that year, the malware was reportedly used in APT campaigns in the Asia-Pacific region, while last year it was associated with the Moonlight espionage campaign targeting the Middle East.
Earlier this year, after noticing an increase in malicious Visual Basic scripts (VBscript) posted on paste sites, Recorded Future had a closer look into the matter and discovered that most of the scripts were Houdini. Moreover, a single actor was found to be partially responsible for the identified malicious VBscripts posted on said sites.
“The individual(s) reusing this Houdini VBscript are continually updating with new command and control servers,” Recorded Future’s Daniel Hatheway explains in a blog post.
Analysis of the script variants revealed not only that they could connect to the defined command and control (C&C) server, but also that, after establishing connection, the malware would copy itself to a directory and then create a registry key in a startup location to achieve persistence.
Overall, the security researchers discovered a total of 213 posts to paste sites as of April 26. These included 105 unique subdomains, 1 domain, and 190 hashes. Thus, they concluded that some of the posts were exact matches, while others used the same domain but contained other changes within the VBscript.
Further analysis revealed that the domains and subdomains used are from a dynamic DNS provider, and that some of the active malware samples would communicate to at least one of the paste sites, in addition to the host defined in one of the VBscript.
The subdomains registered at a dynamic DNS provider didn’t prove helpful in terms of registration data, but one domain, microsofit[.]net, helped the researchers determine that the individual registering the domain used the name “Mohammed Raad.” The actor also used the email “vicsworsbaghdad@gmail.com” and set Germany as their country.
While the Houdini posts on paste sites were published from guest accounts and couldn’t be tied to a single person, the subdomains associated with the VBscripts appeared to be a play on the name “Mohammed Raad,” thus linking the malware to the microsofit[.]net domain.
“A Google search on “Mohammed Raad” revealed a Facebook profile of an individual who claims to be part of “Anonymous,” from Germany, and uses “Vicswors Baghdad” as an alias. This profile is identical to the registration information from microsofit[.]net,” Hatheway notes.
What’s more, the Facebook profile was found to display a recent conversation pertaining to an open source ransomware called “MoWare H.F.D”. Thus, the researcher concluded that the same actor might be studying, testing, and possibly configuring the ransomware.
A closer look at the screenshot posted on the “vicsworsbaghdad” Facebook profile revealed that the ransomware is available by commenting on the creator’s YouTube video. Next, the security researcher discovered that an account “Vicswors Baghdad” commented asking for information about the download.
The account, Hatheway says, uses the same email “vicsworsbaghdad@gmail.com” as the registration of microsofit[.]net. Moreover, the researcher discovered a profile for “Vicswors Baghdad” on 0day[.]today, but no activity was associated with it.