Researchers have spotted and tracked a new campaign aimed at tricking employees of US financial firms and banks into downloading Houdini Malware, a self-propagating malware strain.
In addition to its C2 (command-and-control) functionality, the Houdini remote access trojan (RAT) possesses the ability to move laterally, leveraging removable drives. This malware does not possess a native ransomware component. However, it is a RAT and has the ability to download and execute additional components from the C2. Those components could be ransomware or any other malware.
So it’s no surprise that cybercriminals are going where the money is – in this case, literally. Campaigns seeking to compromise business endpoints by using a combinations of tactics inbclude:
- Reputation Jacking – files are hosted on Google’s Cloud Storage (storage.googleapis.com). This use of well-known, popular hosting services helps to avoid detection
- Archived Files – files linked in these campaigns are zip or gz archive files, blurring the malicious payload
- Links over Attachments – links to Google’s Cloud Storage are less likely to be flagged as suspicious than an attachment
- Scripting – .vbs and .jar files are used as droppers
- Script Obfuscation – all of the scripts are obfuscated three levels via VBScript.
- Contextual filenames – because financial institutions are the target, the names like “remittance invoice” and “transfer invoice” are used
- Socially Engineered – traditional social engineering tactics, specific recipients, and requests appropriate for their role are used
The end goal of the attack is to install a remote access trojan (RAT) from the Houdini/jRAT malware family to take control of the endpoint, likely to gain access to internal financial applications.
As attackers use more and more sophisticated attacks like the one outline above, it’s important to focus on the one part of the equation that hasn’t changed – the attack requires a user. Without someone falling for the scam, this attack is powerless.
Think before you click!