A threat actor from Germany appears to be behind the spread of the Houdini malware via Pastebin and similar paste sites, and is also actively modifying an open source ransomware variant called MoWare H.F.D.
According to Recorded Future analyst Daniel Hatheway, there have been three distinct spikes in malicious Visual Basic scripts (VBScript) posted to paste sites, the majority of them the Houdini worm. Houdini first appeared in 2013 and was updated in 2016; the new spikes occurred last August and October, and in March of this year.
“The individual(s) reusing this Houdini VBScript are continually updating with new command and control servers,” Hatheway said in an analysis. “The VBScript communicates to the C2 server defined within the script. It then copies itself into a directory and establishes persistence by creating a registry key in one of the startup locations.”
In all, Recorded Future uncovered 213 malicious posts to paste sites, yielding 190 distinct file hashes and command-and-control addresses spread across 105 subdomains under a single domain. That domain and its subdomains belong to a dynamic DNS provider, and because all of the Houdini VBScript pastes were published from guest accounts, attribution was difficult.
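As an added example (not from the article, Recorded Future or the Houdini author), the following Python triage helper shows what "C2 defined within the script", self-copy and "persistence via a startup registry key" look like when hunting Houdini-style VBScript on paste sites: it pulls the hard-coded host, port and install directory out of the configuration header, flags the Run-key write, the self-copy and the hidden `wscript.exe //B` launch, checks the host against a dynamic-DNS suffix list, and computes the SHA-256 that would be matched against a hash set like the 190 reported here. The sample paste is constructed in the style of the public Houdini/H-worm source; the variable names `host`, `port` and `installdir`, the regexes and the dynamic-DNS suffix list are assumptions for illustration, not indicators taken from the report.

```python
"""Triage helper for Houdini/H-worm style VBScript pastes (added example).

Assumptions (not taken from the Recorded Future report): the configuration
variable names host / port / installdir follow the public Houdini source,
and the dynamic-DNS suffix list below is a short illustrative list.
"""
import hashlib
import re

# Constructed sample paste in the style of a Houdini configuration header and
# install routine. Host, port and directory are made up; this is not real malware.
SAMPLE_PASTE = r'''host = "example-dynhost.ddns.net"
port = 1177
installdir = "%temp%"
lnkfile = true
lnkfolder = true
installname = wscript.scriptname
dim shellobj
set shellobj = wscript.createobject("wscript.shell")
dim filesystemobj
set filesystemobj = createobject("scripting.filesystemobject")
filesystemobj.copyfile wscript.scriptfullname, installdir & installname, true
shellobj.regwrite "HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run\" & split (installname,".")(0), "wscript.exe //B " & chr(34) & installdir & installname & chr(34), "REG_SZ"
'''

# Illustrative dynamic-DNS suffixes (assumption; extend from your own intel).
DYNAMIC_DNS_SUFFIXES = ("ddns.net", "no-ip.org", "no-ip.biz", "hopto.org",
                        "zapto.org", "duckdns.org")

# Configuration header: one assignment per line, as in the public Houdini source.
CONFIG_PATTERNS = {
    "host": re.compile(r'^\s*host\s*=\s*"([^"]+)"', re.I | re.M),
    "port": re.compile(r'^\s*port\s*=\s*(\d{1,5})\b', re.I | re.M),
    "installdir": re.compile(r'^\s*installdir\s*=\s*"([^"]*)"', re.I | re.M),
}
# Any HKLM/HKCU ...\CurrentVersion\Run or RunOnce path written by the script.
RUN_KEY_RE = re.compile(
    r'HK(?:EY_[A-Z_]+|LM|CU)\\(?:[^\\"]+\\)*currentversion\\run(?:once)?\\?', re.I)
# The worm copying its own file into the install directory.
SELF_COPY_RE = re.compile(r'\.copyfile\s+wscript\.scriptfullname\s*,', re.I)
# Windows Script Host launched in batch mode (no dialogs) from the Run key.
HIDDEN_LAUNCH_RE = re.compile(r'wscript\.exe\s+//B\b', re.I)


def extract_c2(text):
    """Return the C2 host, port and install directory hard-coded in the script."""
    cfg = {}
    for name, pattern in CONFIG_PATTERNS.items():
        m = pattern.search(text)
        cfg[name] = m.group(1) if m else None
    if cfg["port"] is not None:
        cfg["port"] = int(cfg["port"])
    return cfg


def is_dynamic_dns(host, suffixes=DYNAMIC_DNS_SUFFIXES):
    """True when the host sits under one of the known dynamic-DNS suffixes."""
    if not host:
        return False
    h = host.lower().rstrip(".")
    return any(h == s or h.endswith("." + s) for s in suffixes)


def find_persistence(text):
    """Registry Run-key paths the script writes to (startup persistence)."""
    return RUN_KEY_RE.findall(text)


def triage(text):
    """Summarise one paste: hash for IOC matching, C2, persistence, behaviours."""
    c2 = extract_c2(text)
    return {
        "sha256": hashlib.sha256(text.encode("utf-8")).hexdigest(),
        "c2": c2,
        "dynamic_dns": is_dynamic_dns(c2["host"]),
        "persistence": find_persistence(text),
        "self_copy": bool(SELF_COPY_RE.search(text)),
        "hidden_launch": bool(HIDDEN_LAUNCH_RE.search(text)),
    }


def is_houdini_like(report):
    """Heuristic verdict: hard-coded C2, Run-key persistence and self-copy together."""
    return (report["c2"]["host"] is not None
            and bool(report["persistence"])
            and report["self_copy"])


if __name__ == "__main__":
    for key, value in triage(SAMPLE_PASTE).items():
        print(f"{key}: {value}")
```

Run it over each raw paste collected from the guest accounts; the extracted host/port pairs give the list of C2 servers being rotated, and the hashes can be deduplicated against the set already catalogued. Because the config regexes are anchored on the Houdini variable names, a repacked or obfuscated variant will pass `extract_c2` with `None` values while the Run-key and self-copy checks still fire, which is the cue to look at the script by hand.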
Source: Info Security