A threat actor from Germany appears to be behind the propagation of the Houdini malware on Pastebin sites—as well as actively editing an open source ransomware variant called MoWare H.F.D.

According to Recorded Future analyst Daniel Hatheway, there have been three distinct spikes in malicious Visual Basic scripts (VBScript) posted on paste sites, the majority of which are the Houdini worm. Houdini first appeared in 2013 and was updated in 2016; the new spikes occurred last August and October, and in March of this year.

“The individual(s) reusing this Houdini VBScript are continually updating with new command and control servers,” Hatheway said in an analysis. “The VBScript communicates to the C2 server defined within the script. It then copies itself into a directory and establishes persistence by creating a registry key in one of the startup locations.”
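The quote above describes the two host-side artifacts a defender can look for: a copy of the script dropped into a directory and a Run-key entry that relaunches it at startup. The following is an added example, not code from the Info Security article or from Recorded Future's analysis: a small Python triage script that parses `reg query`-style output of the Run startup keys and flags entries that launch a VBScript, especially from a user-writable path. The registry dump, the `WinUpdater` and `svchost` entry names and the file paths are constructed sample data, not indicators from the page.

```python
import re
from typing import Dict, List

# Constructed sample of `reg query <key>` output for the two usual Run keys.
# reg.exe indents value lines by four spaces and separates the fields
# (name, type, data) by four spaces; the parser below relies on that layout.
# Entry names and paths are hypothetical.
SAMPLE_REG_OUTPUT = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    OneDrive    REG_SZ    "C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background
    WinUpdater    REG_SZ    wscript.exe //B "C:\Users\alice\AppData\Roaming\WinUpdater.vbs"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    SecurityHealth    REG_EXPAND_SZ    %windir%\system32\SecurityHealthSystray.exe
    svchost    REG_SZ    "C:\Users\Public\svchost.vbs"
"""

# One value line: leading whitespace, name, REG_* type, remaining data.
VALUE_LINE = re.compile(r"^\s+(\S+)\s+(REG_[A-Z_]+)\s+(.*)$")

# Heuristics for VBScript-based startup persistence.
SCRIPT_HOST = re.compile(r"\b[wc]script(\.exe)?\b", re.IGNORECASE)
VBS_FILE = re.compile(r"\.vbs\b", re.IGNORECASE)
USER_WRITABLE = re.compile(r"\\(AppData|Public|Temp|ProgramData)\\", re.IGNORECASE)


def parse_run_keys(reg_output: str) -> List[Dict[str, str]]:
    """Turn reg query output into a list of {key, name, type, data} entries."""
    entries = []
    current_key = None
    for line in reg_output.splitlines():
        if line.startswith("HKEY_"):
            current_key = line.strip()
            continue
        match = VALUE_LINE.match(line)
        if match and current_key:
            name, reg_type, data = match.groups()
            entries.append({"key": current_key, "name": name,
                            "type": reg_type, "data": data.strip()})
    return entries


def find_vbscript_persistence(reg_output: str) -> List[Dict[str, object]]:
    """Return the Run-key entries that launch a VBScript, with the reasons."""
    findings = []
    for entry in parse_run_keys(reg_output):
        reasons = []
        if SCRIPT_HOST.search(entry["data"]):
            reasons.append("invokes wscript/cscript")
        if VBS_FILE.search(entry["data"]):
            reasons.append("references a .vbs file")
        if reasons and USER_WRITABLE.search(entry["data"]):
            # Legitimate startup items rarely run scripts out of these folders.
            reasons.append("script lives in a user-writable location")
        if reasons:
            findings.append({**entry, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for hit in find_vbscript_persistence(SAMPLE_REG_OUTPUT):
        print(f"{hit['key']}\\{hit['name']}: {hit['data']}")
        print("   " + "; ".join(hit["reasons"]))
```

On a real host the input would come from `reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run` (and the HKLM equivalent) or from the `winreg` module; the matches are leads for triage, since a flagged entry still needs the referenced script pulled and inspected for the embedded C2 server the quote mentions.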


In all, Recorded Future uncovered 213 malicious posts to Pastebin sites, spread across 105 subdomains under a single domain, with 190 hashes. The domains and subdomains belong to a dynamic DNS provider, but because all of the Houdini VBScripts were published from guest accounts, attribution was difficult.

Source: Info Security
