Wshrat

WSHRAT is a Remote Access Trojan, malware that allows attackers to take over infected machines. The RAT has been in circulation since 2013 and is arguably most notable for the numerous versions released into the wild.

Type: RAT
Origin: likely Algerian
First seen: 24 September, 2013
Last seen: 7 August, 2020
Also known as: Dunihi, Houdini, H-worm, Jenxcus, Kognito
Global rank: 37
Week rank: 22
Month rank: 28
IOCs: 771

What is WSHRAT malware?

WSHRAT is a Remote Access Trojan — a type of malware that attackers use to gain remote control of machines and steal information. This particular RAT has seen several revisions, and depending on the version it’s also known as Dunihi, Houdini, H-worm, Jenxcus, and Kognito.

This RAT was first used in attacks against energy sector companies all around the world. With time, the malware became widely available and attackers used it in less coordinated attacks. The most recent version of WSHRAT changed its targets and now focuses on the banking sector.

The functionality of this RAT can vary by version, but they commonly include:

  • The ability to take screenshots.
  • The ability to modify files.
  • The ability to access email and web browser credentials.
  • The ability to manipulate and kill running system processes.

General description of WSHRAT

The malware surfaced for the first time in 2013, when it was known under the name H-worm. At the time, it was a RAT written in the VBS (Visual Basic Script) programming language. Already, some samples featured code obfuscation and the malware was packed with some advanced info-stealing functions.

The malware was developed by a user known in the underground community as Houdini. Houdini used to host a website where people could learn about the capabilities of the RAT from an explanation video. Analysis of the content allowed researchers to conclude with a high degree of certainty that Houdini is likely to be Algerian. This is mainly based on his fluent knowledge of French and Arabic.

It should be noted that while analyzing the first samples of WSHRAT, researchers found similarities in its command and control infrastructure with NjW0rm, njRat/LV, XtremeRAT, and PoisonIvy. These are all RATs operated by the njq8 cybergang. It is likely that Houdini is collaborating with the gang, or he could even be a part of the njq8 syndicate.

The malware became relatively popular and VBS versions circulated in the wild for a while. In 2015, the author came out with an announcement of his plans to rewrite the malware in the Delphi programming language.

However, another version that researchers started investigating in 2016 still used VBS. This time, the RAT came in SFX files and exhibited new behavior. For example, it would launch YouTube or open a browser URL as a decoy to hide its execution and the infection happening in the background. Among other things, the 2016 version of WSHRAT can be distinguished by its use of mixed binary and ASCII protocols over TCP.

The newest version of WSHRAT popped up in 2019. This iteration of the malware targets the commercial banking sector. The RAT was completely rewritten in JavaScript from the original Visual Basic code. However, most aspects of the updated version remained identical to the older iterations. For example, it uses the same URL structure for C2 servers and exhibits similar behavior patterns.

This version is available to purchase for 50 USD and it is heavily marketed on underground forums. In particular, the marketing campaign highlights features of the RAT such as WinXP-Win10 compatibility and a large number of information stealing and remote control functions.

Malware analysis of WSHRAT

The ANY.RUN malware hunting service provides a video, where researchers can see the execution process of WSHRAT.

Figure 1: The Wshrat process graph created by the ANY.RUN interactive malware analysis service.

WSHRAT execution process

The execution process of WSHRAT is straightforward. After the trojan makes its way into the system as a script file, it is either run directly by the wscript process or it uses system processes such as powershell and regasm for persistence and defense evasion. After it gains persistence in the system, WSHRAT starts sending requests to the C2 server for further commands and fetches additional payloads, such as modules with different functionality.

Distribution of WSHRAT

Criminals commonly distribute WSHRAT with emails that contain infected attachments. There is evidence that this RAT is used both in highly targeted attacks and in more broadly distributed email spam campaigns. Phishing is used to trick victims into installing the malware.

How to detect WSHRAT?

Sometimes valuable information about a malware family can be found in its network activity, and Wshrat is no exception. This malware sends HTTP requests to the Command & Control server using the POST method, and it names itself in the User-Agent. You can find the details in the "HTTP Requests" tab by clicking the "POST" method icon. In the window that opens, take a look at the User-Agent: if it says WSHRAT, you know which malware family you are dealing with.

Wshrat request details
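
The same check can be run outside the sandbox interface, over raw HTTP requests taken from a proxy or a reassembled capture. The following is an added example, not part of the original page or of ANY.RUN's tooling. The sample requests, hostnames, paths and the text after the family name in the User-Agent are constructed, and the "medium" tier for non-POST requests is an assumption made here.

```python
import re
from typing import NamedTuple, Optional

MARKER = "wshrat"  # family name the page says appears in the User-Agent

class Finding(NamedTuple):
    method: str
    host: str
    user_agent: str
    confidence: str  # "high" = POST + marker; "medium" = marker on another method (assumption)

def parse_request(raw: str):
    """Return (method, headers) for one raw HTTP request, or None if it is not one.
    Only the header section is read, so a body that mentions the marker is ignored."""
    head = raw.replace("\r\n", "\n").split("\n\n", 1)[0]
    lines = head.split("\n")
    m = re.match(r"^([A-Z]+) (\S+) HTTP/\d\.\d$", lines[0].strip())
    if not m:
        return None
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:  # header names are case-insensitive, so normalise them
            headers[name.strip().lower()] = value.strip()
    return m.group(1), headers

def classify(raw: str) -> Optional[Finding]:
    parsed = parse_request(raw)
    if parsed is None:
        return None
    method, headers = parsed
    ua = headers.get("user-agent", "")
    if MARKER not in ua.lower():
        return None
    confidence = "high" if method == "POST" else "medium"
    return Finding(method, headers.get("host", "?"), ua, confidence)

def scan(requests):
    return [f for f in map(classify, requests) if f is not None]

# Constructed sample requests (not real traffic, not real infrastructure).
SAMPLES = [
    "POST /constructed-path HTTP/1.1\r\nHost: c2.example.test\r\nuser-agent: WSHRAT|CONSTRUCTED-ID|HOST01\r\nContent-Length: 0\r\n\r\n",
    "POST /api/upload HTTP/1.1\r\nHost: intranet.example.test\r\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)\r\n\r\nnote=wshrat",
    "GET /constructed-path HTTP/1.1\r\nHost: c2.example.test\r\nUser-Agent: WSHRAT|CONSTRUCTED-ID|HOST01\r\n\r\n",
    "not an http request",
]

if __name__ == "__main__":
    for finding in scan(SAMPLES):
        print(finding)
```
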

Conclusion

The danger of malware like WSHRAT lies not only in its robust feature set as a RAT but also in its morphing capability. Writing it in VBS helped the attackers push out an incredible number of versions. While security researchers were busy analyzing one sample, a new iteration could be released into the wild.

In cases like this, the ability to perform research fast is of crucial importance. This is especially true if we consider that certain samples of WSHRAT use code obfuscation and encryption that render static analysis ineffective. This means that a more complicated and time-consuming dynamic analysis is a must.

Thankfully, interactive analysis services like ANY.RUN help solve this problem. ANY.RUN allows launching samples in a secure, interactive online environment, where researchers can choose a variety of system parameters that influence the flow of execution. This vastly accelerates the research process and the results are presented in real-time.

