Worm code dumped online hundreds of times, researchers find

DECCAN CHRONICLE.
Published May 28, 2017, 6:42 pm IST
Updated May 28, 2017, 6:42 pm IST
In a blog post, security researchers from Recorded Future report an increase in malicious Visual Basic scripts on paste sites

In another such incident, the code of a worm has been dumped online. Security researchers from Recorded Future found that, over the past several months, the Houdini worm has been posted hundreds of times on paste sites.

Houdini, also known as H-Worm, has been around for about four years. Back in 2014, it was reportedly used in attack campaigns in the Asia-Pacific region, while last year it was associated with an espionage campaign in the Middle East.

In a blog post, the Recorded Future researchers said they had noticed an increase in malicious Visual Basic scripts on paste sites. On closer inspection, they found that most of these scripts were in fact Houdini's code.

It also appears that a single individual was behind all these dumps. "The individual(s) reusing this Houdini VBscript are continually updating with new command and control servers," the researchers wrote.

Over 213 posts were discovered on paste sites, covering 105 unique subdomains, 1 domain, and 190 hashes. The researchers stated that some of these posts were exact matches, while others used the same domain but featured multiple other changes within the VBscript.

"After analyzing and executing one of the VBScripts in a controlled environment, we were able to confirm that the VBScript communicates to the C2 server defined within the script. It then copies itself into a directory and establishes persistence by creating a registry key in one of the startup locations," reads the report.
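The persistence step quoted above (a script that copies itself into a directory and registers itself under a startup registry key) is something defenders can check for in a host's autorun entries. The following is an added example, not code from the Recorded Future report or from this article: it assumes the Run-key values have already been exported into a dict, and the sample entries, the function names (`assess_autorun`, `scan_autoruns`) and the scoring heuristic are my own.

```python
import re

# Well-known autorun startup keys (the "startup locations" the report refers to).
STARTUP_KEYS = {
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run",
}
SCRIPT_HOST = re.compile(r"\b(wscript|cscript)(\.exe)?\b", re.I)  # Windows Script Host
VBS_FILE = re.compile(r"\.vbs\b", re.I)
USER_WRITABLE = re.compile(r"%temp%|%appdata%|\\appdata\\|\\temp\\|\\users\\public\\", re.I)

def assess_autorun(command):
    """Return the reasons one autorun command looks like VBScript persistence."""
    reasons = []
    if SCRIPT_HOST.search(command):
        reasons.append("launched via Windows Script Host")
    if VBS_FILE.search(command):
        reasons.append("runs a .vbs file")
    if USER_WRITABLE.search(command):
        reasons.append("path is in a user-writable directory")
    return reasons

def scan_autoruns(entries):
    """entries: {registry_key: {value_name: command}} as exported from the registry.
    Returns {'key\\value_name': (severity, reasons)} for startup entries that run
    a .vbs: 'high' if the script lives in a user-writable path, else 'review'
    (admin logon scripts do exist, so those need a human look, not an alert)."""
    findings = {}
    for key, values in entries.items():
        if key not in STARTUP_KEYS:
            continue  # not a startup location
        for name, command in values.items():
            reasons = assess_autorun(command)
            if "runs a .vbs file" not in reasons:
                continue
            severity = "high" if "path is in a user-writable directory" in reasons else "review"
            findings[key + "\\" + name] = (severity, reasons)
    return findings

# Constructed sample registry export; none of these are indicators from the report.
SAMPLE_AUTORUNS = {
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run": {
        "OneDrive": r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
        "Update": r'wscript.exe //B "C:\Users\alice\AppData\Roaming\update.vbs"',
    },
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run": {
        "Backup": r'cscript.exe "C:\Program Files\Backup\nightly.vbs"',
    },
}
```

Running `scan_autoruns(SAMPLE_AUTORUNS)` flags the `Update` value as high (script host, .vbs, user-writable path) and the `Backup` value for review, while the OneDrive entry is ignored because it runs no script.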

Some of the sub-domains appeared to be a play on the name Mohammed Raad. Running the name through Google returns a Facebook profile of an individual who claims to be part of Anonymous in Germany and uses Vicswors Baghdad as an alias.

...
