The code appears on hundreds of posts on paste sites

May 27, 2017 20:41 GMT  ·  By

The code of yet another worm has been dumped online, security researchers from Recorded Future found. Over the past several months, the Houdini worm has been posted hundreds of times on paste sites.

Houdini, also known as H-Worm, has been around for about four years. Back in 2014, it was reportedly used in attack campaigns in the Asia-Pacific region, while last year it was associated with an espionage campaign in the Middle East.

According to a blog post by the Recorded Future researchers, they noticed an increase in malicious Visual Basic scripts on paste sites. On closer inspection, they found that most of these scripts were actually Houdini's code.

What's more, it seems that a single individual was behind all these dumps. "The individual(s) reusing this Houdini VBScript are continually updating with new command and control servers," the researchers wrote.

In total, 213 posts were discovered on paste sites, which included 105 unique subdomains, 1 domain, and 190 hashes. Researchers say that some of these posts were exact matches, while others used the same domain but featured multiple other changes within the VBScript.

"After analyzing and executing one of the VBScripts in a controlled environment, we were able to confirm that the VBScript communicates to the C2 server defined within the script. It then copies itself into a directory and establishes persistence by creating a registry key in one of the startup locations," reads the report.

The analysis further shows that the domains and subdomains discovered in the pastes belong to a dynamic DNS provider. Some of the active malware samples communicate with at least one of the paste sites, as well as with the host defined in one of the VBScripts.
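The report says the script persists by writing a registry key in one of the startup locations. The following PowerShell is an added defender-side check, not code from the report or from the worm: it lists entries in the common Run/RunOnce keys and Startup folders that launch a VBScript, which is the kind of entry an administrator would expect to see on an infected host. Which exact startup location Houdini uses is not stated in the article, so the list of keys below is an assumption covering the usual ones.

```powershell
# Added example: hunt for VBScript launchers in common startup locations.
# The registry keys and folders checked here are the usual autostart
# locations; the report does not say which one Houdini actually uses.
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

$startupDirs = @(
    [Environment]::GetFolderPath('Startup'),        # per-user Startup folder
    [Environment]::GetFolderPath('CommonStartup')   # all-users Startup folder
)

$findings = @(
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($name in $props.PSObject.Properties.Name) {
            if ($name -like 'PS*') { continue }   # skip provider metadata (PSPath etc.)
            $value = [string]$props.$name
            # Flag values that reference a .vbs file or the script hosts directly
            if ($value -match '\.vbs\b' -or $value -match '\b[wc]script(\.exe)?\b') {
                [pscustomobject]@{ Location = $key; Name = $name; Command = $value }
            }
        }
    }
    foreach ($dir in $startupDirs) {
        if (-not (Test-Path $dir)) { continue }
        # A .vbs dropped here runs at logon without any registry entry at all
        Get-ChildItem -Path $dir -Filter '*.vbs' -File -ErrorAction SilentlyContinue |
            ForEach-Object {
                [pscustomobject]@{ Location = $dir; Name = $_.Name; Command = $_.FullName }
            }
    }
)

if ($findings.Count -gt 0) {
    $findings | Format-Table -AutoSize
} else {
    'No VBScript launchers found in Run/RunOnce keys or Startup folders.'
}
```

Any hit should be compared against the hashes and C2 hosts published in the report before being treated as Houdini; legitimate logon scripts also appear in these locations.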

Who's behind it all?

Some of the subdomains appeared to be a play on the name Mohammed Raad. Running the name through Google returns a Facebook profile of an individual who claims to be part of Anonymous in Germany and uses Vicswors Baghdad as an alias.

Researchers believe that this actor may also be involved in testing out and possibly configuring an open source ransomware called MoWare H.F.D.