New WSH Malware Targets Banking Customers

The threat actors behind the H-W0rm/Houdini malware released a new variant, dubbed “WSH,” which was observed in phishing campaigns targeting financial institutions and their customers. The actors masquerade as legitimate banks, such as HSBC, and send users .mht web archive files that, when opened, direct them to a .zip archive containing the malware. Once downloaded, the malware retrieves additional executables that provide a Windows keylogger, a mail credential viewer, and a browser credential viewer, with the ultimate goal of stealing user account credentials. WSH is currently sold on underground forums as a $50-per-month subscription. The NJCCIC recommends users avoid clicking on links and opening attachments from unsolicited or unexpected emails, even those appearing to be from known companies. Users are advised instead to navigate to websites by manually typing the URL into the address bar of their browser. Additionally, educating end users about this and similar threats can reduce victimization. Additional details may be found in the Cofense post.
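
A mail-gateway triage check for the delivery chain described above, as an added example that is not part of the original advisory: it flags .mht/.mhtml attachments whose decoded HTML references a .zip URL. It assumes the archive location appears as a plain http(s) URL in the web archive's HTML part; the sample message, addresses and example.test hosts are constructed.

```python
import email
import re
from email import policy
from email.message import EmailMessage

# Assumption: the .zip location is a plain http(s) URL in the archive's HTML part.
URL_RE = re.compile(r"""https?://[^\s"'<>]+""", re.I)

# Constructed sample: a minimal MHTML document with a quoted-printable HTML part.
SAMPLE_MHT = (
    b"MIME-Version: 1.0\r\n"
    b'Content-Type: multipart/related; boundary="b1"; type="text/html"\r\n\r\n'
    b"--b1\r\n"
    b"Content-Type: text/html; charset=utf-8\r\n"
    b"Content-Transfer-Encoding: quoted-printable\r\n\r\n"
    b'<a href=3D"https://files.example.test/doc/statement.zip">View</a>\r\n'
    b"--b1--\r\n"
)

def build_sample_eml():
    """Constructed phishing-style message carrying SAMPLE_MHT as an attachment."""
    m = EmailMessage()
    m["From"], m["To"] = "alerts@bank.example.test", "user@example.test"
    m["Subject"] = "Payment advice"
    m.set_content("See attached.")
    m.add_attachment(SAMPLE_MHT, maintype="application",
                     subtype="octet-stream", filename="advice.mht")
    return m.as_bytes()

def zip_links_in_mht(mht_bytes):
    """MHTML is itself a MIME message: decode its HTML parts, return .zip URLs."""
    doc = email.message_from_bytes(mht_bytes, policy=policy.default)
    hits = []
    for part in doc.walk():
        if part.get_content_type() == "text/html":
            for url in URL_RE.findall(part.get_content()):
                if url.split("?", 1)[0].split("#", 1)[0].lower().endswith(".zip"):
                    hits.append(url)
    return hits

def triage(eml_bytes):
    """Return {filename: [zip URLs]} for every .mht/.mhtml attachment."""
    msg = email.message_from_bytes(eml_bytes, policy=policy.default)
    findings = {}
    for att in msg.iter_attachments():
        name = att.get_filename() or ""
        if name.lower().endswith((".mht", ".mhtml")):
            findings[name] = zip_links_in_mht(att.get_payload(decode=True) or b"")
    return findings
```

Parsing the attachment as MIME before searching matters because the HTML inside a web archive is usually quoted-printable or base64 encoded, so a raw byte search for the URL can miss it.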