Monday, September 2, 2019

WSH RAT and the link to unknowcrypter and Fudcrypt

There are plenty of malspam campaigns using the the code "MT103" from SWIFT to claim some kind of payments. 


However, recently there was one in particular using some malicious JavaScript as an attachment quite interesting. Some samples of the campaign can be found here and here 

The payload in those campaigns delivered the malware "wsh RAT".  This malware family is quite new, however the actor behind is not new at all, but linked to some other crypters services mentioned in this blog.

Analysis of the code - overlap with Uknowncrypter and Fudcrypt

While I did the analyses of the sample here I found several interesting points which I will detail here.

The obfuscation mechanism used is very similar in terms of the 'algorithm' and base64 encoding to the one used in unknowcrypter and Fudcrypter 

The final decoded payload leads to some interesting indicators.

This code is similar  Vjw0rm  which is used by unknowcrypter. Also, the host "unknownsoft.duckdns[.]org" was used by uknowncrypter at some point.  
But the most interesting aspect is the skype ID "unknown.sales64"
The skype ID is linked to the domain http[:]//www.wshsoftware[.]site where WSH RAT is sold.

The capabilities of this RAT are described in the website:

A full video of the capabilities of this RAT is also linked in the main website

According to the video and some screenshots the malicious payload can be generated in VBS and JS

Unknowcrypter generates JavaScript code while Fudcrypt VBS code, however the code in essence was the same in both cases, as showed in the post here 

The domain wshsoftware[.]site has been registered with the email address stonexevans@gmail[.]com

This same email address was used to register the domain "fudcrypt[.]com" which was used to sell Fudcrypt service at some point

So "WSH RAT", "unknowcrypter" and "Fudcrypt" are linked between them

In the next blog I will dig into the code and capabilities of the malware