However, recently there was one in particular using some malicious JavaScript as an attachment quite interesting. Some samples of the campaign can be found here and here
The payload in those campaigns delivered the malware "wsh RAT". This malware family is quite new, however the actor behind is not new at all, but linked to some other crypters services mentioned in this blog.
Analysis of the code - overlap with Uknowncrypter and Fudcrypt
While I did the analyses of the sample here I found several interesting points which I will detail here.
The obfuscation mechanism used is very similar in terms of the 'algorithm' and base64 encoding to the one used in unknowcrypter and Fudcrypter
The final decoded payload leads to some interesting indicators.
This code is similar Vjw0rm which is used by unknowcrypter. Also, the host "unknownsoft.duckdns[.]org" was used by uknowncrypter at some point.
But the most interesting aspect is the skype ID "unknown.sales64"
The skype ID is linked to the domain http[:]//www.wshsoftware[.]site where WSH RAT is sold.
The capabilities of this RAT are described in the website:
A full video of the capabilities of this RAT is also linked in the main website
https://youtu.be/rdG16vk9qNQ
According to the video and some screenshots the malicious payload can be generated in VBS and JS
Unknowcrypter generates JavaScript code while Fudcrypt VBS code, however the code in essence was the same in both cases, as showed in the post here
The domain wshsoftware[.]site has been registered with the email address stonexevans@gmail[.]com
This same email address was used to register the domain "fudcrypt[.]com" which was used to sell Fudcrypt service at some point
So "WSH RAT", "unknowcrypter" and "Fudcrypt" are linked between them
In the next blog I will dig into the code and capabilities of the malware
