Friday, October 4, 2019

Fudcrypt using H-Worm from WSH RAT

The Fudcrypt builder, like the WSH RAT builder, uses HWorm. The latest version of the builder, from the 24th of September, provides some interesting insight:


In the case of Fudcrypt, compared with WSH RAT, the HWorm payload (in VBS) is not included as a resource but is pulled from a remote URL. This payload is then obfuscated by a routine in the builder. The code of the routine is below:

The interesting part is that the plaintext payload (HWorm) contains "live:unknown.sales64". unknown.sales64 is the actor behind WSH RAT, and this Skype ID is always present in the header of the HWorm payload, in both the VBS and JS versions.

The User-Agent is also "WSHRAT".
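The two indicators above (the Skype contact string in the HWorm header and the "WSHRAT" User-Agent) are enough to build a small triage check. The script below is an added example and not code from the post or from either builder: it scans a (deobfuscated) script for the Skype ID and a set of proxy log lines for the beacon User-Agent. The sample VBS header, the hostname c2.example.invalid and the proxy log layout are constructed for illustration; only the two indicator strings come from the post.

```python
"""Triage check for the WSH RAT / Fudcrypt indicators described above.

Constructed sample data; only "live:unknown.sales64" and "WSHRAT" come from the post.
"""
import re
from typing import Iterable, List, Optional

# Indicator 1 (from the post): the plaintext HWorm payload carries the seller's
# Skype contact in its header.
SKYPE_ID_RE = re.compile(r"live:unknown\.sales64", re.IGNORECASE)

# Indicator 2 (from the post): the implant beacons with User-Agent "WSHRAT".
UA_RE = re.compile(r"^WSHRAT\b", re.IGNORECASE)

# Constructed sample header. The comment layout is an assumption; only the
# Skype ID string itself is taken from the post.
SAMPLE_VBS = (
    "'<[ skype : live:unknown.sales64 ]>\r\n"
    'host = "c2.example.invalid"\r\n'
    "port = 5050\r\n"
)

# Constructed proxy log lines in a simple 'ts src method url status "ua"' layout
# (an assumption; adapt parse_log_line() to the real proxy's format).
SAMPLE_LOGS = [
    '2019-10-04T10:00:00Z 10.0.0.7 POST http://c2.example.invalid:5050/is-ready 200 "WSHRAT"',
    '2019-10-04T10:00:01Z 10.0.0.8 GET http://www.example.com/ 200 "Mozilla/5.0"',
    '2019-10-04T10:00:02Z 10.0.0.9 POST http://c2.example.invalid:5050/is-ready 200 "wshrat"',
]

LOG_RE = re.compile(
    r'^(?P<ts>\S+) (?P<src>\S+) (?P<method>\S+) (?P<url>\S+) '
    r'(?P<status>\d{3}) "(?P<ua>[^"]*)"$'
)


def script_has_skype_id(text: str) -> bool:
    """True if the script text carries the HWorm header contact string.

    Only works on the plaintext payload: with Fudcrypt the string is hidden
    behind the obfuscation layer until the dropper decodes it at runtime.
    """
    return SKYPE_ID_RE.search(text) is not None


def parse_log_line(line: str) -> Optional[dict]:
    """Parse one constructed proxy log line into its fields, or None if malformed."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def user_agent_hits(lines: Iterable[str]) -> List[dict]:
    """Return parsed log entries whose User-Agent matches the WSHRAT beacon."""
    hits = []
    for line in lines:
        entry = parse_log_line(line)
        if entry and UA_RE.match(entry["ua"]):
            hits.append(entry)
    return hits


def triage(script_text: str, log_lines: Iterable[str]) -> dict:
    """Combine both checks into a summary: header hit, beaconing hosts, C2 URLs."""
    hits = user_agent_hits(log_lines)
    return {
        "skype_id_present": script_has_skype_id(script_text),
        "beacon_sources": sorted({h["src"] for h in hits}),
        "c2_urls": sorted({h["url"] for h in hits}),
    }


if __name__ == "__main__":
    print(triage(SAMPLE_VBS, SAMPLE_LOGS))
```

The User-Agent match is case-insensitive on purpose so a re-cased string does not slip past it. Because the Skype ID sits in the plaintext HWorm header, the script check is only useful on the decoded payload (a memory dump, script-host telemetry, or the sample after the Fudcrypt obfuscation routine has been reversed), while the User-Agent check works directly on network logs.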

In terms of code and functionality, the HWorm used by Fudcrypt is not the latest version used in WSH RAT. It is possible the Fudcrypt actors don't have access to the latest version of WSH RAT, where the newer code is used.

With Fudcrypt it is also possible to 'crypt' Java files. In order to do that, the builder ships with a full Java JRE:

The code that creates and 'crypts' the Java payload works in a similar way to the VBS one.

WSH RAT - Analysis of the code

Analysis of the code - capabilities of WSH RAT

In a previous post I wrote about the link between WSH RAT and some other crypter services, so in this post I'm going to dig a bit into the analysis of the code.

In essence, WSH RAT generates malicious JS or VBS based on the HWorm, and a good write-up about the functionalities of version  2.0 of HWorm has been recently done by   in this post, but I will add a couple of interesting things.

WSH RAT builder

I took a look at one of the WSH RAT builders from a few months back (a version from July).
The builder also acts as the C2.

The first interesting aspect is that the malicious payload, which is HWorm (in both VBS and JS), is included in the resources of the builder.

WSH RAT plugins

All the additional plugins (RDP, file manager, offline keylogger, etc.) are fetched from URLs hard-coded in the builder itself. This means the plugins are hosted on a system owned by the developer of the builder, so the criminal using the builder has no control over the plugins being pushed to the infected system:

In the post from   the additional plugins are hosted in the domain "doughnut-snack[.]live" which is registered with the account  

unknown.sales64 is the Skype ID of the person behind the builder, who sells the service on wshsoftware[.]site.

Password stealer

The password stealer capability is based on the PasswordStealer tool from the @trestacon GitHub account.

Download and Execute / Upload and Execute

WSH RAT is used to deploy additional malware. As mentioned previously, the builder also acts as the C2.

The additional payload can be pushed in two different ways: downloading the file from an external URL, or uploading the file through the WSH RAT builder. The code for both methods is below: