Security experts at Recorded Future tracked a German hacker for the propagation of the Houdini worm through Pastebin sites.

A German hacker that goes online with the moniker Vicswors Baghdad is the responsible for the propagation of the Houdini malware on Pastebin sites.

According to the expert at Recorded Future, the same threat actor appears to be the author of an open source ransomware variant called MoWare H.F.D.

Experts at Recorded Future have observed three distinct spikes in malicious Visual Basic scripts posted on paste sites, in August, October, and in March 2017.

Most of the scripts are used to spread the Houdini worm, a threat that first appeared in 2013 and was updated in 2016.

“In early March 2017, we began to notice an increasing number of malicious VBScripts posted to paste sites. The majority of these VBScripts appeared to be Houdini. Houdini is a VBScript worm that first appeared in 2013 and was updated in 2016.” states the analysis published by Recorded Future. “The individual(s) reusing this Houdini VBScript are continually updating with new command and control servers. After further defining our search criteria, we isolated the Houdini scripts and quickly identified three distinct spikes around August, October, and March of this year.”

Recorded Future discovered 213 malicious posts to Pastebin sites, involving a single domain with 105 subdomains, the experts have found 190 hashes.

The domains and subdomains are from a dynamic DNS provider, the attribution was impossible because threat actors published the VBScript for the Houdini worm on guest accounts.

However, the experts were able to determine the name of the registrant for one domain, microsofit[.]net, it is “Mohammed Raad,” and the associated email is“vicsworsbaghdad@gmail.com,” from “Germany.”

Googling the above information, the researchers discovered a Facebook profile using the identical information. According to the profile, Mohammed Raad is a member of a German cell of Anonymous, it uses Vicswors Baghdad as an alias.

The researchers also highlighted that the Facebook profile also includes a recent conversation related to the MoWare H.F.D ransomware.

“The Facebook profile displays a recent conversation pertaining to an open source ransomware called “MoWare H.F.D”. It appears that they are studying, testing, and possibly configuring a ransomware.” continues the analysis.

“Upon further inspection of the screenshot posted on the “vicsworsbaghdad” Facebook profile, we noticed that the ransomware being configuring is an open source version available by commenting on the creator’s YouTube video. An account “Vicswors Baghdad” commented asking where he can find the file to download, to which the developer commented that they sent a private message. The account “Vicswors Baghdad” uses the same email “vicsworsbaghdad@gmail.com” as the registration of microsofit[.]net.”

Further details, including the threat actor profile, are available in the post published by Recorded Future.

Pierluigi Paganini

(Security Affairs – Houdini Worm, hacking)

Share this...

Linkedin Reddit Pinterest

Share On