A threat actor from Germany that goes by the handle Vicswors Baghdad appears to be behind the propagation of the Houdini malware on Pastebin sites—as well as actively editing an open source ransomware variant called MoWare H.F.D.
According to Recorded Future analyst Daniel Hatheway, there have been three distinct spikes in malicious Visual Basic scripts (VBScript) posted on paste sites, the majority of which are the Houdini worm. Houdini first appeared in 2013 and was updated in 2016; the new spikes occurred last August and October, and in March of this year.
“The individual(s) reusing this Houdini VBScript are continually updating with new command and control servers,” Hatheway said in an analysis. “The VBScript communicates to the C2 server defined within the script. It then copies itself into a directory and establishes persistence by creating a registry key in one of the startup locations.”
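As an added, defender-side illustration of the persistence pattern Hatheway describes (this is not code from Recorded Future or from the Houdini script), the following Python check flags registry writes that point a startup key at a VBScript file; the event format, key list and all sample events are constructed for this example.

```python
import re

# Startup locations and paths used by the check (an illustrative list, not
# an exhaustive one; extend it with the keys your environment monitors).
STARTUP_KEYS = ("\\currentversion\\run\\", "\\currentversion\\runonce\\")
SCRIPT_HOSTS = ("wscript.exe", "cscript.exe")
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\")

def parse_event(line):
    """Parse a constructed 'image=...|key=...|data=...' registry-write event."""
    return dict(part.split("=", 1) for part in line.split("|"))

def is_vbscript_persistence(ev):
    """True when a startup key is pointed at a .vbs/.vbe file and the write
    came from the script host itself or names a user-writable directory."""
    key, data = ev["key"].lower(), ev["data"].lower()
    if not any(k in key for k in STARTUP_KEYS):
        return False
    if not re.search(r"\.vb[se]\b", data):
        return False
    by_script_host = ev["image"].lower().rsplit("\\", 1)[-1] in SCRIPT_HOSTS
    user_dir = any(d in data for d in USER_WRITABLE)
    return by_script_host or user_dir

def find_persistence(lines):
    """Return the registry key of every event that matches the pattern."""
    return [ev["key"] for ev in map(parse_event, lines) if is_vbscript_persistence(ev)]

# Constructed sample events (not real telemetry): two Houdini-style writes
# and two benign ones that touch similar-looking keys or file names.
SAMPLE_EVENTS = [
    "image=C:\\Windows\\System32\\wscript.exe"
    "|key=HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\WinUpdate"
    "|data=wscript.exe //B \"C:\\Users\\alice\\AppData\\Roaming\\WinUpdate.vbs\"",
    "image=C:\\Program Files\\Vendor\\setup.exe"
    "|key=HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\VendorAgent"
    "|data=\"C:\\Program Files\\Vendor\\agent.exe\" --tray",
    "image=C:\\Windows\\System32\\cmd.exe"
    "|key=HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\svc"
    "|data=C:\\Users\\Public\\svc.vbe",
    "image=C:\\Windows\\explorer.exe"
    "|key=HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\RecentDocs\\.vbs"
    "|data=notes.vbs",
]

if __name__ == "__main__":
    for key in find_persistence(SAMPLE_EVENTS):
        print("suspicious startup entry:", key)
```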
In all, Recorded Future uncovered 213 malicious posts on Pastebin sites, spanning 105 subdomains under one domain and 190 hashes. The domain and subdomains come from a dynamic DNS provider, but because all of the Houdini VBScripts were published from guest accounts, attribution was difficult.
Nonetheless, the company was able to glean information from one domain, microsofit[.]net: someone named Mohammed Raad registered the domain using the email vicsworsbaghdad@gmail.com, with the country listed as Germany, and some of the subdomains appeared to have been created by someone using a play on that name.
Further, a Google search revealed a Facebook profile using information identical to the domain's registration details; the profile indicates that Mohammed Raad is part of Anonymous, is from Germany, and uses Vicswors Baghdad as an alias.
The Facebook profile also displays a recent conversation pertaining to the MoWare H.F.D ransomware.
“It appears that they are studying, testing and possibly configuring a ransomware,” Hatheway said. “The ransomware being configured is an open source version available by commenting on the creator’s YouTube video. An account, Vicswors Baghdad, commented, asking where he can find the file to download, to which the developer commented that they sent a private message. The account Vicswors Baghdad uses the same email (vicsworsbaghdad@gmail.com) as the registration of microsofit[.]net.”