Threat of the Week: H-Work (Houdini)/Jacksbot and SocGholish

Share with your network!

Each week we host a Threat of the Week webinar featuring a high-level look at interesting threats to help security teams navigate the attack landscape. Last week, we explored Shankar's Virus and Coinhive, a cryptocurrency miner commonly missed by legacy email security vendors. And this week, we chose to feature "H-Worm(Houdini)/Jacksbot" and "SocGholish".

H-Worm(Houdini)/Jacksbot arrives in a user's inbox as links encouraging potential victims to go to a website and download a zipped visual basic script(VBS). If the user unzips and runs the VBS file H-Worm(Houdini) and Jacksbot could be installed on their computer.

H-Worm(Houdidni) is a remote access toolkit(RAT) that allows Threat Actors complete control over the victim's computer. There are no tricks that will hide you once H-Worm(Houdini) is installed.

Jacksbot is a Java backdoor.  If the victim has Java installed on their computer, Jacksbot will be installed.  Don't think you use Java? Take a look in your programs on your computer, you'd be surprised!  Once on the user's computer Jacksbot goes to work gathering intelligence, taking screenshots, uses your computer to perform denial of service attacks (DDos), deletes files, steals passwords and performs click frauds sending advertising money to Threat Actors by using your computer.

Another threat that caught our attention was SocGholish. The SocGholish malware rivals the best Rube Goldberg Machine. This malware is a RAT and banking trojan that convinces users to go to fake browser and Flash updates, which convince the victim that they need to upgrade their software.  If the upgrade button is clicked, a JavaScript hosted on DropBox is executed and will download either NetSupport Manager or Chthonic, depending on the victim's geography.

In the United States and Canada, NetSupport Manager, a legitimate remote control software, will be downloaded onto unsuspecting victim's computers. This allows the Threat Actors complete control over the user's computer. If you happen to be in the United Kingdom and sometimes Canada, you will receive Chthonic, a banking trojan based on ZeusVM. Chthonic exploits the Microsoft Windows installation service, msiexec.exe, web cameras, keyboards inputs and allows remote control over the victim's computer. Although the software and methods are different, Chthonic's end goal is computer control and credential harvesting.

Learn more about these threats and how to best combat them by listening to the full webinar here.