Houdini Malware Used in New WayCato Networks: Malware Now Used to Spoof Devices
Researchers at SASE platform provider Cato Networks say they have discovered a novel use of the Houdini malware variant for spoofing of devices.
The findings were reported in Cato's second-quarter analysis report, the Cato Networks SASE Threat Research Report Q2-2021. The researchers analyzed 263 billion enterprise network flows between April and June 2021 for the report.
New Use of Houdini
Spoofing device IDs has been a top priority for attackers, evolving from simple point solutions to cloud-based services, the report says. The Cato Networks research suggests that device identity spoofing threatens to become far more prevalent.
"Houdini is a well-known RAT, but our research shows this particular use is novel. Houdini exfiltrated data within the user agent field, an approach often undetected by legacy security systems. Cato Research Labs only identified such threats by cross-correlating security and network information," the report says.
Popular with Middle Eastern and North African threat actors, Houdini is widely available for download in numerous Arabic language hacking forums for a low price or free, the report says. Spoofing as a service is one such purchase avenue, in which cybercrime forums provide virtual or physical machines based on specified requirements for attackers to use to launch an attack.
While the malware, and its worm-like spreading mechanism, is not a new threat, its new capabilities illustrate the lengths malware writers will go to when attempting to remain hidden from point solutions, the report says.
After an infection, Houdini collects system data to understand which types of security solutions are implemented and also to help the attackers overcome device ID solutions.
Attackers have started gathering data on the systems they infect so that later they can use this data to spoof and circumvent device ID solutions.
Houdini uses WMI and the system environment to collect volume serial, computer name, operating system, and antivirus data and send it to its command-and-control server.
The malware also offers its operators multiple commands and status updates, including process enumeration, directory enumeration, update and execution commands, and shell commands, the researchers say. It updates the command-and-control server if it has infected the machine via a compromised USB drive. As part of the beaconing process, Houdini sends packets to its C&C server with the status of the client in the URL, inserts the collected data in the user-agent header and waits for instructions from its C&C server.
While device ID spoofing has been around for a while, malware developers are upping their game, says Etay Maor, senior director security strategy at Cato Networks.
"With 'trust adoption' growing constantly, and contextual authentication being part of a ZTNA, attackers are making sure they find new ways to circumvent these security solutions, and Houdini is proof of that," he says.
Threat to Risk Assessment
Separately, the Cato Networks report investigated Amazon Sidewalk and highlighted the security impact of the use of personal devices by employees for work purposes.
The company found "hundreds of thousands" of Amazon Sidewalk flows in its worldwide analysis, with some enterprises having hundreds of such devices accessing their enterprise networks.
In May, the company found that enterprise networks were populated by consumer applications, with the most popular being TikTok, which had millions more flows than Google Mail, LinkedIn or Spotify. The increase in consumer applications not only consumes bandwidth, it also poses a security risk to enterprises, Maor said.
“With lines blurring between the home office and the corporate network, more devices and applications find their way to the organization’s network but not necessarily to the organization’s risk assessment," he says. “How can you possibly assess company risk when there is no visibility to what devices and applications truly reside on the network?”