What is WSH RAT?

WSH RAT is a clandestine remote access tool that, in the hands of malicious cyber criminals, can become a seriously dangerous weapon. The infection appears to have been unleashed at the beginning of June, and it is currently actively sold on underground forums, where schemers, hackers, and virtual attackers reign. At the time of research, analysts found the threat to be sold for a mere $50 per month. That is not a lot of money under any circumstances, and, undoubtedly, attackers are exploiting the opportunity to use a seemingly well-established RAT. Unfortunately, the scale of this malware is yet to be determined, but, without a doubt, everyone needs to take appropriate security measures to ensure that operating systems are guarded against it. Detecting this malware once it is in might be very difficult, and some victims might discover it by chance. In any case, deleting this malware is crucial, and you will find useful WSH RAT removal tips in this report.

How does WSH RAT work?

You should be aware by now that a large share of all malware infections is distributed with the help of phishing campaigns, and WSH RAT is spread this way too. The attackers might craft a bogus email message that mimics messages sent by banks, telecommunication companies, postal services, airlines, popular e-vendors, and other familiar companies. Such messages are meant to push victims into taking a certain action, and in the case of WSH RAT that action is clicking an attachment. According to our research, the attachment opens an .MHT file that contains a link, which in turn opens a downloader for a .ZIP file. If the victim saves and opens that file, the malicious RAT is executed silently. This malware appears to be a new variant of the Houdini Worm, and it also shares similarities with two other well-known and well-analyzed infections, njRAT and njWorm. In short, this threat is a hybrid of several established malware families, so it can be expected to be very capable. Hopefully, targeted users recognize the scam right away and delete the malicious emails without even clicking the attachment.

Once in, WSH RAT drops its malicious payload to %APPDATA% and also adds itself to the system’s startup at %APPDATA%\Microsoft\Windows\Start Menu\Startup. The names of the malicious files are random, but the payload is introduced as a .JS file. The file in the %APPDATA% directory also has a point of execution placed in the Windows Registry, under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run. These are the elements of the infection that you need to delete before the threat starts performing in a malicious manner. Unfortunately, this happens almost immediately. WSH RAT silently connects to a malicious site to download three files named klplu.tar.gz, bpvpl.tar.gz, and mapv.tar.gz, which are in fact malicious .exe files that require removal too. These three files are a keylogger, a mail credential viewer, and a browser credential viewer: they can record your keystrokes to obtain private and sensitive information (e.g., passwords), help hijack your email accounts, and extract the login credentials stored in your web browsers. Without a doubt, these additional components are dangerous, and that is what makes the RAT a serious threat that must be deleted immediately.

How to remove WSH RAT

During our research on the malicious WSH RAT, the AgentTesla keylogger was observed being dropped to log sensitive data. It was also found that the dangerous NanoCore RAT could come bundled with the RAT as well. Overall, if the malicious WSH infection finds its way in, it can seriously jeopardize your overall security, as all kinds of dangerous threats could start flooding in with its assistance. Preventative measures are extremely important in this case because you do not want to let the infection in at all. That means that you need to be careful about the emails you interact with and that you need to run reliable security software to defend you and your entire operating system at all times. If you need to delete WSH RAT, install anti-malware software now, and the infection will be deleted automatically. If you are more interested in manual removal, check out the guide below, and DO NOT skip the last step. Performing a full system scan is a crucial step.

Removal Instructions

  1. Simultaneously tap Win+E keys to access Explorer.
  2. Enter %APPDATA% into the quick access box to access the directory.
  3. If you find a malicious [random name].js file, right-click and Delete it.
  4. Access the %APPDATA%\Microsoft\Windows\Start Menu\Startup directory and repeat step 3.
  5. Access the %TEMP% directory and check for malicious .JS and .EXE files. If you discover suspicious files and can identify them as malicious, right-click and Delete them.
  6. Simultaneously tap Win+R keys to access the Run dialog box.
  7. Enter regedit and click OK to access Registry Editor.
  8. Navigate to HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run in the pane on the left.
  9. Right-click and Delete any [random name] values that are linked to malware.
  10. After all of these steps are completed, Empty Recycle Bin.
  11. Install and run a legitimate malware scanner to see if your system is clean or if you need to delete leftovers.
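The persistence locations described above (loose .js files in %APPDATA%, the Startup folder and %TEMP%, a Run-key value that launches the script, and the three downloaded component names) can be triaged in one pass before touching anything by hand. The PowerShell script below is an added example, not code from the original article: it is read-only, reports candidates rather than deleting them, and also checks the HKCU Run key and any running wscript.exe command lines, which the article does not mention but which a defender would want covered. The file names used as indicators are taken from the article and treated as assumptions.

```powershell
# Added example: read-only triage for the WSH RAT persistence described in the article.
# Nothing is deleted; review the report, then remove confirmed items manually or with a scanner.

# Component file names named in the article (assumed indicators, not verified hashes).
$suspectNames = @('klplu.tar.gz', 'bpvpl.tar.gz', 'mapv.tar.gz')

# Drop/persistence directories from the article, plus %TEMP% from the removal steps.
$dirs = @(
    $env:APPDATA,
    (Join-Path $env:APPDATA 'Microsoft\Windows\Start Menu\Startup'),
    $env:TEMP
)

$findings = [System.Collections.Generic.List[object]]::new()

# 1. Loose .js files (the RAT is introduced as a .JS file) or the named components.
foreach ($d in $dirs) {
    if (-not (Test-Path $d)) { continue }
    Get-ChildItem -Path $d -File -ErrorAction SilentlyContinue |
        Where-Object { $_.Extension -ieq '.js' -or $suspectNames -contains $_.Name } |
        ForEach-Object {
            $findings.Add([pscustomobject]@{ Kind = 'File'; Location = $_.FullName; Detail = "$($_.Length) bytes" })
        }
}

# 2. Run-key values whose command invokes the Windows Script Host or a .js file.
#    HKLM is the key the article names; HKCU is added because a user-level dropper can write it without admin rights.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
)
foreach ($k in $runKeys) {
    if (-not (Test-Path $k)) { continue }
    foreach ($p in (Get-ItemProperty -Path $k).PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }          # skip provider metadata (PSPath, PSDrive, ...)
        $cmd = [string]$p.Value
        if ($cmd -match '(?i)(wscript|cscript|\.js\b)') {
            $findings.Add([pscustomobject]@{ Kind = 'RunKey'; Location = "$k\$($p.Name)"; Detail = $cmd })
        }
    }
}

# 3. Live wscript.exe processes running a .js file: the RAT is already executing if one is found.
Get-CimInstance Win32_Process -Filter "Name='wscript.exe'" | ForEach-Object {
    if ($_.CommandLine -match '(?i)\.js') {
        $findings.Add([pscustomobject]@{ Kind = 'Process'; Location = "PID $($_.ProcessId)"; Detail = $_.CommandLine })
    }
}

if ($findings.Count -eq 0) { 'No WSH RAT persistence indicators found.' }
else { $findings | Format-Table -AutoSize -Wrap }
```

Run it from an elevated PowerShell prompt so the HKLM key and every user's %TEMP% are readable; a legitimate script in one of these locations will also be listed, so confirm each hit before deleting it.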
