• The Remote Access Trojan now employs a different obfuscation technique compared to the ones observed earlier.
  • It uses the DynamicWrapperX component to deploy an injector which subsequently drops njRAT.

Security researchers have discovered a new version of the infamous Hworm a.k.a njRAT. This Remote Access Tool (RAT) is widely known for targeting organizations in the Middle East. According to researchers from Morphisec, a security firm based in Israel, njRAT had a new obfuscation technique to evade from security software installed on the victims’ computers.

How does it work?

  • In their blog, Morphisec researchers indicate that this new version uses a fileless VBScript injector that leveraged DynamicWrapperX. This component has also been reportedly used by other RATs such as DarkComet, and KilerRAT, among others.
  • Hworm’s attack campaign works in two stages. The first stage involves an obfuscated or encoded VBS file dropped into the victim system.
  • This file has three base64 streams, with one of them holding the DynamicWrapperX. A script downloaded by DynamicWrapperX checks if the infected system is 64-bit or not to decide the right attack script and then goes on to drop Hworm. The second stage forms the execution part of Hworm where it takes over the victim computer.

Deployed in phishing attacks

Researchers suggest that the new version of Hworm might be used by threat actors for large phishing attacks. “Today we see this attack employed on a regular basis as part of widespread spam phishing campaigns - if successful, Hworm gives the attacker complete control of the victim’s system,” the researchers wrote.

Cyber attacks leveraging Hworm are known to target the energy industry, primarily in the Middle East. However, this new version might also be used to target other countries.

Cyware Publisher