H-Worm RAT: An insight into the VBS-based infamous RAT Houdini/H-Worm
June 1, 2019 | Malware and Vulnerabilities
- Houdini RAT shares its Command and Control (C&C) infrastructure with NjW0rm, njRat/LV, XtremeRAT, and PoisonIvy.
- Its capabilities include stealing system information and passwords, keylogging, downloading, renaming, executing, and deleting files, capturing screenshots, viewing webcam, updating and uninstalling itself.
H-Worm, also known as Houdini, Jacksbot, and SocGholish, is a Remote Access Trojan (RAT) that was first spotted in 2013. A threat actor from Germany named Mohammed Raad, who goes by the handle ‘Vicswors Baghdad’, is suspected of being behind the propagation of the Houdini malware on Pastebin sites.
This RAT shares its Command and Control (C&C) infrastructure with NjW0rm, njRat/LV, XtremeRAT, and PoisonIvy.
What are its capabilities?
The Remote Access Trojan’s capabilities include:
- Stealing system information and passwords
- Keylogging
- Downloading, renaming, executing, and deleting files
- Capturing screenshots
- Viewing webcam
- Updating and uninstalling itself
Houdini distributed via malspam campaign
- H-Worm/Houdini RAT is distributed via malspam emails that include malicious links.
- Upon clicking the link, users are redirected to a malicious website that offers a zipped Visual Basic Script (VBS) file.
- Once users download and run the VBS file, H-Worm gets installed on their computers.
BEC campaign distributes H-Worm
In December 2018, researchers observed a Business Email Compromise (BEC) campaign that leverages a Google Cloud Storage service to spread the Houdini RAT. This campaign targeted banks and financial institutions in the US and UK.
H-Worm drops Adwind RAT
Researchers observed a new campaign in which the Houdini/H-Worm RAT is used to infect computer systems with the Adwind RAT. Adwind RAT is capable of collecting keystrokes, stealing passwords and data from web forms, taking screenshots and webcam video, and transferring files to a remote server.
A new variant
In May 2019, researchers spotted a new variant of H-Worm that uses new obfuscation techniques to evade detection by antivirus software. This version uses a fileless VBScript injector that leverages the DynamicWrapperX component to drop njRAT.
The DynamicWrapperX component has also been used by other RATs, such as DarkComet and KilerRAT.