H-Worm RAT: An insight into the VBS-based infamous RAT Houdini/H-Worm

  • Houdini RAT shares its Command and Control (C&C) infrastructure with NjW0rm, njRat/LV, XtremeRAT, and PoisonIvy.
  • Its capabilities include stealing system information and passwords, keylogging, downloading, renaming, executing, and deleting files, capturing screenshots, viewing webcam, updating and uninstalling itself.

H-Worm, also known as Houdini, Jacksbot, and SocGholish is a Remote Access Trojan which was first spotted in 2013. A threat actor from Germany named Mohammed Raad who goes by the handle name ‘Vicswors Baghdad’ is suspected to be behind the propagation of the Houdini malware on Pastebin sites.

This RAT shares its Command and Control (C&C) infrastructure with NjW0rm, njRat/LV, XtremeRAT, and PoisonIvy.

What are its capabilities?

The Remote Access Trojan’s capabilities include,

  • Stealing system information and passwords
  • Keylogging
  • Downloading, renaming, executing, and deleting files
  • Capturing screenshots
  • Viewing webcam
  • Updating and uninstalling itself

Houdini distributed via malspam campaign

  • H-Worm/Houdini RAT is distributed via malspam emails that include malicious links.
  • Upon clicking the link, users are redirected to a malicious website that offers a zipped visual basic script (VBS).
  • Once users download and run the VBS file, H-Worm gets installed on their computers.

BEC campaign distributes H-Worm

In December 2018, researchers observed a Business Email Compromise (BEC) campaign that leverages a Google Cloud Storage service to spread the Houdini RAT. This campaign targeted banks and financial institutions in the US and UK.

H-Worm drops Adwind RAT

Researchers observed a new campaign, wherein the Houdini/H-Worm RAT is leveraged to infect computer systems with Adwind RAT. Adwind RAT is capable of collecting keystrokes, stealing passwords and data from web forms, taking screenshots and video from webcams, and transferring files to the remote server.

A new variant

In May 2019, researchers spotted a new variant of H-Worm that uses new obfuscation techniques to evade detection from antivirus software. This new version uses a fileless VBScript injector that leveraged DynamicWrapperX component to drop the njRAT.

This DynamicWrapperX component has also been used by other RATs such as DarkComet and KilerRAT.