Down the H-W0rm Hole with Houdini's RAT

Executive Summary

Commodity Remote Access Trojans (RATs) -- which are designed, productized and sold to the casual and experienced hacker alike -- put powerful remote access capabilities into the hands of criminals. RATs, such as H-W0rm, njRAT, KilerRAT, DarkComet, Netwire, XtremeRAT, JSocket/AlienSpy/Adwind and others, hold special interest for the Threat Research Team at Fidelis Cybersecurity. We're constantly following, detecting and monitoring the lifecycle of these RATs as they appear, disappear and often reappear under a new moniker.

There have been recent reports about a new version of one such commodity RAT, H-W0rm (Hworm), and the various campaigns it is being used in. Our telemetry shows that H-W0rm is one of the most active RATs we've seen, with infections observed across virtually all enterprise verticals and geographies in which Fidelis Cybersecurity products are deployed.

In this advisory the Threat Research Team at Fidelis Cybersecurity is supplementing these recent reports by providing the security community with the following:

  • Technical descriptions of the payload behavior when installed on the victim machine.
  • Domains observed in active infections over the past six months. We also make a larger mined dataset available through Fidelis Barncat, a malware configuration intelligence database shared at no cost with trusted third parties.
  • Artifacts correlating Hworm C2 domains with njRAT, XtremeRAT and DarkComet.
  • Yara rules that can be used to detect the VBS and PE versions of H-W0rm.


Related on Threat Geek:

Fidelis Threat Advisory - Down the H-W0rm Hole with Houdini's RAT

Download Full Threat Advisory

Down the H-W0rm Hole with Houdini's RAT