<img height="1" width="1" style="display:none" src="https://www.facebook.com/tr?id=885880844953016&amp;ev=PageView&amp;noscript=1">
Posted by Arnold Osipov on May 13, 2019


Hworm/njRAT is a Remote Access Tool (RAT) that first appeared in 2013 in targeted attacks against the international energy industry, primarily in the Middle East. It was soon commoditized and is now part of a constantly evolving family of RATs that pop-up in various new formats. Today we see this attack employed on a regular basis as part of widespread spam phishing campaigns - if successful, Hworm gives the attacker complete control of the victim’s system. Morphisec Labs recently observed a new version with a minor modification to its obfuscation technique.

Technical Description:

The attack uses the kind of fileless VBScript injector, leveraging DynamicWrapperX, that has been seen used in the wild by RATs such as HWorm, DarkComet, KilerRAT and others. We observed a new obfuscation level, as the distribution of this RAT is still changing and running. We will describe the injector stage and how it used to load Hworm/Houdini RAT.

Stage 1

The payload is a VBS file, which, in some cases, comes obfuscated or encoded with couple of layers.

Figure 1: Obfuscated VBScript

The next stage VBS file contains 3 chunks of base64 streams:

DCOM_DATA:  Holds a PE file, which is DynamicWrapperX. It allows to call functions exported by DLL libraries, in particular Windows API functions, from JScript and VBScript.

LOADER_DATA: Holds RunPE shellcode.

FILE_DATA: Holds the shellcode that is injected to the host process. This will be discussed later.

As the script executes, it drops a copy of itself into %appdata%\Microsoft and gains persistence by editing the registry key:  ‘HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run’.

  • The script checks whether the current environment is 64bit or not. If it is, it will execute the script with a 32-bit version of wscript.exe (from SysWOW64).
Figure 2 : Execute with 32-bit version of wsscript.exe
  • It determines the path for the host process that FILE_DATA will be injected into. There are two options – ‘wscript.exe’ or ‘msbuild.exe’. In our samples, the flag that decided which path to use was hardcoded (set to True), thus, always chose msbuild.exe.
Figure 3 choose host process
  • DCOM_DATA is decoded and dropped to %temp% directory under the name “HOUDINI.BIN” and registered with regsvr32.exe. It creates an object instance named “DynamicWrapperX” and registers two DLL functions: “CallWindowProcW” from “User32.dll” and “VirtualAlloc” from “Kernel32.dll”. It uses VirtualAlloc to allocate memory for the RunPE shellcode and FILE_DATA shellcode, then, invokes it using CallWindowProcW.
Figure 4 invoke injection procedure

Stage 2

The second stage is basically FILE_DATA which is injected to ‘msbuild.exe’ using LOADER_DATA (RunPE). FILE_DATA is base64 encoded – trying to decode and look at it does not yield information, as there is another layer of encoding.

Figure 5 FILE_DATA base64 decoded

LOADER_DATA (RunPE shellcode) is responsible for the second decoding routine.

Figure 6 After LOADER_DATA decoding

Eventually, we see FILE_DATA is a portable executable, written in Dot Net. Looking at the decompiled source code we can see Hworm (njRAT) configuration.

Figure 7
  • “svchost.exe” - Trojan exe.
  • “AppData” - Installation path.
  • “183d24d29354086f9c19c24368929a8c” - Mutex name.
  • “chroms.linkpc.net” - C2 address.
  • “11” - Port.
  • “boolLove” - Socket key.


Morphisec protects against Hworm and similar attacks. By applying Moving target defense technology, we deterministically prevent this attack without relation to signatures / patterns or obfuscation techniques. 


Domain C2s:

  • chroms[.]linkpc.net
  • salh[.]linkpc.net
  • finix5[.]hopto.org
  • finixalg11[.]ddns.net


  • b936e702d77f9ca588f37e5683fdfdf54b4460f9
  • 329bb19737387d050663cce2361799f2885960b2
  • a5e1c1c72a47f400b3eb69c24c5d2c06cc2e4e0f
  • 27cf0b9748936212390c685c88fa4cf1233ca521
  • d5f352cba7be33b0993d5a59ff296fbd4b594a6e
  • 82eb7aeedc670405de56ea1fef984fe8294efcfd
  • d91f060037aaa59a0ad4622c9f3bc5e86e4eb4cd
New Call-to-action
Read More
Posted by Michael Gorelik on October 8, 2018


Over the past year, Morphisec and several other endpoint protection companies have been tracking a resurgence in activity from the Cobalt Group. Cobalt is one of the most notorious cybercrime operations, with attacks against more than 100 banks across 40 countries

Read More
Posted by Tom Bain on September 7, 2018

The cybersecurity attack landscape moves fast, really fast. Last year, not a week passed that didn’t bring about news on a new ransomware incident. Of course ransomware’s very nature lends itself to newsworthy headlines based on how incredibly damaging to businesses this class of attacks can be.

Read More
Posted by Roy Moshailov on August 12, 2018

Fileless malware is a type of a malicious code execution technique that operates completely within process memory; no files are dropped onto the disk. Without any artifacts on the hard drive to detect, these attacks easily evade most security solutions.

Read More
Posted by Roy Moshailov on June 27, 2018

A new highly sophisticated botnet incorporating numerous malicious, evasive techniques is quickly spreading its tentacles. Dubbed MyloBot, the botnet uses an usually complex chain attack and combines multiple anti-analysis techniques to make it more difficult to detect the payload and harder to analyze by security researchers. Initial research published by Deep Instinct points out that everything on the victim’s end takes place in memory, while the main business logic of the botnet is executed in an external process using code injection. This makes it even harder to detect and trace.

Read More
Posted by Michael Gorelik on March 23, 2018

On March 21,2018, Morphisec Labs began investigating the compromised website of a leading Hong Kong Telecommunications company after being alerted to it by malware hunter @PhysicalDrive0. The investigation, conducted by Morphisec researchers Michael Gorelik and Assaf Kachlon, determined that the Telecom group's corporate site had indeed been hacked. Attackers added an embedded Adobe Flash file that exploits the Flash vulnerability CVE-2018-4878 on the main home.php page.

Read More
Posted by Morphisec Team on January 11, 2018

With a turbulent 2017 finally behind us, what’s the cybersecurity forecast for 2018? Some predictions need no crystal ball – the cyber labor shortage will continue, spending on security solutions will go up, the breaches that do occur will be bigger and messier. But what else is in store for 2018? Morphisec’s VP Sales Arthur Braunstein, VP Product Netta Schmeidler and our co-founder Dudu Mimram weigh in.

Read More
Posted by Morphisec Team on December 28, 2017
Posted by Michael Gorelik on November 29, 2017

A report co-authored by Michael Gorelik, CTO and VP R&D, and Roy Moshailov, Malware Research Expert at Morphisec.

Fileless malware is a type of a malicious code execution technique that operates completely within process memory; no files are dropped onto the disk. Without any artifacts on the hard drive to detect, these attacks easily evade current detection solutions.

Read More
Posted by Arthur Braunstein on October 5, 2017


In about two weeks, I’ll be participating in the Mid Market CIO Forum in Austin, Texas. Events such as these are vital as they bring IT professionals together in a setting that is intimate enough to get real answers to their unique set of challenges. For cybersecurity practitioners in particular, the market is incredibly confusing. On top of a profusion of various technologies you have a rapidly changing threat landscape where the threat of the day seems to dictate the conversation.

The article below was sent to attendees of the Mid Market Forum, but is relevant to many of us in the security field. Only when asking different questions, moving beyond the standard security discussion, will security practitioners find the set of solutions that meets the specific needs of their business.

Read More