<img height="1" width="1" style="display:none" src="https://www.facebook.com/tr?id=885880844953016&amp;ev=PageView&amp;noscript=1">
Posted by Arnold Osipov on May 13, 2019


Hworm/njRAT is a Remote Access Tool (RAT) that first appeared in 2013 in targeted attacks against the international energy industry, primarily in the Middle East. It was soon commoditized and is now part of a constantly evolving family of RATs that pop-up in various new formats. Today we see this attack employed on a regular basis as part of widespread spam phishing campaigns - if successful, Hworm gives the attacker complete control of the victim’s system. Morphisec Labs recently observed a new version with a minor modification to its obfuscation technique.

Technical Description:

The attack uses the kind of fileless VBScript injector, leveraging DynamicWrapperX, that has been seen used in the wild by RATs such as HWorm, DarkComet, KilerRAT and others. We observed a new obfuscation level, as the distribution of this RAT is still changing and running. We will describe the injector stage and how it used to load Hworm/Houdini RAT.

Stage 1

The payload is a VBS file, which, in some cases, comes obfuscated or encoded with couple of layers.

Figure 1: Obfuscated VBScript

The next stage VBS file contains 3 chunks of base64 streams:

DCOM_DATA:  Holds a PE file, which is DynamicWrapperX. It allows to call functions exported by DLL libraries, in particular Windows API functions, from JScript and VBScript.

LOADER_DATA: Holds RunPE shellcode.

FILE_DATA: Holds the shellcode that is injected to the host process. This will be discussed later.

As the script executes, it drops a copy of itself into %appdata%\Microsoft and gains persistence by editing the registry key:  ‘HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run’.

  • The script checks whether the current environment is 64bit or not. If it is, it will execute the script with a 32-bit version of wscript.exe (from SysWOW64).
Figure 2 : Execute with 32-bit version of wsscript.exe
  • It determines the path for the host process that FILE_DATA will be injected into. There are two options – ‘wscript.exe’ or ‘msbuild.exe’. In our samples, the flag that decided which path to use was hardcoded (set to True), thus, always chose msbuild.exe.
Figure 3 choose host process
  • DCOM_DATA is decoded and dropped to %temp% directory under the name “HOUDINI.BIN” and registered with regsvr32.exe. It creates an object instance named “DynamicWrapperX” and registers two DLL functions: “CallWindowProcW” from “User32.dll” and “VirtualAlloc” from “Kernel32.dll”. It uses VirtualAlloc to allocate memory for the RunPE shellcode and FILE_DATA shellcode, then, invokes it using CallWindowProcW.
Figure 4 invoke injection procedure

Stage 2

The second stage is basically FILE_DATA which is injected to ‘msbuild.exe’ using LOADER_DATA (RunPE). FILE_DATA is base64 encoded – trying to decode and look at it does not yield information, as there is another layer of encoding.

Figure 5 FILE_DATA base64 decoded

LOADER_DATA (RunPE shellcode) is responsible for the second decoding routine.

Figure 6 After LOADER_DATA decoding

Eventually, we see FILE_DATA is a portable executable, written in Dot Net. Looking at the decompiled source code we can see Hworm (njRAT) configuration.

Figure 7
  • “svchost.exe” - Trojan exe.
  • “AppData” - Installation path.
  • “183d24d29354086f9c19c24368929a8c” - Mutex name.
  • “chroms.linkpc.net” - C2 address.
  • “11” - Port.
  • “boolLove” - Socket key.


Morphisec protects against Hworm and similar attacks. By applying Moving target defense technology, we deterministically prevent this attack without relation to signatures / patterns or obfuscation techniques. 


Domain C2s:

  • chroms[.]linkpc.net
  • salh[.]linkpc.net
  • finix5[.]hopto.org
  • finixalg11[.]ddns.net


  • b936e702d77f9ca588f37e5683fdfdf54b4460f9
  • 329bb19737387d050663cce2361799f2885960b2
  • a5e1c1c72a47f400b3eb69c24c5d2c06cc2e4e0f
  • 27cf0b9748936212390c685c88fa4cf1233ca521
  • d5f352cba7be33b0993d5a59ff296fbd4b594a6e
  • 82eb7aeedc670405de56ea1fef984fe8294efcfd
  • d91f060037aaa59a0ad4622c9f3bc5e86e4eb4cd
New Call-to-action
Read More
Posted by Michael Gorelik on March 28, 2019


This week, Kaspersky Lab reported initial details of a new supply chain attack on systems by computer giant ASUS. Dubbed ShadowHammer by Kaspersky, the attack leveraged a malicious version of ASUS Live Update,

Read More
Posted by Alon Groisman on March 1, 2019

Over the past two weeks, Morphisec Labs has identified an increase in AVE_MARIA malware infecting victims through a variety of phishing methods. One of the downloader components and C2 metadata are similar to those we saw in the Orcus RAT attacks last month and we believe they are by the same threat actor.

Read More
Posted by Morphisec Labs on February 27, 2019

This post was authored by Michael Gorelik and Alon Groisman.

Over the past 8-10 weeks, Morphisec has been tracking multiple sophisticated attacks targeting Point of Sale thin clients globally.

Read More
Posted by Morphisec Labs on January 30, 2019

This post was authored by Michael Gorelik, Alon Groisman and Bruno Braga.

A new, highly sophisticated campaign that delivers the Orcus Remote Access Trojan is hitting victims in ongoing, targeted attacks. Morphisec identified the campaign after receiving notifications from its advanced prevention solution at several deployment sites.

Read More
Posted by Michael Gorelik on December 18, 2018

Let’s face it – there are a lot of threat reports and threat data floating around. What makes the Morphisec Labs Threat Report different is the type of threats it analyzes. It focuses on the threats that pose a real risk to organizations, the ones that get past standard and next-generation AI antivirus.

Read More
Posted by Morphisec Labs on December 5, 2018

Today Adobe disclosed a new Flash zero-day, releasing a patch for the critical vulnerability in an out-of-band update. Successful exploitation gives attackers the ability to execute arbitrary code on the targeted machine, and eventually assume full system control. Morphisec customers are already protected from attacks exploiting this vulnerability.

Read More
Posted by Michael Gorelik on November 29, 2018

Note: This post was updated 11-30-18 with details of a new intercepted attack. See technical description below.

Over the past three days, Morphisec Labs researchers have discovered a widespread cyber campaign hitting multiple targets. Morphisec researchers dubbed the campaign “Pied Piper”as it delivers various Remote Access Trojan (RAT) payloads via phishing, across multiple countries.

Read More
Posted by Michael Gorelik on October 8, 2018


Over the past year, Morphisec and several other endpoint protection companies have been tracking a resurgence in activity from the Cobalt Group. Cobalt is one of the most notorious cybercrime operations, with attacks against more than 100 banks across 40 countries

Read More