Posted by Arnold Osipov on May 13, 2019

Hworm/njRAT is a Remote Access Tool (RAT) that first appeared in 2013 in targeted attacks against the international energy industry, primarily in the Middle East. It was soon commoditized and is now part of a constantly evolving family of RATs that pop up in new packaging. Today we see it delivered on a regular basis through widespread spam phishing campaigns; if the infection succeeds, Hworm gives the attacker complete control of the victim's system. Morphisec Labs recently observed a new version with a minor modification to its obfuscation technique.

Technical Description:

The attack uses a VBScript injector built on DynamicWrapperX, of the kind seen in the wild delivering RATs such as Hworm, DarkComet and KilerRAT. It is often described as fileless, which is only partly true: the script drops a copy of itself and the DynamicWrapperX DLL to disk, but the RAT payload itself is only ever mapped into the memory of another process. The RAT's distribution is still active and changing, and this sample adds a new obfuscation layer. Below we describe the injector stage and how it is used to load the Hworm/Houdini RAT.

Stage 1

The initial payload is a VBS file which, in some samples, is wrapped in a couple of layers of obfuscation or encoding.

Figure 1: Obfuscated VBScript

The next-stage VBS file carries three base64-encoded blobs:

  • DCOM_DATA: a PE file, DynamicWrapperX. This COM component lets JScript and VBScript call functions exported by DLLs, in particular Windows API functions.
  • LOADER_DATA: RunPE shellcode, which maps a PE image into another process and runs it.
  • FILE_DATA: the payload that is injected into the host process (discussed in Stage 2).

As the script executes, it drops a copy of itself into %appdata%\Microsoft and gains persistence by adding a value under HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run that launches the dropped copy.

  • The script checks whether it is running in a 64-bit environment. If so, it relaunches itself with the 32-bit wscript.exe from SysWOW64, so that the later stages run in a 32-bit process.
Figure 2: Execute with the 32-bit version of wscript.exe
  • It determines the path of the host process that FILE_DATA will be injected into. There are two options, wscript.exe or msbuild.exe; in our samples the flag that selects between them was hardcoded to True, so msbuild.exe was always chosen.
Figure 3: Choose host process
  • DCOM_DATA is decoded, dropped to the %temp% directory as "HOUDINI.BIN" and registered with regsvr32.exe. The script then instantiates the DynamicWrapperX COM object and registers two exports through it: CallWindowProcW from user32.dll and VirtualAlloc from kernel32.dll. VirtualAlloc allocates executable memory for the RunPE shellcode and for FILE_DATA; CallWindowProcW is then called with the shellcode address in place of the window-procedure pointer, so the API call transfers execution to the shellcode.
Figure 4: Invoke injection procedure
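Stage 1 leaves a distinctive process and registry trail, which is the easiest place to catch this injector before the RAT is mapped into msbuild.exe. The following script is an added example, not Morphisec's code or a rule from the original post: it runs four checks over constructed Sysmon-style events (the user name, SID and file names are invented; the behaviours are the ones described above) and reports which events match.

```python
"""Hunt for the Stage 1 process chain of the Hworm/njRAT VBS injector in
Sysmon-style telemetry.

Added example for this post, not Morphisec's code. SAMPLE_EVENTS is CONSTRUCTED
to mirror the behaviour described above: a 64-bit wscript.exe relaunching the
same .vbs under SysWOW64, regsvr32 of HOUDINI.BIN from %TEMP%, msbuild.exe
spawned by a script host, and a Run-key value pointing at the dropped copy.
Field names follow Sysmon Event ID 1 (process create) and 13 (registry value
set); user, SID and file names are invented.
"""
import re
from typing import Dict, List, Tuple

Event = Dict[str, str]
Alert = Tuple[str, str]

SAMPLE_EVENTS: List[Event] = [
    # 64-bit script host opens the phishing VBS (nothing to flag by itself)
    {"EventID": "1", "Image": r"C:\Windows\System32\wscript.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Windows\System32\wscript.exe" "C:\Users\bob\AppData\Roaming\Microsoft\invoice.vbs"'},
    # ... which relaunches itself with the 32-bit host from SysWOW64
    {"EventID": "1", "Image": r"C:\Windows\SysWOW64\wscript.exe",
     "ParentImage": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r'C:\Windows\SysWOW64\wscript.exe "C:\Users\bob\AppData\Roaming\Microsoft\invoice.vbs"'},
    # DCOM_DATA dropped to %TEMP% and registered
    {"EventID": "1", "Image": r"C:\Windows\SysWOW64\regsvr32.exe",
     "ParentImage": r"C:\Windows\SysWOW64\wscript.exe",
     "CommandLine": r"regsvr32.exe /s C:\Users\bob\AppData\Local\Temp\HOUDINI.BIN"},
    # host process for FILE_DATA, started without any project to build
    {"EventID": "1", "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe",
     "ParentImage": r"C:\Windows\SysWOW64\wscript.exe",
     "CommandLine": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"},
    # Run-key persistence for the dropped copy
    {"EventID": "13", "Image": r"C:\Windows\SysWOW64\wscript.exe",
     "TargetObject": r"HKU\S-1-5-21-1-1001\Software\Microsoft\Windows\CurrentVersion\Run\invoice",
     "Details": r'wscript.exe "C:\Users\bob\AppData\Roaming\Microsoft\invoice.vbs"'},
    # benign noise: a developer build and an installer registering a DLL
    {"EventID": "1", "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe",
     "ParentImage": r"C:\Program Files\Microsoft Visual Studio\Common7\IDE\devenv.exe",
     "CommandLine": r"msbuild.exe App.csproj /t:Build"},
    {"EventID": "1", "Image": r"C:\Windows\System32\regsvr32.exe",
     "ParentImage": r"C:\Windows\System32\msiexec.exe",
     "CommandLine": r"regsvr32.exe /s C:\Windows\System32\vendor.dll"},
]


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def detect(events: List[Event]) -> List[Alert]:
    """Return (rule, evidence) pairs for events matching the injector's behaviour."""
    alerts: List[Alert] = []
    vbs_in_appdata = re.compile(r"\\AppData\\Roaming\\Microsoft\\[^\\\"]+\.vbs", re.I)
    temp_path = re.compile(r"\\AppData\\Local\\Temp\\[^\s\"]+", re.I)
    project_file = re.compile(r"\.(?:proj|csproj|vbproj|sln)\b", re.I)

    for ev in events:
        image = ev.get("Image", "")
        img, parent = _basename(image), _basename(ev.get("ParentImage", ""))
        cmd = ev.get("CommandLine", "")

        if ev.get("EventID") == "1":
            # R1: wscript.exe re-executing a .vbs from %APPDATA%\Microsoft under SysWOW64
            if (img == "wscript.exe" and "\\syswow64\\" in image.lower()
                    and parent == "wscript.exe" and vbs_in_appdata.search(cmd)):
                alerts.append(("R1 syswow64-wscript-relaunch", cmd))
            # R2: regsvr32.exe registering something from %TEMP% that is not even named .dll
            if img == "regsvr32.exe":
                m = temp_path.search(cmd)
                if m and not m.group(0).lower().endswith(".dll"):
                    alerts.append(("R2 regsvr32-temp-bin", m.group(0)))
            # R3: msbuild.exe as a child of a script host with no project on its command line
            if (img == "msbuild.exe" and parent in ("wscript.exe", "cscript.exe", "mshta.exe")
                    and not project_file.search(cmd)):
                alerts.append(("R3 scripthost-spawns-msbuild", ev.get("ParentImage", "")))
        elif ev.get("EventID") == "13":
            # R4: HKCU Run value whose data launches a .vbs from AppData
            if (re.search(r"\\CurrentVersion\\Run\\", ev.get("TargetObject", ""), re.I)
                    and re.search(r"AppData.*\.vbs", ev.get("Details", ""), re.I)):
                alerts.append(("R4 run-key-vbs-persistence", ev.get("Details", "")))
    return alerts


if __name__ == "__main__":
    for rule, evidence in detect(SAMPLE_EVENTS):
        print(f"{rule:32} {evidence}")
```

Run as-is, it reports four hits and nothing on the two benign records; in production, feed it Event ID 1 and 13 records from the SIEM. R3 is the most durable of the four checks: msbuild.exe started by a script host with no project file on its command line has almost no legitimate cause, whereas the drop path and the HOUDINI.BIN name behind R1 and R2 are trivial for the author to change.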

Stage 2

The second stage is FILE_DATA, which LOADER_DATA (the RunPE shellcode) injects into msbuild.exe. FILE_DATA is base64-encoded, but base64-decoding it alone yields nothing readable: a second encoding layer sits underneath.

Figure 5: FILE_DATA base64 decoded

LOADER_DATA (the RunPE shellcode) performs that second decoding step before mapping the payload into the host process.

Figure 6: After LOADER_DATA decoding

After that step FILE_DATA turns out to be a .NET portable executable. Decompiling it exposes the Hworm (njRAT) configuration:

Figure 7: Hworm (njRAT) configuration
  • “svchost.exe” - file name the trojan installs itself under.
  • “AppData” - installation directory.
  • “183d24d29354086f9c19c24368929a8c” - mutex name.
  • “chroms.linkpc.net” - C2 address.
  • “11” - C2 port.
  • “boolLove” - socket key.
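To confirm the layering described above on a new sample, an analyst wants to pull the three blobs out of the script and check each one: is it a PE (DCOM_DATA should be), does it look like raw code (LOADER_DATA), or is it high-entropy data that still needs another decoding step (FILE_DATA before the RunPE routine has run)? The script below is an added example, not Morphisec's tooling, and runs on a constructed stand-in script rather than a real sample. The second encoding layer is not reproduced, since the post does not describe it; the script only detects that a further layer is present by entropy, and it extracts UTF-16 strings from any decoded PE because .NET string literals, where njRAT keeps the configuration shown in Figure 7, are stored in that form.

```python
"""Static triage of the three base64 blobs in the Hworm/njRAT second-stage VBS.

Added example for this post, not Morphisec's code. SAMPLE_VBS is a CONSTRUCTED
stand-in, not a real sample: DCOM_DATA wraps a minimal fake PE header plus one
UTF-16 string (for DynamicWrapperX), LOADER_DATA a few x86 bytes (for the RunPE
shellcode) and FILE_DATA deterministic pseudo-random bytes, which is how
base64-decoded FILE_DATA looks while its second encoding layer is still in place.
"""
import base64
import math
import re
import struct
from collections import Counter
from typing import Dict, List

BLOB_NAMES = ("DCOM_DATA", "LOADER_DATA", "FILE_DATA")   # names seen in this sample; variants may rename them


def _fake_pe(tail: bytes) -> bytes:
    """Constructed buffer that passes an MZ/PE header check; not a loadable image."""
    dos = bytearray(b"MZ" + b"\x00" * 0x3e)
    struct.pack_into("<I", dos, 0x3c, 0x40)       # e_lfanew -> right after the DOS header
    return bytes(dos) + b"PE\x00\x00" + tail

def _pseudo_random(n: int, seed: int = 0x1337) -> bytes:
    """Deterministic high-entropy filler (LCG top byte), standing in for encoded data."""
    out, x = bytearray(), seed
    for _ in range(n):
        x = (1103515245 * x + 12345) & 0xFFFFFFFF
        out.append(x >> 24)
    return bytes(out)

_loader_b64 = base64.b64encode(b"\x60\xe8\x00\x00\x00\x00\x5d").decode()
SAMPLE_VBS = "\n".join([
    'DCOM_DATA = "' + base64.b64encode(_fake_pe("DynamicWrapperX".encode("utf-16-le"))).decode() + '"',
    # literal split across lines with "&" and "_", as obfuscated samples often do
    'LOADER_DATA = "' + _loader_b64[:8] + '" & _',
    '              "' + _loader_b64[8:] + '"',
    'FILE_DATA = "' + base64.b64encode(_pseudo_random(4096)).decode() + '"',
    'Set DWX = CreateObject("DynamicWrapperX")',
])


def extract_blobs(vbs: str) -> Dict[str, bytes]:
    """Pull each named base64 literal, rejoining chunks concatenated with & / _ continuations."""
    blobs: Dict[str, bytes] = {}
    for name in BLOB_NAMES:
        m = re.search(name + r'\s*=\s*((?:"[A-Za-z0-9+/=]*"\s*(?:&\s*_?\s*)?)+)', vbs)
        if m:
            blobs[name] = base64.b64decode(re.sub(r"[^A-Za-z0-9+/=]", "", m.group(1)))
    return blobs

def is_pe(data: bytes) -> bool:
    """MZ signature, and a PE signature where e_lfanew points."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3c)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"

def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; 8.0 is uniformly random."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

def classify(data: bytes) -> str:
    """'pe' for an image, 'encoded' for high-entropy bytes that still need a decoding
    layer, 'raw' for low-entropy non-PE bytes such as position-independent shellcode."""
    if is_pe(data):
        return "pe"
    return "encoded" if entropy(data) > 7.2 else "raw"

def utf16_strings(data: bytes, min_len: int = 6) -> List[str]:
    """Printable UTF-16LE runs; .NET stores string literals (njRAT's config) this way."""
    pat = rb"(?:[\x20-\x7e]\x00){%d,}" % min_len
    return [m.group(0).decode("utf-16-le") for m in re.finditer(pat, data)]

def triage(vbs: str) -> Dict[str, dict]:
    """Size, entropy, classification and (for PE blobs) UTF-16 strings per blob."""
    report: Dict[str, dict] = {}
    for name, data in extract_blobs(vbs).items():
        kind = classify(data)
        report[name] = {"size": len(data), "entropy": round(entropy(data), 2), "kind": kind,
                        "strings": utf16_strings(data) if kind == "pe" else []}
    return report


if __name__ == "__main__":
    for name, info in triage(SAMPLE_VBS).items():
        print(f"{name:12} {info['size']:5d} bytes  H={info['entropy']:.2f}  {info['kind']:8} {info['strings']}")
```

Point extract_blobs at a real second-stage script once the outer obfuscation has been stripped. DCOM_DATA should classify as a PE and LOADER_DATA as raw code; FILE_DATA will classify as encoded, which is the cue that the RunPE routine's own decoding step has to be reproduced before classify and utf16_strings can be run again to recover the host, port and mutex.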

Conclusion

Morphisec protects against Hworm and similar attacks. By applying Moving Target Defense technology, we deterministically prevent this attack regardless of signatures, patterns or obfuscation techniques.

Artifacts

C2 domains:

  • chroms[.]linkpc.net
  • salh[.]linkpc.net
  • finix5[.]hopto.org
  • finixalg11[.]ddns.net

VBScripts (SHA-1):

  • b936e702d77f9ca588f37e5683fdfdf54b4460f9
  • 329bb19737387d050663cce2361799f2885960b2
  • a5e1c1c72a47f400b3eb69c24c5d2c06cc2e4e0f
  • 27cf0b9748936212390c685c88fa4cf1233ca521
  • d5f352cba7be33b0993d5a59ff296fbd4b594a6e
  • 82eb7aeedc670405de56ea1fef984fe8294efcfd
  • d91f060037aaa59a0ad4622c9f3bc5e86e4eb4cd
Posted by Ronen Yehoshua on May 3, 2019

Enterprises migrating to or already on Windows 10 have the perfect opportunity to greatly improve their security profile and simplify operations at the same time – without incurring more costs. The key is fully leveraging the integrated Windows 10 security tools while adding innovative technology purpose built to provide a critical protection layer against advanced memory attacks, exploits, fileless attacks, zero-days and evasive malware. Those integrated security tools include Microsoft Defender antivirus and that disruptive technology is Morphisec’s Moving Target Defense.

Posted by Andrew Homer on April 23, 2019

When looking at cyber defense best practices and models, one driving question, which also keeps CISOs up at night, is this:

What's the best way to orchestrate security telemetry and processes so that SOC operators and security teams can prevent more threats and scale threat response as a formidable force multiplier against the onslaught of unknown attacks and exploits?

Posted by Morphisec Team on April 17, 2019

Americans' Fear of an Imminent or Elevated Cyber Threat Against the Nation Drops to 51%; But 27% of Citizens Believe There Are Lingering Effects on Cyber Defenses from the Government Shutdown

Posted by Shelley Leveson on April 15, 2019

It seems that the only thing constant about cybersecurity (besides change) is our love of acronyms. We get it, time is too short for wasted words. But this can make it even more difficult to wade through the varied, often overlapping claims, of an already confusing space.

Posted by Shelley Leveson on April 11, 2019

If it’s April, it’s award season, and Morphisec just took home several official, plus some unofficial, awards. At the MIDMRKT CIO Forum, Morphisec won the top Vendor Excellence award for Best Software Solution. These awards recognize leading solution providers for their collaboration, strategic influence, and technical innovation across the midmarket.

Posted by Shelley Leveson on April 3, 2019

Despite HIPAA regulations designed to keep them informed on the security of their personal health data, patients still seem to be in the dark. That was just one of the findings of Morphisec's new 2019 Consumer Healthcare Cybersecurity Threat Index.

Posted by Michael Gorelik on March 28, 2019

Introduction

This week, Kaspersky Lab reported initial details of a new supply chain attack on computers made by the computer giant ASUS. Dubbed ShadowHammer by Kaspersky, the attack leveraged a malicious version of ASUS Live Update,

Posted by Morphisec Team on March 18, 2019

On April 8th, Morphisec's CTF (Capture The Flag) Competition will host 45 hand-picked finalists in Beer Sheva’s Gav Yam Negev Advanced Technologies Park.

Posted by Netta Schmeidler on March 15, 2019

On the heels of RSA 2019 and International Women’s Day, I am proud to announce Morphisec’s second annual Women in Cybersecurity Scholarship. This year’s scholarship program offers three awards totaling $8,000 aimed at encouraging women studying cybersecurity and related STEM disciplines
