win.houdini

Houdini

aka: Hworm, Jenxcus, Kognito, Njw0rm, WSHRAT, dinihou, dunihi

Houdini is a VBS-based RAT dating back to 2013. In the past it was usually wrapped in an .exe, but from 2018 on it started being distributed via spam or downloaded by other malware directly as a .vbs file. In 2019, WSHRAT appeared: a JavaScript-based version of Houdini, recoded by someone going by the name Kognito.

References
2023-01-24TrellixDaksh Kapur, Tomer Shloman, Robert Venal, John Fokker
@online{kapur:20230124:cyberattacks:0a05372, author = {Daksh Kapur and Tomer Shloman and Robert Venal and John Fokker}, title = {{Cyberattacks Targeting Ukraine Increase 20-fold at End of 2022 Fueled by Russia-linked Gamaredon Activity}}, date = {2023-01-24}, organization = {Trellix}, url = {https://www.trellix.com/en-us/about/newsroom/stories/research/cyberattacks-targeting-ukraine-increase.html}, language = {English}, urldate = {2023-01-25} } Cyberattacks Targeting Ukraine Increase 20-fold at End of 2022 Fueled by Russia-linked Gamaredon Activity
Andromeda Formbook Houdini Remcos
2022-06-16SANS ISCXavier Mertens
@online{mertens:20220616:houdini:1d61640, author = {Xavier Mertens}, title = {{Houdini is Back Delivered Through a JavaScript Dropper}}, date = {2022-06-16}, organization = {SANS ISC}, url = {https://isc.sans.edu/forums/diary/Houdini+is+Back+Delivered+Through+a+JavaScript+Dropper/28746/}, language = {English}, urldate = {2022-06-17} } Houdini is Back Delivered Through a JavaScript Dropper
Houdini
2022-02-15Threat PostElizabeth Montalbano
@online{montalbano:20220215:ta2541:7e201a7, author = {Elizabeth Montalbano}, title = {{TA2541: APT Has Been Shooting RATs at Aviation for Years}}, date = {2022-02-15}, organization = {Threat Post}, url = {https://threatpost.com/ta2541-apt-rats-aviation/178422/}, language = {English}, urldate = {2022-02-17} } TA2541: APT Has Been Shooting RATs at Aviation for Years
AsyncRAT Houdini NetWire RC Parallax RAT
2022-02-15BleepingComputerIonut Ilascu
@online{ilascu:20220215:unskilled:1bf1eb3, author = {Ionut Ilascu}, title = {{Unskilled hacker linked to years of attacks on aviation, transport sectors}}, date = {2022-02-15}, organization = {BleepingComputer}, url = {https://www.bleepingcomputer.com/news/security/unskilled-hacker-linked-to-years-of-attacks-on-aviation-transport-sectors/}, language = {English}, urldate = {2022-02-17} } Unskilled hacker linked to years of attacks on aviation, transport sectors
AsyncRAT Houdini NetWire RC Parallax RAT
2021-11-23HPPatrick Schläpfer
@online{schlpfer:20211123:ratdispenser:4677686, author = {Patrick Schläpfer}, title = {{RATDispenser: Stealthy JavaScript Loader Dispensing RATs into the Wild}}, date = {2021-11-23}, organization = {HP}, url = {https://threatresearch.ext.hp.com/javascript-malware-dispensing-rats-into-the-wild/}, language = {English}, urldate = {2021-11-29} } RATDispenser: Stealthy JavaScript Loader Dispensing RATs into the Wild
AdWind Ratty STRRAT CloudEyE Formbook Houdini Panda Stealer Remcos
2021-11-04Deep instinctShaul Vilkomir-Preisman
@online{vilkomirpreisman:20211104:understanding:c22abf4, author = {Shaul Vilkomir-Preisman}, title = {{Understanding the Windows JavaScript Threat Landscape}}, date = {2021-11-04}, organization = {Deep instinct}, url = {https://www.deepinstinct.com/blog/understanding-the-windows-javascript-threat-landscape}, language = {English}, urldate = {2021-11-19} } Understanding the Windows JavaScript Threat Landscape
STRRAT Griffon BlackByte Houdini Vjw0rm FIN7
2021-09-16CiscoTiago Pereira, Vitor Ventura
@online{pereira:20210916:operation:133992d, author = {Tiago Pereira and Vitor Ventura}, title = {{Operation Layover: How we tracked an attack on the aviation industry to five years of compromise}}, date = {2021-09-16}, organization = {Cisco}, url = {https://blog.talosintelligence.com/2021/09/operation-layover-how-we-tracked-attack.html}, language = {English}, urldate = {2021-09-19} } Operation Layover: How we tracked an attack on the aviation industry to five years of compromise
AsyncRAT Houdini NjRAT
2021-07-13YouTube (John Hammond)John Hammond
@online{hammond:20210713:jscript:ba194e0, author = {John Hammond}, title = {{JScript Deobfuscation - More WSHRAT (Malware Analysis)}}, date = {2021-07-13}, organization = {YouTube (John Hammond)}, url = {https://www.youtube.com/watch?v=XDAiS6KBDOs}, language = {English}, urldate = {2021-07-26} } JScript Deobfuscation - More WSHRAT (Malware Analysis)
Houdini
2021-05-14MorphisecArnold Osipov
@online{osipov:20210514:ahk:2da8d24, author = {Arnold Osipov}, title = {{AHK RAT Loader Used in Unique Delivery Campaigns}}, date = {2021-05-14}, organization = {Morphisec}, url = {https://blog.morphisec.com/ahk-rat-loader-leveraged-in-unique-delivery-campaigns}, language = {English}, urldate = {2021-05-17} } AHK RAT Loader Used in Unique Delivery Campaigns
AsyncRAT Houdini Revenge RAT
2021-04-21FacebookMike Dvilyanski, David Agranovich
@online{dvilyanski:20210421:taking:23e0fb2, author = {Mike Dvilyanski and David Agranovich}, title = {{Taking Action Against Hackers in Palestine}}, date = {2021-04-21}, organization = {Facebook}, url = {https://about.fb.com/news/2021/04/taking-action-against-hackers-in-palestine/}, language = {English}, urldate = {2021-04-28} } Taking Action Against Hackers in Palestine
SpyNote Houdini NjRAT
2021-04-06Cado Securitycadolabs
@online{cadolabs:20210406:threat:aba341a, author = {cadolabs}, title = {{Threat Group Uses Voice Changing Software in Espionage Attempt}}, date = {2021-04-06}, organization = {Cado Security}, url = {https://www.cadosecurity.com/post/threat-group-uses-voice-changing-software-in-espionage-attempt}, language = {English}, urldate = {2021-04-06} } Threat Group Uses Voice Changing Software in Espionage Attempt
Houdini
2021-03-16YoroiLuigi Martire, Luca Mella
@online{martire:20210316:threatening:9158d9b, author = {Luigi Martire and Luca Mella}, title = {{Threatening within Budget: How WSH-RAT is abused by Cyber-Crooks}}, date = {2021-03-16}, organization = {Yoroi}, url = {https://yoroi.company/research/threatening-within-budget-how-wsh-rat-is-abused-by-cyber-crooks/}, language = {English}, urldate = {2021-06-16} } Threatening within Budget: How WSH-RAT is abused by Cyber-Crooks
Houdini
2020-10-26360 Core Security360
@online{360:20201026:aptc44:a336bf6, author = {360}, title = {{北非狐(APT-C-44)攻击活动揭露}}, date = {2020-10-26}, organization = {360 Core Security}, url = {https://blogs.360.cn/post/APT-C-44.html}, language = {Chinese}, urldate = {2020-11-09} } 北非狐(APT-C-44)攻击活动揭露
Xtreme RAT Houdini NjRAT Revenge RAT
2020-07-29ESET Researchwelivesecurity
@techreport{welivesecurity:20200729:threat:496355c, author = {welivesecurity}, title = {{THREAT REPORT Q2 2020}}, date = {2020-07-29}, institution = {ESET Research}, url = {https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf}, language = {English}, urldate = {2020-07-30} } THREAT REPORT Q2 2020
DEFENSOR ID HiddenAd Bundlore Pirrit Agent.BTZ Cerber ClipBanker CROSSWALK Cryptowall CTB Locker DanaBot Dharma Formbook Gandcrab Grandoreiro Houdini ISFB LockBit Locky Mailto Maze Microcin Nemty NjRAT Phobos PlugX Pony REvil Socelars STOP Tinba TrickBot WannaCryptor
2020-01-15AT&T CybersecurityFernando Martinez
@online{martinez:20200115:alien:a57585f, author = {Fernando Martinez}, title = {{Alien Labs 2019 Analysis of Threat Groups Molerats and APT-C-37}}, date = {2020-01-15}, organization = {AT&T Cybersecurity}, url = {https://cybersecurity.att.com/blogs/labs-research/alien-labs-2019-analysis-of-threat-groups-molerats-and-apt-c-37}, language = {English}, urldate = {2020-01-22} } Alien Labs 2019 Analysis of Threat Groups Molerats and APT-C-37
Houdini
2019-12-23YouTubeKindred Security
@online{security:20191223:video:c52156f, author = {Kindred Security}, title = {{Video: Malware Analysis | WSHRAT Visual Basic RAT (C2 Replication)}}, date = {2019-12-23}, organization = {YouTube}, url = {https://www.youtube.com/watch?v=h3KLKCdMUUY}, language = {English}, urldate = {2020-01-08} } Video: Malware Analysis | WSHRAT Visual Basic RAT (C2 Replication)
Houdini
2019-11-11Binary DefenseBinary Defense
@online{defense:20191111:revenge:114921b, author = {Binary Defense}, title = {{Revenge Is A Dish Best Served… Obfuscated?}}, date = {2019-11-11}, organization = {Binary Defense}, url = {https://www.binarydefense.com/revenge-is-a-dish-best-served-obfuscated}, language = {English}, urldate = {2020-01-09} } Revenge Is A Dish Best Served… Obfuscated?
Houdini Revenge RAT
2019-09-14Github (jeFF0Falltrades)Jeff Archer
@online{archer:20190914:wsh:103aefa, author = {Jeff Archer}, title = {{WSH RAT (A variant of H-Worm/Houdini)}}, date = {2019-09-14}, organization = {Github (jeFF0Falltrades)}, url = {https://github.com/jeFF0Falltrades/IoCs/blob/master/Broadbased/wsh_rat.md}, language = {English}, urldate = {2020-01-06} } WSH RAT (A variant of H-Worm/Houdini)
Houdini
2019-06-25MyOnlineSecurityMyOnlineSecurity
@online{myonlinesecurity:20190625:more:a611b77, author = {MyOnlineSecurity}, title = {{More AgentTesla keylogger and Nanocore RAT in one bundle}}, date = {2019-06-25}, organization = {MyOnlineSecurity}, url = {https://myonlinesecurity.co.uk/more-agenttesla-keylogger-and-nanocore-rat-in-one-bundle/}, language = {English}, urldate = {2019-11-27} } More AgentTesla keylogger and Nanocore RAT in one bundle
Houdini
2019-06-14CofenseNick Guarino, Aaron Riley
@online{guarino:20190614:houdini:d6c63fa, author = {Nick Guarino and Aaron Riley}, title = {{Houdini Worm Transformed in New Phishing Attack}}, date = {2019-06-14}, organization = {Cofense}, url = {https://cofense.com/houdini-worm-transformed-new-phishing-attack/}, language = {English}, urldate = {2020-01-08} } Houdini Worm Transformed in New Phishing Attack
Houdini
2019-05-13MorphisecArnold Osipov
@online{osipov:20190513:look:7526002, author = {Arnold Osipov}, title = {{A Look At Hworm / Houdini aka Njrat}}, date = {2019-05-13}, organization = {Morphisec}, url = {http://blog.morphisec.com/hworm-houdini-aka-njrat}, language = {English}, urldate = {2020-01-05} } A Look At Hworm / Houdini aka Njrat
Houdini
2019-03-25360 Core Securityzhanghao-ms
@online{zhanghaoms:20190325:patting:92fda17, author = {zhanghao-ms}, title = {{Patting the Bear (APT-C-37): Exposure of Continued Attacks Against an Armed Organization}}, date = {2019-03-25}, organization = {360 Core Security}, url = {http://blogs.360.cn/post/analysis-of-apt-c-37.html}, language = {Chinese}, urldate = {2020-01-08} } Patting the Bear (APT-C-37): Exposure of Continued Attacks Against an Armed Organization
Houdini NjRAT
2016-10-26UnknownChris Doman
@online{doman:20161026:moonlight:1edffaa, author = {Chris Doman}, title = {{Moonlight – Targeted attacks in the Middle East}}, date = {2016-10-26}, organization = {Unknown}, url = {https://www.vectra.ai/blogpost/moonlight-middle-east-targeted-attacks}, language = {English}, urldate = {2020-04-06} } Moonlight – Targeted attacks in the Middle East
Houdini NjRAT Molerats
2016-10-25Palo Alto Networks Unit 42Anthony Kasza
@online{kasza:20161025:houdinis:d57d422, author = {Anthony Kasza}, title = {{Houdini’s Magic Reappearance}}, date = {2016-10-25}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/unit42-houdinis-magic-reappearance/}, language = {English}, urldate = {2019-11-17} } Houdini’s Magic Reappearance
Houdini
2013-09-24FireEyeThoufique Haq, Ned Moran
@online{haq:20130924:now:3cc13be, author = {Thoufique Haq and Ned Moran}, title = {{Now You See Me - H-worm by Houdini}}, date = {2013-09-24}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2013/09/now-you-see-me-h-worm-by-houdini.html}, language = {English}, urldate = {2019-12-20} } Now You See Me - H-worm by Houdini
Houdini
Yara Rules
[TLP:WHITE] win_houdini_auto (20201014 | autogenerated rule brought to you by yara-signator)
rule win_houdini_auto {
    /*
     * Autogenerated detection for win.houdini built from ten short byte
     * sequences. The disassembly annotated below is 32-bit x86, so this rule
     * presumably targets the compiled/wrapped executable form of Houdini
     * rather than the .vbs / .js script variants described on this page —
     * confirm against the reference samples before relying on it for the
     * script-based distribution.
     */

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2020-10-14"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.5.0"
        // generator settings that controlled which instruction sequences were selected
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.houdini"
        malpedia_rule_date = "20201014"
        malpedia_hash = "a7e3bd57eaf12bf3ea29a863c041091ba3af9ac9"
        malpedia_version = "20201014"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        // Each $sequence_N is a raw hex pattern; `??` bytes are wildcards.
        // In the annotations, n is the number of instructions in the sequence
        // and score is the generator's ranking value for it (all 100 here).
        // An e8 opcode followed by four wildcard bytes has no disassembly shown:
        // the generator masks its operand, presumably a relative call target
        // that differs between builds.
        $sequence_0 = { 8b45bc e8???????? 50 8d45b8 8b5508 b900000000 }
            // n = 6, score = 100
            //   8b45bc               | mov                 eax, dword ptr [ebp - 0x44]
            //   e8????????           |                     
            //   50                   | push                eax
            //   8d45b8               | lea                 eax, [ebp - 0x48]
            //   8b5508               | mov                 edx, dword ptr [ebp + 8]
            //   b900000000           | mov                 ecx, 0

        $sequence_1 = { 8bfa 8bd8 8b4604 50 8b0e 8bd7 8bc3 }
            // n = 7, score = 100
            //   8bfa                 | mov                 edi, edx
            //   8bd8                 | mov                 ebx, eax
            //   8b4604               | mov                 eax, dword ptr [esi + 4]
            //   50                   | push                eax
            //   8b0e                 | mov                 ecx, dword ptr [esi]
            //   8bd7                 | mov                 edx, edi
            //   8bc3                 | mov                 eax, ebx

        // NOTE(review): $sequence_2 and $sequence_8 are tiny compare/setcc/neg/sbb
        // predicate helpers (eax becomes 0 or -1 from a test on [eax + 4]).
        // Idioms this small can occur in unrelated binaries, which is why the
        // 7-of-10 threshold in the condition matters.
        $sequence_2 = { f6d8 1bc0 c3 83780403 0f94c0 f6d8 1bc0 }
            // n = 7, score = 100
            //   f6d8                 | neg                 al
            //   1bc0                 | sbb                 eax, eax
            //   c3                   | ret                 
            //   83780403             | cmp                 dword ptr [eax + 4], 3
            //   0f94c0               | sete                al
            //   f6d8                 | neg                 al
            //   1bc0                 | sbb                 eax, eax

        $sequence_3 = { 51 8bd8 33f6 54 8b4304 50 e8???????? }
            // n = 7, score = 100
            //   51                   | push                ecx
            //   8bd8                 | mov                 ebx, eax
            //   33f6                 | xor                 esi, esi
            //   54                   | push                esp
            //   8b4304               | mov                 eax, dword ptr [ebx + 4]
            //   50                   | push                eax
            //   e8????????           |                     

        $sequence_4 = { 5b c3 8d4604 50 8b4304 50 }
            // n = 6, score = 100
            //   5b                   | pop                 ebx
            //   c3                   | ret                 
            //   8d4604               | lea                 eax, [esi + 4]
            //   50                   | push                eax
            //   8b4304               | mov                 eax, dword ptr [ebx + 4]
            //   50                   | push                eax

        // NOTE(review): $sequence_5 is a run of near-identical 4-byte values whose
        // disassembly (`add byte ptr [ebx + ebx*2 + ...]`) is not meaningful code;
        // it is more likely a data table that the generator picked up. Treat it as
        // a weaker, possibly more generic signal than the code sequences.
        $sequence_5 = { 00745b5b 00745b5b 007c5b5b 007c5b5b 00845b5b00845b 5b 008c5b5b008c5b }
            // n = 7, score = 100
            //   00745b5b             | add                 byte ptr [ebx + ebx*2 + 0x5b], dh
            //   00745b5b             | add                 byte ptr [ebx + ebx*2 + 0x5b], dh
            //   007c5b5b             | add                 byte ptr [ebx + ebx*2 + 0x5b], bh
            //   007c5b5b             | add                 byte ptr [ebx + ebx*2 + 0x5b], bh
            //   00845b5b00845b       | add                 byte ptr [ebx + ebx*2 + 0x5b84005b], al
            //   5b                   | pop                 ebx
            //   008c5b5b008c5b       | add                 byte ptr [ebx + ebx*2 + 0x5b8c005b], cl

        $sequence_6 = { 896b08 85ed 750e ba03000000 8bc7 e8???????? eb44 }
            // n = 7, score = 100
            //   896b08               | mov                 dword ptr [ebx + 8], ebp
            //   85ed                 | test                ebp, ebp
            //   750e                 | jne                 0x10
            //   ba03000000           | mov                 edx, 3
            //   8bc7                 | mov                 eax, edi
            //   e8????????           |                     
            //   eb44                 | jmp                 0x46

        $sequence_7 = { 8bf2 8bd8 54 56 8b4304 50 e8???????? }
            // n = 7, score = 100
            //   8bf2                 | mov                 esi, edx
            //   8bd8                 | mov                 ebx, eax
            //   54                   | push                esp
            //   56                   | push                esi
            //   8b4304               | mov                 eax, dword ptr [ebx + 4]
            //   50                   | push                eax
            //   e8????????           |                     

        $sequence_8 = { 83780403 0f93c0 f6d8 1bc0 c3 83780404 }
            // n = 6, score = 100
            //   83780403             | cmp                 dword ptr [eax + 4], 3
            //   0f93c0               | setae               al
            //   f6d8                 | neg                 al
            //   1bc0                 | sbb                 eax, eax
            //   c3                   | ret                 
            //   83780404             | cmp                 dword ptr [eax + 4], 4

        $sequence_9 = { 8b45fc b901000000 8b55f8 e8???????? ff4df8 837df800 75b6 }
            // n = 7, score = 100
            //   8b45fc               | mov                 eax, dword ptr [ebp - 4]
            //   b901000000           | mov                 ecx, 1
            //   8b55f8               | mov                 edx, dword ptr [ebp - 8]
            //   e8????????           |                     
            //   ff4df8               | dec                 dword ptr [ebp - 8]
            //   837df800             | cmp                 dword ptr [ebp - 8], 0
            //   75b6                 | jne                 0xffffffb8

    condition:
        // Match when at least 7 of the 10 sequences are present and the scanned
        // object is smaller than 6307840 bytes (~6 MiB). `filesize` is the size of
        // the file being scanned, so a memory dump saved to disk that exceeds this
        // bound will never match regardless of its content — lower-confidence
        // triage on large dumps may want to evaluate the strings without it.
        7 of them and filesize < 6307840
}