Houdini's RAT Is No Disappearing Act

a-magician-1160153-639x1089

Most creators of Trojans or worms only known attribution to their creation is made by security researchers, and although, these individuals are not known in person, some of them are known and active in the cybercriminal scene. One of these “celebrity cyber criminals” is known by his alias Houdini, and according to Threatgeek.com is named 'Mohamed Benabdellah'. Houdini is believed to be based in  Algeria and connected to njq8” (aka ‘Naser Al Mutairi’) the developer of other RATs as "njRAT" and "njw0rm".

RATs by Houdini have been reported since 2013, and H-w0rm is the earliest reported by fireEye. H-w0rm is a tool in VBS  and has also an AUTOIT version. The VBS file in the relevant version, was found to be obfuscated with multiple levels of standard Base64 encoding (Safa Crypter). The H-w0rm has been known to act as a RAT; log keystrokes, record sound through the user’s microphone, capture photos through the webcam and run updates of the RAT on the infected node. The C&C communication of this RAT is done by using Dynamic DNS services and over HTTP protocol.

Both ThreatSTOP IP Firewall Service and DNS Firewall Service customers are protected from “Houdini's RAT\H-w0rm” if they enable the TS Critical targets in their policies.

Share this: