LTS Secure Warning: Obfuscation Techniques Aid H-worm RAT To Evade Detection

Researchers have identified a new version of the notorious H-worm RAT, which is now making use of obfuscation techniques to avoid being detected by antivirus software.

 

Technical Details

The new version of the RAT uses fileless VBScript injectors that take advantage of the DynamicWrapperX component.

Infection Process:

  • Mails containing malicious links are being sent to users.
  • Once the user clicks on the link inside the mail, they are redirected to a malicious website, from which a zipped Visual Basic Script (VBS) file is downloaded to the victim's device.
  • Once the file is executed by the user, the RAT is installed on the device and initiates its malicious activities.
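
The delivery chain above ends in a zipped VBS file, so one place to catch it is a triage check on downloaded or mailed archives. The following is an added example, not code from the advisory: the extension list, size limit, verdict names and the sample archive are assumptions made for illustration.

```python
import io
import zipfile

SCRIPT_EXTS = (".vbs", ".vbe")   # assumption: VBScript and encoded VBScript
MARKER = "dynamicwrapperx"       # component named in the advisory
MAX_BYTES = 5_000_000            # assumption: do not unpack oversized members


def decode_script(raw: bytes) -> str:
    """Decode script bytes; a UTF-16 file would hide the marker from a byte search."""
    if raw[:2] in (b"\xff\xfe", b"\xfe\xff"):
        return raw.decode("utf-16", errors="replace")
    return raw.decode("latin-1")


def triage_zip(data: bytes) -> dict:
    """Map each script member of a zip archive to a triage verdict."""
    verdicts = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if not info.filename.lower().endswith(SCRIPT_EXTS):
                continue
            if info.flag_bits & 0x1:          # encrypted member, cannot be inspected
                verdicts[info.filename] = "encrypted-script"
            elif info.file_size > MAX_BYTES:
                verdicts[info.filename] = "oversized-script"
            elif MARKER in decode_script(zf.read(info)).lower():
                verdicts[info.filename] = "references-DynamicWrapperX"
            else:                             # obfuscation may hide the name
                verdicts[info.filename] = "script-in-archive"
    return verdicts


def build_sample() -> bytes:
    """Constructed sample archive; the contents are harmless placeholders."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("readme.txt", "nothing to see")
        zf.writestr("a.vbs", 'Set w = CreateObject("DynamicWrapperX")')
        zf.writestr("b.VBS", 'WScript.Echo "hello"'.encode("utf-16"))
        zf.writestr("c.vbs", 'Set w = CreateObject("dynamicwrapperx")'.encode("utf-16"))
    return buf.getvalue()


if __name__ == "__main__":
    for name, verdict in triage_zip(build_sample()).items():
        print(f"{name}: {verdict}")
```

Because the advisory describes an obfuscated variant, a plain `script-in-archive` verdict still deserves review: the string match is only one signal, and a script arriving inside a zip is the stronger one.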

 

Impact

  • Captures screenshots.
  • Captures real-time as well as offline keystrokes.
  • Steals credentials / confidential data and sends them to the remote attacker.
  • Fetches live feeds from the victim's webcam and microphone.
  • Propagates via storage devices such as USB drives to increase its impact radius.
  • Updates and uninstalls itself at will.

 

Recommended Actions

  • Always update your anti-virus software with the latest releases.
  • Ensure that your devices are always up-to-date with the latest patches released.
  • Never download any suspicious attachments or click on any shady-looking link. Make an effort to educate your users on how to identify malspam.
  • Periodically run a “full system scan” on your endpoints.