Houdini and jRat Trojans found double teaming in the wild

The SonicWall Capture Labs Research team has come across a spam campaign distributing not one but two Remote Access Trojans (RATs). Both RATs have historically been propagated independently through spam, as email attachments disguised as shipment notifications, payment notices, receipts, invoices, statements or quotations. This campaign's propagation method is no different.

Infection cycle:

The main installer arrives as an email attachment in Java archive (JAR) format. Once executed, it drops two remote access Trojans, Houdini and jRat. During our analysis it created the following files in the %APPDATA% and %USERS% directories:

  • %APPDATA% /microsoftkey.jar [Detected as GAV: jRat.A_3 (Trojan)]
  • %APPDATA% /ntfsmgr.jar [Detected as GAV: jRat.A_2 (Trojan)]
  • %APPDATA% /fifpdvUqdn.vbs [Detected as GAV: Houdini.VBS (Trojan)]
  • %USERS% /nixfeknwve.vbs [Detected as GAV: Houdini.VBS (Trojan)]

The two Trojans are then executed at the same time: the jRat component through javaw.exe and the Houdini script through wscript.exe. The following registry Run values were also added so that both Trojans are launched again after each reboot:

  • HKCU\Software\Microsoft\Windows\CurrentVersion\Run\fifpdvUqdn = exe //B "%APPDATA%\fifpdvUqdn.vbs"
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ntfsmgr = "C:\Program Files\Java\jre7\bin\javaw.exe" -jar "%APPDATA%\ntfsmgr.jar"
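The persistence pattern above is easy to check for on a suspect host. The following Python routine is an added example, not part of the original analysis or the malware: it looks at HKCU Run values for a script host launching a .vbs (with //B batch mode, which hides errors and prompts) or java launching a JAR from a user-writable directory. The sample values are constructed; the first two mirror the entries above, with wscript.exe assumed as the host for the fifpdvUqdn value and the user profile path invented, and the last two are benign entries for contrast.

```python
import re

# Constructed Run-key entries (name -> command). The first two are modelled on
# the values seen in this campaign (wscript.exe assumed as the script host,
# paths invented); the last two are benign entries for contrast.
SAMPLE_RUN_VALUES = {
    "fifpdvUqdn": r'wscript.exe //B "C:\Users\victim\AppData\Roaming\fifpdvUqdn.vbs"',
    "ntfsmgr": r'"C:\Program Files\Java\jre7\bin\javaw.exe" -jar "C:\Users\victim\AppData\Roaming\ntfsmgr.jar"',
    "OneDrive": r'"C:\Users\victim\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
    "SecurityHealth": r'C:\Windows\system32\SecurityHealthSystray.exe',
}

SCRIPT_HOST = re.compile(r'\b[wc]script\.exe\b', re.I)            # wscript.exe / cscript.exe
SCRIPT_FILE = re.compile(r'\.(?:vbs|vbe|js|jse|wsf)\b', re.I)        # script extensions the hosts run
BATCH_MODE = re.compile(r'\s//B\b', re.I)                            # wscript batch mode: no dialogs
JAVA_JAR = re.compile(r'\bjavaw?\.exe"?\s.*-jar\b', re.I)            # java(w).exe ... -jar
USER_WRITABLE = re.compile(r'\\(?:AppData|Temp|ProgramData)\\', re.I)


def triage_run_value(command):
    """Return the reasons a Run value looks like RAT persistence (empty if none)."""
    reasons = []
    if SCRIPT_HOST.search(command) and SCRIPT_FILE.search(command):
        reasons.append("script host launches a script file at logon")
        if BATCH_MODE.search(command):
            reasons.append("//B batch mode hides script errors and prompts")
    if JAVA_JAR.search(command):
        reasons.append("java launches a jar at logon")
    if reasons and USER_WRITABLE.search(command):
        reasons.append("payload sits in a user-writable directory")
    return reasons


def triage_run_key(values):
    """Map every suspicious value name to its reasons; benign values are dropped."""
    hits = {}
    for name, command in values.items():
        reasons = triage_run_value(command)
        if reasons:
            hits[name] = reasons
    return hits


def read_hkcu_run():
    """Read the live HKCU Run key (Windows only; winreg is not available elsewhere)."""
    import winreg
    values = {}
    path = r"Software\Microsoft\Windows\CurrentVersion\Run"
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, path) as key:
        index = 0
        while True:
            try:
                name, data, _ = winreg.EnumValue(key, index)
            except OSError:  # no more values
                break
            values[name] = str(data)
            index += 1
    return values


if __name__ == "__main__":
    for name, reasons in triage_run_key(SAMPLE_RUN_VALUES).items():
        print(name, "->", "; ".join(reasons))
```

On a Windows host, pass `read_hkcu_run()` to `triage_run_key` instead of the constructed sample; the same logic applies to the HKLM Run key and the RunOnce keys.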

The jRat components are easily identified by the directory names "blaz42" and "qt314", which contain the class files.

In our example ntfsmgr.jar is the main file, which then drops the secondary JAR, microsoftkey.jar. Both contain several classes that are platform-specific implementations of the malware's capabilities; the screenshot below shows the supported platforms.

Below is a list of its functionalities, which include playing sound/audio, sending files to remote servers, examining the victim's network configuration, running arbitrary commands, capturing images, stealing passwords, etc.
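The structure described above (a main JAR carrying a second JAR, with classes under the blaz42 and qt314 directories) lends itself to a quick static triage. The following Python script is an added example, not code from the original analysis or from the malware: it builds a constructed stand-in for ntfsmgr.jar in memory (class names, manifest and the dummy "payload" entry are invented), then walks it to report the Main-Class, top-level package directories, .class entries that lack the 0xCAFEBABE magic (a sign of packed or encrypted content), and any nested JARs, recursing into them.

```python
import io
import zipfile

CLASS_MAGIC = b"\xca\xfe\xba\xbe"                 # every real .class file starts with this
JRAT_PACKAGE_DIRS = {"blaz42", "qt314"}           # package directories noted in the analysis


def _fake_class():
    # Minimal stand-in for a class file: correct magic, no real bytecode.
    return CLASS_MAGIC + b"\x00" * 12


def build_sample_jar():
    """Constructed stand-in for ntfsmgr.jar: manifest, classes under the two jRat
    package directories, one non-class blob, and an embedded microsoftkey.jar."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\r\nMain-Class: qt314.Main\r\n")
        z.writestr("qt314/Main.class", _fake_class())
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\r\nMain-Class: blaz42.Loader\r\n")
        z.writestr("blaz42/Loader.class", _fake_class())
        z.writestr("blaz42/Win.class", _fake_class())
        z.writestr("qt314/Lin.class", _fake_class())
        z.writestr("blaz42/payload.class", b"not a class file")   # invented obfuscated blob
        z.writestr("microsoftkey.jar", inner.getvalue())          # secondary jar carried inside
    return outer.getvalue()


def triage_jar(data, depth=0, max_depth=2):
    """Summarise a jar: Main-Class, top-level package dirs, .class entries without
    the class magic, nested jars (recursed into) and hits on the jRat directories."""
    report = {"main_class": None, "packages": set(), "bogus_classes": [],
              "nested": {}, "jrat_hits": set()}
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for name in z.namelist():
            lower = name.lower()
            if lower == "meta-inf/manifest.mf":
                for line in z.read(name).decode("utf-8", "replace").splitlines():
                    if line.lower().startswith("main-class:"):
                        report["main_class"] = line.split(":", 1)[1].strip()
            elif lower.endswith(".class"):
                if "/" in name:
                    report["packages"].add(name.split("/", 1)[0])
                if z.read(name)[:4] != CLASS_MAGIC:
                    report["bogus_classes"].append(name)
            elif lower.endswith(".jar") and depth < max_depth:
                report["nested"][name] = triage_jar(z.read(name), depth + 1, max_depth)
    report["jrat_hits"] = report["packages"] & JRAT_PACKAGE_DIRS
    return report


if __name__ == "__main__":
    print(triage_jar(build_sample_jar()))
```

To run it against a real attachment, replace `build_sample_jar()` with the bytes of the file; the recursion depth limit keeps a JAR-in-JAR-in-JAR chain from turning into a zip bomb walk.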

Houdini, by contrast, is a base64-encoded VBScript that, when decoded, reveals the name "Houdini" within its code.

Upon execution it connects to the remote server goz.unknowncrypter.com.

Some of the sub and function names within the decoded script give a picture of this Trojan's capabilities:

  • information: operating system information gathering, including the volume serial number
  • site-send: send data to the remote server
  • cmd: execute commands using cmd.exe
  • enumprocess: list all running processes
  • uninstall: delete its registry keys and files
  • security: get the OS version and Security Center information
  • fileurl/filedir: HTTP download and save to file
  • upload: send POST data over HTTP
  • set objwmiservice: not a sub but a statement that obtains a WMI service object, showing the script queries WMI
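Because the script only reveals its name and routine list once decoded, a triage step that decodes the base64 blob and inventories the declared subs is more useful than string-matching the encoded file. The following Python is an added example, not the original analysis or the malware's code: it builds a constructed Houdini-like body (empty routine bodies, the C2 host and sub names from the list above; the page writes "site-send", but VBScript identifiers cannot contain a hyphen, so the sample uses an underscore) wrapped in a hypothetical `execute(decode("..."))` stage-one loader, then locates every long base64 run, decodes it with standard base64 (an assumption; the real loader's decoder may differ), and reports the marker, routine names, host and WMI use.

```python
import base64
import re

# Constructed Houdini-like body, not the real sample. Sub names and the host
# come from the analysis above; the port, installdir and parameters are invented.
DECODED_VBS = """'<[ houdini ]>
host = "goz.unknowncrypter.com"
port = 1234
installdir = "%appdata%"
set objwmiservice = getobject("winmgmts:\\\\.\\root\\cimv2")
sub information
end sub
sub site_send (cmd, param)
end sub
sub cmd (param)
end sub
sub enumprocess
end sub
sub uninstall
end sub
sub security
end sub
sub fileurl (url, filename)
end sub
sub filedir (dir, filename)
end sub
sub upload (url, filename)
end sub
"""


def build_sample_loader():
    """Wrap the body the way a base64 stage-one script would (decode, then execute).
    The outer 'decode' helper name is hypothetical."""
    blob = base64.b64encode(DECODED_VBS.encode("latin-1")).decode("ascii")
    return 'execute(decode("' + blob + '"))\r\n'


B64_RUN = re.compile(r"[A-Za-z0-9+/]{120,}={0,2}")                   # long base64 runs only
SUB_NAME = re.compile(r"^\s*(?:sub|function)\s+([A-Za-z_]\w*)", re.I | re.M)
HOST = re.compile(r'^\s*host\s*=\s*"([^"]+)"', re.I | re.M)


def analyze_loader(script_text):
    """Find long base64 runs, decode each (standard base64 assumed) and report
    what the decoded VBScript reveals: marker, routines, C2 host and WMI use."""
    findings = []
    for match in B64_RUN.finditer(script_text):
        try:
            decoded = base64.b64decode(match.group(0), validate=True).decode("latin-1")
        except ValueError:  # not valid base64 after all (binascii.Error is a ValueError)
            continue
        host = HOST.search(decoded)
        findings.append({
            "houdini_marker": "houdini" in decoded.lower(),
            "subs": sorted({name.lower() for name in SUB_NAME.findall(decoded)}),
            "host": host.group(1) if host else None,
            "uses_wmi": "objwmiservice" in decoded.lower(),
        })
    return findings


if __name__ == "__main__":
    for finding in analyze_loader(build_sample_loader()):
        print(finding)
```

Point `analyze_loader` at the text of a real .vbs attachment to get the same inventory; if the routine list comes back empty but a long run decoded cleanly, the loader is using a decoder other than plain base64 and the blob needs a second look.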

SonicWall Capture Labs provide protection against this threat via the following signatures:

  • GAV: jRat.A_2 (Trojan)
  • GAV: jRat.A_3 (Trojan)
  • GAV: Houdini.VBS (Trojan)