From 3294091600af0e7700e983ebaa5001cdcc76d573 Mon Sep 17 00:00:00 2001 From: Deborah Servili Date: Mon, 18 Mar 2019 16:24:55 +0100 Subject: [PATCH] add H-worm RAT --- clusters/rat.json | 12 +++++++++++- 1 file changed, 11 insertions(+), 1 deletion(-) diff --git a/clusters/rat.json b/clusters/rat.json index 92bc2dc3..8c4d33d0 100644 --- a/clusters/rat.json +++ b/clusters/rat.json @@ -3308,7 +3308,17 @@ }, "uuid": "428c8288-6f65-453f-bfa2-4b519d08f8e9", "value": "FlawedGrace" + }, + { + "description": "H-worm is a VBS (Visual Basic Script) based RAT written by an individual going by the name Houdini. We believe the author is based in Algeria and has connections to njq8, the author of njw0rm [1] and njRAT/LV [2] through means of a shared or common code base. We have seen the H-worm RAT being employed in targeted attacks against the international energy industry; however, we also see it being employed in a wider context as run of the mill attacks through spammed email attachments and malicious links.", + "meta": { + "refs": [ + "https://www.fireeye.com/blog/threat-research/2013/09/now-you-see-me-h-worm-by-houdini.html" + ] + }, + "uuid": "1b6a067b-50b9-4aa7-a49b-823e94e210fe", + "value": "H-worm" } ], - "version": 24 + "version": 25 }