Lately, instances of malware with built-in worm functionality have been on the rise. The WannaCry cyberattack is a perfect example: although the malware was classified as ransomware, the attackers used an SMB exploit to propagate it laterally within enterprises in order to increase the number of infections.
The Menlo Security Research Team recently observed and characterized another self-propagating malware strain, named Houdini, as it made nearly 800 call-backs to two separate command-and-control (C2) domains. In addition to its C2 functionality, the Houdini remote access trojan (RAT) possesses the ability to move laterally, leveraging removable drives.
Although Houdini and WannaCry both have worm-like functionality, Houdini does not possess a native ransomware component. However, Houdini is a RAT with the ability to download and execute additional components from the C2, and those components could be ransomware or any other malware.
To learn more about the Houdini infection vector and Menlo Security’s technical analysis - including file system changes, registry changes, domains, URI patterns, and C2 IPs - please download our Research Report.
It’s time to lift the veil of illusion and to expose Houdini once and for all.