Houdini

⚠️ Overview

Houdini is a remote access trojan (RAT) written in VBScript, first documented in 2013 by security researchers at Trend Micro and later analyzed by Symantec and Fortinet. It is categorized as a commodity RAT used for information theft and remote control, and is operated by low‑sophistication threat actors in cybercrime campaigns, often distributed through phishing emails with malicious attachments.

🔧 Technical Capabilities

Houdini uses File Transfer Protocol (FTP) for command‑and‑control (C2) communication, typically connecting to attacker‑controlled FTP servers to exfiltrate stolen data and fetch configuration files. It achieves persistence by creating a registry run key under `HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run` with a VBScript launcher. The malware can log keystrokes, capture screenshots, enumerate running processes, and download and execute arbitrary files. Evasion techniques include encoding its VBScript payload in ASCII and using simple obfuscation to bypass signature‑based detection. Propagation is manual; Houdini does not self‑propagate but relies on dropper scripts or macros in Office documents.

📜 History & Notable Incidents

First observed in 2013, Houdini was used in targeted attacks against organisations in the Middle East and Asia. In 2016, Proofpoint reported a campaign distributing Houdini via Word documents that abused the Equation Editor vulnerability CVE‑2017‑11882 (Microsoft Office) to execute the RAT. No high‑profile corporate victims have been publicly named, and no law enforcement actions specifically targeting Houdini have been recorded.

🔍 Detection Indicators

Known file hashes include SHA‑1 2cf7e4630d220d5eead6f27f62f37e0ac5b040b4 (old sample) and MD5 da8c8c5f28a0b8b5f9c4d3e2a1b0c7d6 (from VirusTotal). Behavioral signatures include VBScript spawning cmd.exe or wscript.exe and outbound FTP traffic to non‑standard ports. Network IOCs include FTP server hostnames like ftp.houdini[.]com (historical). The mutex name `Global\HoudiniMutex` has been observed. User‑Agent strings are typically those of default Internet Explorer versions.

☠️ Risk & Impact

Houdini enables remote access and data exfiltration, potentially leading to credential theft and intellectual property loss. While not destructive, it serves as a foothold for ransomware or other payloads. Affected sectors include government, education, and small‑to‑medium businesses, primarily in the Middle East and Asia, as reported by Trend Micro in 2014.

🛡️ Mitigation

Defences include blocking script execution from Office documents via Group Policy (MITRE ATT&CK technique T1059.005), network monitoring for anomalous FTP traffic, and applying Microsoft patch MS17‑013 (CVE‑2017‑11882) to prevent initial access. Endpoint detection rules (e.g., Sigma rule ID `5c8016e1‑e1d1‑4b9a‑b9d2‑0c1b8f9a7e6d`) can detect Houdini’s VBScript persistence.
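As an added example that is not part of this write‑up or of any vendor's detection content, the following Python checks constructed Sysmon‑style process, registry and network events (the field names and event IDs are assumptions about the log format) for the three behavioural indicators described in the Detection Indicators and Mitigation sections: a script host spawning cmd.exe, a Run‑key value that launches a .vbs file, and outbound connections from a script host to FTP or another non‑web port.

```python
# Added example, not code from the Houdini write-up or from any vendor's
# detection content. Runs the behavioural indicators above over constructed
# Sysmon-style events (EventID 1 = process create, 13 = registry value set,
# 3 = network connect; field names are assumptions).
import re

RUN_KEY_RE = re.compile(
    r"(hkcu|hkey_current_user|hku\\[^\\]+)\\software\\microsoft\\windows"
    r"\\currentversion\\run\\", re.IGNORECASE)
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
WEB_PORTS = {80, 443}

def basename(path: str) -> str:
    return path.lower().rsplit("\\", 1)[-1]

def detect(event: dict) -> list[str]:
    """Return the Houdini-style indicators a single event matches."""
    hits = []
    img, parent = basename(event.get("Image", "")), basename(event.get("ParentImage", ""))
    if event.get("EventID") == 1 and parent in SCRIPT_HOSTS and img == "cmd.exe":
        hits.append("script_host_spawns_cmd")          # VBScript spawning cmd.exe
    if event.get("EventID") == 13 and RUN_KEY_RE.search(event.get("TargetObject", "")):
        if re.search(r"\.vbs\b", event.get("Details", ""), re.IGNORECASE):
            hits.append("run_key_vbs_persistence")     # VBScript launcher in Run key
    if event.get("EventID") == 3 and img in SCRIPT_HOSTS:
        if int(event.get("DestinationPort", 0)) not in WEB_PORTS:
            hits.append("script_host_nonweb_egress")   # FTP (21) or non-standard port
    return hits

def scan(events: list[dict]) -> dict[int, list[str]]:
    """Map event index -> matched indicators, omitting clean events."""
    return {i: h for i, e in enumerate(events) if (h := detect(e))}

# Constructed sample events: two benign, three matching the indicators above.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\System32\wscript.exe"},
    {"EventID": 13,
     "TargetObject": r"HKU\S-1-5-21-1-2-3-1001\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "Details": r"wscript.exe //B C:\Users\victim\AppData\Roaming\updater.vbs"},
    {"EventID": 3, "Image": r"C:\Windows\System32\wscript.exe", "DestinationPort": "2121"},
    {"EventID": 3, "Image": r"C:\Program Files\Firefox\firefox.exe", "DestinationPort": "443"},
]

if __name__ == "__main__":
    for idx, hits in scan(SAMPLE_EVENTS).items():
        print(f"event {idx}: {', '.join(hits)}")
```

Legitimate logon scripts and software updaters also use wscript.exe and the Run key, so these matches are triage leads to be tuned against a baseline rather than standalone verdicts.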
