Wednesday, January 14, 2015

Indicators - Houdini RAT

Threat Name: Houdini

Variants or Other Possible Names: njRAT, Iniduoh.

This RAT (Remote Access Trojan) has been around for a while, and was first posted by FireEye. It is a pretty nasty RAT, but is quite easy to find in log files. I will brush over the indicators on FireEye's website, as well as some other indicators not listed.

Remote Host Connections:

The author is fascinated with and, so start your search with those domains. Below are several other domains used by the RAT:
  • (
  • (

HTTP URI Indicators:
  • /is-ready
HTTP Request Methods:
  • POST
User-agent String Values:

This is an easy catch. The below value is used as a separator in the user-agent string field:
  • <|>
Associated Snort Rule:
  • alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Backdoor.Iniduoh variant outbound connection"; flow:to_server,established; content:"/is-ready"; fast_pattern:only; http_uri; content:"User|2D|Agent|3A 20|"; http_header; content:"|3C 7C 3E|"; within:3; distance:8; http_header; content:"|3C 7C 3E|"; within:18; http_header; content:"|3C 7C 3E|Microsoft Windows"; within:84; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,; classtype:trojan-activity; sid:28817; rev:3;)

Search in the user-agent string field.
  • <\|>

I was never able to find much information for this RAT and I hope it helps you out in your searches.

No comments:

Post a Comment

Please feel free to leave a comment that is relevant to the post.