Skip to main content
Home WSHRAT

WSHRAT

Also known as: Houdini, Hworm, Jenxcus, Kognito, Njw0rm, Dinihou, Dunihi, Autorun

Category: Malware

Type: Remote access trojan (RAT)

Platform: Windows

Variants: WSHRAT has several variants that are used for different purposes.

Damage potential: Data theft (such as passwords), remote device access and control, additional malware installation, surveillance, keylogging, financial loss, data exfiltration, and system disruption.

Overview

WSHRAT is a type of remote access trojan (RAT) that allows cybercriminals to remotely control and manipulate infected Windows systems. First identified in 2013 under the name H-worm, it was originally written in visual basic script (VBS) programming language.

WSHRAT quickly gained notoriety for its extensive capabilities, which include stealing system information, manipulating processes, modifying and deleting files, logging keystrokes, and even accessing the webcam. Initially deployed in targeted attacks against the global energy sector, it later became more widely available, leading to broader, less coordinated cyberattacks.

In 2019, WSHRAT saw a major update, with the new version being completely rewritten in JavaScript. Despite the change in programming language, this iteration retained many of the characteristics of the original VBS version, such as its command-and-control (C2) server structure and behavior patterns.

Possible symptoms

Possible symptoms of a WSHRAT infection include:

  • Slow system performance.
  • Unusual network traffic (such as data transmissions to unknown command and control servers).
  • Unexpected prompts asking for permissions or admin access.
  • Frequent browser redirects to unfamiliar websites.
  • You notice apps that you did not install yourself.
  • Changes in settings (this may involve disabled security features or unauthorized permissions for apps).
  • Changes in system behavior, like programs opening or closing on their own.
  • Unexplained outgoing emails or messages.
  • Sudden device or app crashes.

Sources of infection

WSHRAT can spread in many ways, often through social engineering tactics that trick users into downloading and installing the malware on their Windows devices.

  • Phishing links. If you have clicked on a malicious link or malvertising or opened an unsafe attachment, you may unknowingly download WSHRAT. This risk also applies to phishing emails, SMS messages, or messaging apps.
  • Drive-by downloads. Users may accidentally download WSHRAT when they visit a compromised website.
  • Exploiting cybersecurity vulnerabilities. WSHRAT may infect a device by exploiting security vulnerabilities in the Windows operating system or in browsers.
  • Fake updates. WSHRAT can disguise itself as a legitimate update for your software or browser.
  • Compromised software. You may unknowingly download WSHRAT by installing software from untrusted sources that contain the malware.
  • Infected documents. WSHRAT can be embedded in scripts within ZIP files or other document formats.
  • Removable drives. WSHRAT can spread through removable drives via autorun files.

Protection

To protect your device, always accept update notifications from your antivirus software or any malware protection app on your device. Additionally, consider these measures to safeguard your device and personal information even further:

  • Regularly update your software. WSHRAT is known to target security vulnerabilities. Keep your software updated to protect your devices from the latest cybersecurity threats.
  • Download updates and software from trusted sources. Only use official and reliable sources for downloads.
  • Enable multi-factor authentication (MFA). While multi-factor authentication itself can’t prevent a WSHRAT infection, it can help protect your accounts even if WSHRAT steals your passwords.
  • Be wary of phishing emails. WSHRAT can spread via phishing and spam emails. If you get an email that sounds off or urges you to click on a link, act with caution.
  • Stay alert while browsing. Hackers may use malicious ads or create fake websites that look legitimate to spread WSHRAT and other trojans. Pay close attention to the websites you visit, and be cautious about the links you click on.
  • Use NordVPN’s Threat Protection Pro. Tools like NordVPN’s Threat Protection Pro can block access to known malicious sites, adding an additional layer of protection while browsing online.

WSHRAT Removal

Removing WSHRAT from a Windows device can be challenging, but it’s entirely manageable. First, reboot your Windows device into safe mode to prevent the malware from starting up automatically.

Next, disconnect your device from the internet to prevent the malware from communicating with its C&C servers. Then, use reputable antivirus or anti-malware software to run a full system scan. Follow the steps provided by the software to quarantine and remove the malware.

If your antivirus software cannot fully remove WSHRAT, you may need to manually delete its files and registry entries. This process is risky because incorrectly deleting system files or registry entries can cause serious issues. We recommend that only users with advanced technical knowledge try this.

If you’re unsure or uncomfortable with the process, seek professional assistance. Additionally, keep your operating system, software, and drivers up to date with the latest patches to close any vulnerabilities that WSHRAT might exploit.

If the malware persists, consider performing a factory reset on your Windows device. However, before you do this, back up any important data — such as photos and documents — to ensure you don’t lose anything valuable.

WSHRAT removal on Windows can be complicated, so if you’re unsure what to do next or the malware persists, seek help from an experienced IT professional or cybersecurity expert.