In a newly uncovered cybersecurity threat, a malware campaign named "Horns&Hooves" has been identified, targeting Russian retailers and service businesses since March 2023. The campaign, led by the cybercriminal group TA569, also known as Mustard Tempest and Gold Prelude, employs phishing emails to compromise victim systems by deploying remote access tools and information-stealing malware.
Tactics and Techniques
TA569 utilizes a range of deceptive tactics to trick recipients into opening malicious emails. These emails are cleverly designed to mimic legitimate business communications, such as requests for quotes or proposals. They often contain malicious JavaScript or HTA scripts that are embedded within zip archive attachments. Unsuspecting targets who open these attachments unwittingly trigger the download and execution of harmful payloads.
Malicious Payloads
Once the malicious scripts are executed, a range of remote access tools are installed on the target system. Notably, tools like NetSupport Manager, often weaponized as NetSupport RAT, and BurnsRAT are deployed. These tools provide the attackers with extensive control over the infected systems, enabling them to manage the machine remotely, execute commands, and manipulate files at will.
Objectives of the Attacks
The primary aim of these cyber attacks is to use the remote access capabilities to deploy additional malware, primarily information stealers. Rhadamanthys and Meduza are among the most commonly installed malware, designed to harvest sensitive data from the compromised systems. This stolen information can then be used for further criminal activities or sold on the dark web.
Evolution of Techniques
Over time, the "Horns&Hooves" campaign has shown a significant evolution in its techniques, shifting from the use of HTA scripts to download decoy documents and malware, to incorporating JavaScript files and intermediary scripts. These scripts ensure the automated download of additional components, such as malicious BAT scripts and decoy documents, making the attacks more covert and harder to detect.
Persistence and Concealment
To maintain persistence and avoid detection, the downloaded payloads are cleverly stored in less conspicuous directories, such as %APPDATA%VCRuntimeSync. Additionally, autorun registry entries are created to ensure the malware is executed every time the system restarts. The delivery of BurnsRAT via a DLL side-loading technique further enhances the attackers’ capabilities, allowing remote desktop connections, command execution, and file transfers.
Data Encryption and Exfiltration
Once the phishing emails successfully compromise the targeted systems, the remote access tools allow the attackers to take control of the victim’s computer, gaining unauthorized access to sensitive information. The information-stealing malware then further compromises security by extracting valuable data, such as financial details and personal information.
This campaign represents a significant threat to the cybersecurity landscape, especially for businesses in the retail and service sectors in Russia. It highlights the ongoing need for heightened security measures and cybersecurity awareness to protect against such sophisticated attacks. Businesses are urged to remain vigilant and adopt strong security protocols to safeguard their systems.