A sophisticated malware campaign, dubbed Horns&Hooves, is targeting private users, retailers, and service businesses in Russia. This attack delivers Remote Access Trojans (RATs), including NetSupport RAT and BurnsRAT, using fake email attachments and malicious JavaScript payloads.
Since its discovery in March 2023, the campaign has impacted over 1,000 victims. The attackers use these RATs to gain unauthorized access, eventually installing data-stealing malware like Rhadamanthys and Meduza. Fake emails disguised as customer or partner inquiries contain ZIP files loaded with harmful JavaScript scripts.
The attackers continuously refine their methods. For example, early campaign samples featured HTML Application (HTA) files. These files downloaded decoy images and additional scripts from remote servers to execute malware installation chains. Later variants included JavaScript mimicking legitimate libraries like Next.js to deploy the malware.
Some iterations of the attack included NSIS installers embedded within JavaScript to deploy BurnsRAT. The malware supports functions like downloading files, executing commands, and activating the Remote Manipulator System (RMS). RMS enables remote desktop control, file transfers, and command execution across networks.
Security reports suggest a connection between this campaign and a threat actor known as TA569 (also called Gold Prelude or Mustard Tempest). TA569 is infamous for operating FakeUpdates malware and brokering initial access for ransomware attacks like WastedLocker. This raises concerns about the potential for data theft, ransomware deployment, and system disruptions in victim organizations.
Organizations can defend against Horns&Hooves by implementing email filtering tools and training employees to identify phishing attempts. Avoid opening suspicious email attachments, even if they appear legitimate. Use robust antivirus software and keep systems updated to close security vulnerabilities. Additionally, monitor for unusual network activity to detect and block malicious payloads early.
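As an added example of the email-filtering check described above (my code, not the article's or any vendor's), the function below opens a ZIP attachment and flags members with script extensions, the lure shape this campaign relied on; it also descends into nested ZIPs so a double-wrapped archive is caught. The extensions beyond .js and .hta, the member names and the placeholder bytes are constructed assumptions.

```python
import io
import zipfile

# Script types the campaign hid inside ZIP lures (.js and .hta are from the
# article); the remaining Windows Script Host extensions are my assumption.
SCRIPT_EXTENSIONS = {".js", ".jse", ".hta", ".wsf", ".wsh", ".vbs", ".vbe"}
NESTED_ARCHIVE_EXTENSIONS = {".zip"}

def _extension(name: str) -> str:
    # Lower-cased extension of a member path, or '' when it has none.
    dot = name.rfind(".")
    return name[dot:].lower() if dot != -1 else ""

def scan_zip_attachment(data: bytes, depth: int = 0, max_depth: int = 2) -> list[str]:
    """Return paths of script members found in a ZIP attachment.
    Nested ZIPs are opened up to max_depth; non-ZIP data yields [].
    """
    findings: list[str] = []
    try:
        archive = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return findings
    for info in archive.infolist():
        if info.is_dir():
            continue
        ext = _extension(info.filename)
        if ext in SCRIPT_EXTENSIONS:
            findings.append(info.filename)
        elif ext in NESTED_ARCHIVE_EXTENSIONS and depth < max_depth:
            inner = scan_zip_attachment(archive.read(info), depth + 1, max_depth)
            findings.extend(f"{info.filename}/{path}" for path in inner)
    return findings

def _make_zip(members: dict[str, bytes]) -> bytes:
    # Build an in-memory ZIP from {member name: bytes}.
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        for name, payload in members.items():
            archive.writestr(name, payload)
    return buf.getvalue()

# Constructed samples (placeholder bytes, not real payloads).
BENIGN_ATTACHMENT = _make_zip({"Invoice_0423.pdf": b"%PDF-1.4 placeholder"})
LURE_ATTACHMENT = _make_zip({
    "Customer inquiry.pdf": b"%PDF-1.4 placeholder",
    "Order details.js": b"// placeholder script body",
})
# The same lure wrapped in a second ZIP, to exercise the nested-archive path.
NESTED_LURE = _make_zip({"docs.zip": LURE_ATTACHMENT})
```

In a mail gateway the returned list would drive a quarantine decision; an empty list means no script member was found at any inspected depth.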