Summary:
Recent months have witnessed a significant increase in malicious email campaigns utilizing lookalike attachments, particularly ZIP files containing JScript scripts. These scripts, often disguised as legitimate requests for proposals, have targeted numerous users and businesses, primarily in Russia. The campaign, dubbed Horns&Hooves, has evolved over time, employing various methods to deliver the NetSupport RAT, a tool commonly exploited by cybercriminals. The attackers have shown adaptability in their tactics, leading to concerns about the potential for data theft and system compromise.
#HornsAndHooves #NetSupportRAT #EmailScams
Recent months have witnessed a significant increase in malicious email campaigns utilizing lookalike attachments, particularly ZIP files containing JScript scripts. These scripts, often disguised as legitimate requests for proposals, have targeted numerous users and businesses, primarily in Russia. The campaign, dubbed Horns&Hooves, has evolved over time, employing various methods to deliver the NetSupport RAT, a tool commonly exploited by cybercriminals. The attackers have shown adaptability in their tactics, leading to concerns about the potential for data theft and system compromise.
#HornsAndHooves #NetSupportRAT #EmailScams
Keypoints:
Surge in malicious emails with ZIP attachments containing JScript scripts.
Campaign named Horns&Hooves primarily targets users in Russia.
Attackers disguise scripts as legitimate business requests.
NetSupport RAT is the primary payload used in the attacks.
Attackers have adapted their tactics over time, experimenting with new tools.
Potential for data theft and system compromise is significant.
License files used in the campaign link it to the TA569 group.
Various versions of the malicious scripts have been identified, each with unique characteristics.
MITRE Techniques
Execution (T1203): Malicious scripts executed via email attachments.
Persistence (T1547): Modifying startup items to maintain access.
Command and Control (T1071): Establishing communication with compromised systems using NetSupport RAT.
Credential Access (T1003): Potentially collecting sensitive information from infected systems.
Exfiltration (T1041): Sending data back to the attackers’ servers.
IoC:
[File Name] Заявка на закупку…
[File Name] Запрос цен…
[File Name] досудебная претензия от 18.05.2023 №5 от компании ооо <НАЗВАНИЕ_КОМПАНИИ>.js
[File Name] заявка на закупки №113 от компании <НАЗВАНИЕ_КОМПАНИИ> на май 2023 года.js
[File Name] purchase request from LLC No. 3.js
[File Hash] 327a1f32572b4606ae19085769042e51
[File Hash] b3bde532cfbb95c567c069ca5f90652c
[File Hash] 5f4284115ab9641f1532bb64b650aad6
[File Hash] 63647520b36144e31fb8ad7dd10e3d21
[File Hash] b03c67239e1e774077995bac331a8950
[File Hash] ba69cc9f087411995c64ca0d96da7b69
[File Hash] 051552b4da740a3af5bd5643b1dc239a
[IP Address] 193.42.32.138
[IP Address] 188.227.58.243
[IP Address] 45.133.16.135
[Domain] xoomep1[.]com
[Domain] xoomep2[.]com
[Domain] golden-scalen[.]com
[Domain] 87[.]251[.]67[.]51
[Domain] 31[.]44[.]4[.]40
[Domain] 188[.]227[.]106[.]124
[Domain] 45[.]133[.]16[.]135
[Domain] labudanka1[.]com
[Domain] labudanka2[.]com
[Domain] gribidi1[.]com
[Domain] gribidi2[.]com
[Domain] shetrn1[.]com
[Domain] shetrn2[.]com
Full Research: https://securelist.com/horns-n-hooves-campaign-delivering-netsupport-rat/114740/