Summary
Researchers from Kaspersky's SecureList revealed new details regarding the Horns&Hooves cyber campaign, active since March 2023, which has targeted over a thousand users and businesses in Russia (including retailers) using malicious JScript (JS) scripts disguised as legitimate email attachments.
These scripts deploy the legitimate remote administration tool, NetSupport, for malicious purposes, granting attackers remote access to infected systems. The campaign evolved through several iterations, refining its techniques to improve obfuscation and efficiency. Researchers from SecureList attribute the campaign to the TA569 group, which monetizes access to compromised systems by selling it to other cybercriminal groups online.
Community Impact
Retail and service-oriented businesses were among the primary victims of the Horns&Hooves cyber campaign, underlining these sectors' exposure to supply chain exploitation. Over the course of the campaign, the attackers changed some of their tactics and experimented with new tools. For instance, they gradually moved away from using additional servers to deliver the payload, demonstrating the sophistication of the threat group. RH-ISAC Members are advised to review the intelligence included in this report and in the linked report above, and to ingest the Indicators of Compromise included below.
Analysis
The Horns&Hooves campaign leverages malicious JScript scripts disguised as business-related email attachments, targeting over a thousand users and businesses, mainly in Russia. These scripts distribute the legitimate NetSupport Manager software, repurposed as a remote access trojan (RAT), to give attackers remote control of infected systems. The campaign evolved through multiple versions, enhancing obfuscation, integrating payloads directly into the scripts, and switching between RAT tools including BurnsRAT and NetSupport RAT. Researchers from SecureList attribute this activity to the TA569 group, which brokers access to compromised systems for other cybercriminals and organizations.
Key techniques include believable email lures carrying additional attachments, unconventional decoy formats (e.g., PNG and TXT files), and the use of legitimate tools to evade detection. The group’s reliance on software like RDP Wrapper expands the RAT’s capabilities, allowing greater system control. Connections between Horns&Hooves and TA569 were corroborated through shared license files and identical configuration parameters.
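As an added detection example (not code from the SecureList report or from RH-ISAC), the following Python flags the two observables described above: email attachments that are scripts posing as business documents, and host files belonging to the toolset the report names (the NetSupport client and RDP Wrapper). The component file names are assumed from general knowledge of those tools rather than taken from this page, and all sample inputs are constructed.

```python
# Added example, not from the SecureList report: flag attachments matching the
# described lure (JScript posing as a business file) and host files matching the
# described toolset. Tool file names are well-known components, not from the page.
from typing import List, Optional

# Extensions Windows Script Host / mshta execute on double-click.
SCRIPT_EXTS = {"js", "jse", "wsf", "vbs", "vbe", "hta"}
# Document-looking inner extensions that make a script pass as a business file.
DECOY_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "txt", "png", "jpg"}
# NetSupport Manager client components (assumed well-known names).
NETSUPPORT_FILES = {"client32.exe", "client32.ini", "pcicapi.dll", "pcichek.dll"}
# RDP Wrapper components (assumed well-known names).
RDPWRAP_FILES = {"rdpwrap.dll", "rdpwrap.ini", "rdpwinst.exe"}

def classify_attachment(filename: str) -> Optional[str]:
    """Return a finding for a script attachment, else None."""
    parts = filename.lower().split(".")
    if len(parts) < 2 or parts[-1] not in SCRIPT_EXTS:
        return None
    if len(parts) > 2 and parts[-2] in DECOY_EXTS:
        return f"script disguised as document: {filename}"
    return f"script attachment: {filename}"

def classify_host_file(path: str) -> Optional[str]:
    """Return a finding for a NetSupport/RDP Wrapper artifact worth triage, else None."""
    norm = path.replace("\\", "/").lower()
    base = norm.rsplit("/", 1)[-1]
    if base in NETSUPPORT_FILES:
        # A licensed NetSupport install normally lives under Program Files; a copy
        # in a user-writable folder fits RAT-style deployment. Tune per estate.
        if "/program files" in norm:
            return None
        return f"NetSupport client outside Program Files: {path}"
    if base in RDPWRAP_FILES:
        return f"RDP Wrapper component: {path}"
    return None

def scan(attachments: List[str], host_files: List[str]) -> List[str]:
    """Run both checks and return all findings in input order."""
    findings = [f for f in map(classify_attachment, attachments) if f]
    findings += [f for f in map(classify_host_file, host_files) if f]
    return findings

if __name__ == "__main__":
    # Constructed sample data, not indicators from the report.
    for line in scan(["invoice_0412.pdf.js", "zayavka.docx", "order.jse"],
                     [r"C:\Users\u\AppData\Roaming\NSM\client32.exe",
                      r"C:\Program Files (x86)\NetSupport\client32.exe",
                      r"C:\Users\u\AppData\Local\Temp\rdpwrap.dll"]):
        print(line)
```

The Program Files heuristic only separates a typical licensed install from a dropped copy; any NetSupport hit should still be checked against the organization's software inventory.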
Indicators of Compromise
The following Indicators of Compromise were included by SecureList: