A long-running campaign, Horns&Hooves, delivers NetSupport RAT to targets primarily in Russia by disguising ZIP archives with JScript or HTA scripts as legitimate client inquiries. The operation shows ties to the TA569 group and demonstrates how legitimate remote-support software can be abused for remote access and data theft.
#HornsHooves #NetSupport_RAT #TA569 #BurnsRAT #RMS
Key points
- Campaign Horns&Hooves began around March 2023 and affected over a thousand private users, trading companies, and service providers primarily in Russia.
- Malicious scripts are disguised as requests and invoices, often named to resemble price inquiries or purchase orders.
- Attackers evolved their scripts over time, changing the payload delivery while keeping the same distribution method.
- Early versions used HTA scripts; later versions transitioned to JScript scripts.
- Payloads include NetSupport RAT, a legitimate remote-management tool repurposed for malicious use.
- Attackers employed various bait formats, including PNG images and TXT documents, to conceal the payload.
- Indicators point to a possible TA569 link, based on configuration files and license usage patterns.
- NetSupport RAT provides attackers with remote access, enabling potential data theft or system damage.
MITRE Techniques
- [T1219] Remote Access Tools – NetSupport RAT is used for remote access and control of infected systems.
- [T1203] User Execution – Malicious scripts are executed by users who open the ZIP files and run the scripts.
- [T1071] Command and Control – NetSupport RAT connects to attacker-controlled servers for command and control.
- [T1027] Obfuscated Files or Information – Malicious scripts are obfuscated to hide their true intent and evade detection.
Indicators of Compromise
- [Domain] Domains used by the campaign – xoomep1.com, xoomep2.com, labudanka1.com, labudanka2.com, gribidi1.com, gribidi2.com, and 2 more TA569 domains
- [IP] IP addresses involved in command and control or hosting – 193.42.32.138, 87.251.67.51
- [MD5 Hash] Hashes of malicious payloads – 327a1f32572b4606ae19085769042e51, b3bde532cfbb95c567c069ca5f90652c, and more hashes
- [File name] Droppers/loaders and payload names – client32.exe, BLD.exe, 1.js, and 8 more file names
- [License File] License keys used in NetSupport RAT builds – licensee=HANEYMANEY, licensee=DCVTTTUUEEW23, licensee=DERTERT
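As an added detection example (not code from the Securelist report), the Python below does two things a defender can act on from this summary: it flags JScript/HTA entries in a ZIP whose file names mimic the price-inquiry or invoice lures, and it checks a NetSupport license text for the `licensee=` values listed above. The lure keyword list and the sample archive are assumptions constructed for the example.

```python
import io
import re
import zipfile

# Script types the campaign used (HTA in early versions, JScript later).
SCRIPT_EXTS = (".js", ".jse", ".hta", ".wsf")
# Lure wording (price inquiries, purchase orders, invoices); keyword list is an assumption.
LURE_WORDS = re.compile(r"(invoice|price|order|request|inquiry)", re.I)
# Licensee values from the indicators of compromise above.
KNOWN_LICENSEES = {"HANEYMANEY", "DCVTTTUUEEW23", "DERTERT"}


def suspicious_zip_entries(zip_bytes: bytes) -> list[str]:
    """Return names of script entries whose file name looks like a commercial lure."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for name in zf.namelist():
            lower = name.lower()
            if lower.endswith(SCRIPT_EXTS) and LURE_WORDS.search(lower):
                hits.append(name)
    return hits


def netsupport_licensee_hits(license_text: str) -> list[str]:
    """Return licensee values (one per 'licensee=' line) that match the campaign's builds."""
    found = re.findall(r"^\s*licensee\s*=\s*(\S+)", license_text, re.M | re.I)
    return [v for v in found if v.upper() in KNOWN_LICENSEES]


def build_sample_zip() -> bytes:
    """Constructed sample archive mimicking the lure layout (not a real campaign file)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Price_inquiry_2023.js", "// placeholder content, not a real script\n")
        zf.writestr("readme.txt", "plain text, no script\n")
    return buf.getvalue()


if __name__ == "__main__":
    print(suspicious_zip_entries(build_sample_zip()))
    print(netsupport_licensee_hits("licensee=HANEYMANEY\nserial_no=PLACEHOLDER\n"))
```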
Read more: https://securelist.ru/horns-n-hooves-campaign-delivering-netsupport-rat/110772/