December 4, 2024

Horns&Hooves New Malware Campaign Targets Russian Businesses


Horns&Hooves Malware Targets Russian Businesses & Users

In a concerning development for cybersecurity experts and Russian businesses alike, a sophisticated malware campaign dubbed "Horns&Hooves" has emerged, targeting private users, retailers, and service businesses primarily located in Russia. The campaign, which began around March 2023, has already affected more than a thousand victims and shows no signs of slowing down.

The Horns&Hooves campaign, named after a fictitious organization in the Soviet comedy novel "The Golden Calf," employs a clever social engineering tactic to infiltrate its targets. Attackers send emails with lookalike attachments in the form of ZIP archives containing malicious JScript files. These scripts are disguised as legitimate business documents, such as price requests, proposals, or bids from potential customers or partners.

Kaspersky, a leading cybersecurity firm, has been tracking the campaign and reports that the malicious scripts are designed to download and install two types of Remote Access Trojans (RATs): NetSupport RAT and BurnsRAT. These RATs give attackers unauthorized access to victims' systems, potentially leading to data theft, further system compromise, or even ransomware attacks.

The campaign's modus operandi involves sending emails with subject lines that appear to be routine business communications. For example, one common subject line translates to "Request for price and proposal from sole trader <name> for August 2024." The attached ZIP files contain scripts with names that match the email subject, further enhancing their appearance of legitimacy.

To add an extra layer of credibility, the attackers sometimes include genuine-looking documents in the archive, such as copies of passports, extracts from the Russian Unified State Register of Legal Entities, tax registration certificates, and company cards. This attention to detail makes it increasingly difficult for targets to distinguish between legitimate communications and malicious ones.

The Horns&Hooves campaign has evolved since its inception, with attackers making significant changes to their scripts while maintaining the same distribution method. Early versions of the campaign used scripts with the HTA extension, but more recent iterations have switched to JS scripts. This evolution demonstrates the attackers' ability to adapt and refine their techniques over time.
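The delivery pattern described above (a ZIP attachment holding an HTA or JS script named after the email subject, sometimes alongside decoy documents) can be checked at the mail gateway or during triage. The following is an added example, not code from Kaspersky or from this article; the function names and the sample archive are constructed for illustration.

```python
import io
import re
import zipfile
from pathlib import PurePosixPath

# Script types the article names for this campaign: HTA in early waves, JS later.
SCRIPT_EXTS = {".hta", ".js"}

def _norm(text):
    """Lowercase and collapse punctuation so file names and subjects compare."""
    return re.sub(r"[\W_]+", " ", text.lower()).strip()

def triage_zip(zip_bytes, subject):
    """Flag script members of a ZIP attachment and note lure characteristics."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        names = [n for n in zf.namelist() if not n.endswith("/")]
    scripts = [n for n in names if PurePosixPath(n).suffix.lower() in SCRIPT_EXTS]
    others = [n for n in names if n not in scripts]
    subj = _norm(subject)
    findings = []
    for name in scripts:
        stem = _norm(PurePosixPath(name).stem)
        findings.append({
            "member": name,
            # Script named after the email subject, as the article describes.
            "matches_subject": bool(stem and subj) and (stem in subj or subj in stem),
            # Non-script files beside the script may be decoy documents.
            "decoys_present": bool(others),
        })
    return findings

def build_sample():
    """Constructed sample: a harmless archive shaped like the lure described above."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Request for price and proposal.js", "// inert placeholder")
        zf.writestr("company_card.pdf", "placeholder")
    return buf.getvalue()

if __name__ == "__main__":
    subject = "Request for price and proposal from sole trader <name> for August 2024"
    for finding in triage_zip(build_sample(), subject):
        print(finding)
```

Any script member inside an archive attached to a business email is worth quarantining on its own; the subject match and decoy flags only help prioritise review.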

Cybersecurity researchers have drawn potential connections between the Horns&Hooves campaign and a known threat actor group called TA569 (also known as Mustard Tempest or Gold Prelude). This association is based on similarities in the license files used for the NetSupport RAT builds and near-identical configuration files. However, researchers caution that more evidence is needed to definitively attribute the campaign to TA569.

The campaign's focus on Russian targets is noteworthy, as it bucks the trend of many high-profile cyber attacks that originate from Russia and target Western institutions. This shift in focus highlights the global nature of cyber threats and serves as a reminder that no region is immune to such attacks.

For businesses and individuals in Russia, the Horns&Hooves campaign underscores the critical importance of maintaining robust cybersecurity practices. This includes being vigilant about email attachments, even those that appear to be from legitimate sources, and keeping all software and security systems up to date.

As the campaign continues to evolve, cybersecurity experts are working to develop better detection and prevention methods. However, the sophisticated nature of the attack, combined with its use of social engineering tactics, makes it a formidable threat that is likely to persist in the near future.

The Horns&Hooves campaign serves as a stark reminder of the ever-present and evolving nature of cyber threats in today's interconnected world. As attackers continue to refine their methods and expand their targets, businesses and individuals must remain vigilant and proactive in their approach to cybersecurity. The battle against malware and cyber attacks is ongoing, and staying informed about the latest threats is crucial for maintaining a strong defense against these digital adversaries.


Anthony Denis

Anthony Denis is a Security News Reporter with a Bachelor's in Business Computer Application. Drawing from a decade of digital media marketing experience and two years of freelance writing, he brings technical expertise to cybersecurity journalism. His background in IT, content creation, and social media management enables him to deliver complex security topics with clarity and insight.
