Analysis Summary

NetSupport RAT and BurnsRAT are being distributed by a recently identified malware operation that primarily targets Russian private users, retailers, and service providers.

Researchers called the campaign Horns&Hooves, and since it started in March 2023, it has affected over 1,000 people. The ultimate objective of these attacks is to install stealer malware, like Rhadamanthys and Meduza, by taking advantage of the access that these trojans provide. Mails with mimic email attachments in the form of ZIP files containing JScript scripts have become more common in recent months. The script files are presented as bids and inquiries from possible partners or clients.

The operations' threat actors have shown that they actively develop the JavaScript payload, making notable modifications during the campaign. In certain cases, it has been discovered that the ZIP archive includes additional documents pertaining to the company or person being impersonated in order to boost the phishing attack's chances of success and trick the target into opening the malicious file.

One of the first examples of the campaign was an HTML Application (HTA) file that, when executed, uses the curl tool for Windows to download a fake PNG image from a distant server. It also uses the BITSAdmin command-line tool to covertly retrieve and execute another script ("bat_install.bat") from a separate server. The recently downloaded script then uses BITSAdmin to retrieve a number of additional files, including the NetSupport RAT malware, which connects to a command-and-control (C2) server that the attackers have set up.

A later version of the campaign, seen in mid-May 2023, used intermediate JavaScript to activate the NetSupport RAT infection chain by imitating trustworthy JavaScript libraries such as Next.js. Another version of the JavaScript file that dropped an NSIS installer, which is then in charge of spreading BurnsRAT on the vulnerable host, was also discovered. The primary function of this component is to launch the Remote Manipulator System (RMS) as a service and transmit the RMS session ID to the attackers' server, even though the backdoor also supports commands for remotely downloading and running files and other ways to run commands via the Windows command line.

RMS is a program that enables network-based user interaction with distant systems. It enables desktop management, command execution, file transfers, and data interchange between devices in various geographical locations. Two other attack sequences discovered in late May and June 2023 included a fully redesigned BAT file for installing NetSupport RAT and integrated the malware directly into the JavaScript code, respectively, indicating that the threat actors were still adjusting their methods of operation.

A threat actor identified as TA569 (also known as Gold Prelude, Mustard Tempest, and Purple Vallhund) is suspected of running the SocGholish (also known as FakeUpdates) malware and is responsible for the campaign. The reason for this relationship is that the NetSupport RAT licensing and configuration files used in the various operations overlap. Notably, TA569 has also been observed to serve as an initial access broker for subsequent ransomware attacks, like WastedLocker.

Impact

• Unauthorized Access
• Information Theft
• Command Execution

Indicators of Compromise

SHA1

• 6e26e7ec76c94aea95e4a07bcc256a15b85d9514
• 27fe39b6b053685d4c781a7fa809840ebaab15d7
• 90840b3feaf876f01e12cab4824bfaa730c18c6a
• c53f689478e3abd254ce56a8f2113ed989913f81
• 79bffe330575dcb9d0fe746325bc42e48da397f4
• cdbb5a4ffcd22d3b875380e863bbfb67d1393af5
• d32efd8faf1ff563dc49c1ff5f337257ef2008c7
• 55316c38ef8b383a2589c7cabb150a482feaa4a8
• d14a665438385203283030a189ff6c5e7c4bf518
• abfcd51bb120a7eae5bbd9a99624e4abe0c9139d

URL

• http://193.42.32.138/api/
• http://87.251.67.51/api/
• http://31.44.4.40/test/bat_install.bat
• https://golden-scalen.com/files/*
• http://188.227.58.243/pretencia/www.php
• http://188.227.58.243/zayavka/www.php
• http://188.227.58.243/pretencia/installet_bat_vbs.bat
• http://188.227.106.124/test/js/www.php
• http://188.227.106.124/test/js/BLD.exe
• http://188.227.106.124/test/js/1.js
• http://45.133.16.135/zayavka/www.php
• http://45.133.16.135/zayavka/666.bat
• http://45.133.16.135/zayavka/1.yay
• http://golden-scalen.com/ngg_cl.zip

Remediation

• Block all threat indicators at your respective controls.
• Search for indicators of compromise (IOCs) in your environment utilizing your respective security controls.
• Educate potential targets on the risks associated with engaging in online conversations with unknown individuals, especially on social media platforms.
• Encourage individuals to use secure communication tools and platforms that offer end-to-end encryption to protect sensitive information.
• Conduct phishing awareness training to help them recognize and avoid social engineering attacks, such as deceptive messages and links.
• Advise users to enable MFA on their accounts to add an extra layer of protection against unauthorized access.
• Ensure that all devices and software used are up to date with the latest security patches to mitigate vulnerabilities.
• Train individuals to be cautious when interacting with unknown individuals online and to be vigilant about unusual or suspicious requests.
• Implement network monitoring and intrusion detection systems to detect any unauthorized access attempts or unusual activities.
• Recommend the use of secure messaging and communication platforms that offer end-to-end encryption and protect conversations from interception.