The Horns&Hooves campaign delivers ZIP archives containing JScript scripts whose names mimic customer and partner requests. The archives also carry decoy documents related to the targeted organization, and the malware runs under licenses belonging to the cybercriminal group TA569.
The campaign, which has hit over one thousand users in Russia, began in March 2023; the scripts have been modified since then, while the distribution method has stayed the same.
The early samples, dating back to April and May 2023, used scripts with the .hta extension. These scripts work through the DOM: they create nodes, remove nodes, or replace one node with another.
Later versions of the campaign switched to JS scripts with file names built from variations of "request" and "purchase request", chosen to prompt the recipient to open them.
By binding the malicious code to a label or a linked scope, the attackers made it execute when the corresponding check box in the browser window is checked.
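The lure described above (a script file whose name mimics a request document, sometimes with a document-style extension in front of the script extension) is something mail-gateway or triage tooling can flag before anyone opens the archive. The following is an added example written for this page, not code from Kaspersky or any other project; the extension lists, the lure keywords, and the sample archive members are assumptions constructed for illustration, not real file names from the campaign.

```python
import io
import re
import zipfile

# Script types Windows will run on double-click (assumed list; extend as needed).
SCRIPT_EXTS = {".js", ".jse", ".hta", ".vbs", ".vbe", ".wsf"}
# Document extensions an attacker might place before the real script extension.
DOC_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".rtf"}
# "Request"-style wording in English and Russian (assumed keyword set).
LURE_WORDS = re.compile(r"(request|purchase|order|invoice|заявка|запрос|заказ)", re.IGNORECASE)


def classify_member(name: str):
    """Return a finding dict if the archive member looks like a script lure, else None."""
    base = name.lower().rsplit("/", 1)[-1]      # strip any folder prefix
    parts = base.split(".")
    if len(parts) < 2:
        return None
    ext = "." + parts[-1]
    if ext not in SCRIPT_EXTS:
        return None
    reasons = [f"script extension {ext}"]
    # "Purchase request.pdf.js": a document extension hidden before the script one.
    if len(parts) >= 3 and "." + parts[-2] in DOC_EXTS:
        reasons.append("double extension mimicking a document")
    if LURE_WORDS.search(base):
        reasons.append("request-style lure name")
    return {"name": name, "reasons": reasons}


def triage_zip(data: bytes):
    """Scan every file entry of a ZIP held in memory and collect the suspicious ones."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            hit = classify_member(info.filename)
            if hit:
                findings.append(hit)
    return findings


def build_sample_archive() -> bytes:
    """Constructed test archive: two script lures plus a harmless decoy document."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Purchase request.pdf.js", "// constructed placeholder, not a real script\n")
        zf.writestr("Request 2023.hta", "<html><body>constructed placeholder</body></html>\n")
        zf.writestr("Price list.pdf", "%PDF-1.4 constructed decoy, no content\n")
    return buf.getvalue()


if __name__ == "__main__":
    for finding in triage_zip(build_sample_archive()):
        print(finding["name"], "->", "; ".join(finding["reasons"]))
```

The check deliberately keys on the member name rather than content, because the lure works before any script runs: a script extension on a file that claims to be a request document is reason enough to hold the attachment for review. Content inspection (for example looking for HTA or DOM-manipulation markers) would be a separate, stricter layer.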
The NetSupport RAT, which also reaches systems through scam websites and fake browser updates posing as technical support, is used to remotely access and manage the infected devices.
The attackers also deploy BurnsRAT, which is built on the RMS remote-administration tool: RMS is installed and launched as a service, and information about the computer is sent to the server after installation.
The key found in the installation configuration file matched one belonging to TA569, which is how the access is attributed to that group.
The stolen documents may contain sensitive corporate information and could be reused to advance the campaign later.
Phishing operations like Horns&Hooves are typically run to gain an initial foothold; the attackers then either deploy ransomware to encrypt the victim's data or sell the access to other cybercriminal groups.