Horns & Hooves: digital Ostap Bender robs companies across the country

Man

Kaspersky Lab has detected a mass mailing with malicious files.

Kaspersky Lab experts have recorded a new wave of mass mailings of emails with malicious attachments disguised as business correspondence from potential customers or partners. In this cyberattack, the criminals distribute Trojans designed to remotely control victims' computers. The campaign began in the spring of 2023; its targets include both private users in Russia and companies, mainly in the trade and services sectors.

Infection mechanism

The emails contain ZIP archives that hide malicious scripts (mainly JScript files). The attackers carefully disguise them as typical business requests: purchase requests, price requests, reconciliation reports, return applications, as well as pre-trial or standard claims. To increase the victim's trust, the archive may also contain genuine documents belonging to the organization or person the fraudsters are impersonating. For example, a letter requesting prices may be accompanied by an extract from the Unified State Register of Legal Entities, a certificate of tax registration or a company card.

When a malicious script is launched, the user is shown a so-called decoy document — a table or other document, for example, a list of goods for a proposed purchase.
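One gateway-side check that the infection mechanism above suggests, written here as an added example (not Kaspersky's tooling and not code from this page): unpack a ZIP attachment in memory and flag Windows script files, document-style double extensions and nested archives. The extension lists, the file names and the sample archive are constructed assumptions.

```python
import io
import zipfile
from dataclasses import dataclass

# Script types that Windows runs via wscript/cscript or mshta on double-click;
# the campaign above used JScript (.js) inside ZIP attachments. Assumed list.
SCRIPT_EXTENSIONS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh", ".hta"}
DOCUMENT_EXTENSIONS = {".pdf", ".doc", ".docx", ".xls", ".xlsx"}
NESTED_ARCHIVES = {".zip", ".rar", ".7z"}


@dataclass
class Finding:
    member: str
    reason: str


def inspect_zip_attachment(data: bytes) -> list:
    """Return a list of Finding for a ZIP attachment held in memory."""
    findings = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return [Finding("<archive>", "not a valid ZIP")]
    for info in zf.infolist():
        name = info.filename
        if name.endswith("/"):          # directory entry, nothing to execute
            continue
        base = name.rsplit("/", 1)[-1]  # strip any sub-folder path
        parts = base.lower().split(".")
        ext = "." + parts[-1] if len(parts) > 1 else ""
        if ext in SCRIPT_EXTENSIONS:
            findings.append(Finding(name, f"executable script ({ext})"))
        # "Invoice.pdf.js": a document extension placed before the real one
        if len(parts) > 2 and "." + parts[-2] in DOCUMENT_EXTENSIONS:
            findings.append(Finding(name, "double extension masquerading as a document"))
        if ext in NESTED_ARCHIVES:
            findings.append(Finding(name, "nested archive"))
    return findings


def build_sample_archive() -> bytes:
    """Constructed sample: a JScript 'price request' beside a real-looking extract."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Запрос цен.pdf.js", "WScript.Echo('decoy');")  # constructed lure
        zf.writestr("Выписка ЕГРЮЛ.pdf", b"%PDF-1.4 constructed")   # constructed filler
    return buf.getvalue()
```

A mail gateway would quarantine the message when the list is non-empty; the genuine PDF produces no finding, so legitimate document archives pass.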

Malware used

As a result of a successful attack, one of two well-known Trojans is downloaded onto the device: the NetSupport RAT or the BurnsRAT. Both are modified versions of legitimate remote administration programs — NetSupport Manager and Remote Manipulator System.

Attackers' goals

Installing the Trojan is only the first stage of the attack. In some cases, according to Kaspersky Lab experts, infected devices may additionally install stealers — malicious programs designed to steal confidential information (passwords, account data, etc.). In addition, experts suggest that the well-known hacking group TA569 (also known as Mustard Tempest or Gold Prelude), which sells access to infected systems on specialized shady forums, may be behind this campaign. For companies, this threatens serious consequences - from data theft to information encryption and damage to systems. Attackers can also collect documents and email addresses to continue their own attacks.

Attack identification

Kaspersky Lab has named the campaign Horns & Hooves, after the fictional enterprise from Ilf and Petrov's novel The Golden Calf. In the book, the organization was created by Ostap Bender so that it could blend in with the mass of unsuspecting employees. In the current situation, the attackers use similar tactics, trying to impersonate real counterparties and disguise malicious attachments as legitimate requests.

Precautions and recommendations

Kaspersky Lab notes that companies regularly receive requests related to orders or claims, so employees may not always suspect deception, especially when attackers change tactics and experiment with new tools. This is especially true for small and medium-sized businesses, which often lack the resources for reliable protection. In such conditions, the main role in preventing these threats is played by training staff in information security.

According to experts, the human factor often becomes the key to the success or failure of such attacks. Knowing the signs of phishing and being careful with suspicious attachments are important measures that can significantly reduce the risk of infection.
