- Kaspersky discovers a new campaign using malicious JavaScript to deploy RATs
- The RATs are in turn used to deploy two infostealers
- The victims include people and companies in Russia
Hackers are targeting people and companies in Russia with malicious JavaScript to install backdoors on their devices.
Kaspersky researchers, who dubbed the campaign “Horns&Hooves,” noted that it started in March 2023 and has since infected around 1,000 endpoints.
The campaign begins with a phishing email, in which the attackers pose as individuals and companies and send emails that mimic requests and bids from potential customers or partners.
Actively developed campaign
The emails come with various attachments, including the JavaScript payload. This payload delivers one of two Remote Access Trojans (RATs): NetSupport RAT or BurnsRAT. These RATs are in turn used to deploy the final payload: the Rhadamanthys or Meduza infostealer.
Both are known infostealers. Since late 2022, Rhadamanthys has been offered as a service on the dark web, allowing criminals to steal a wide range of information from the target device, from system details and passwords to browsing data. It also carries dedicated tooling for stealing cryptocurrency wallet credentials, with support for over 30 different wallets.
Meduza, like Rhadamanthys, steals user credentials and other sensitive information, including login credentials for various services and applications. It operates with a more targeted scope, however, and relies on various obfuscation and anti-analysis techniques to evade detection.
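The one control a defender can apply directly to the chain above is to stop the JavaScript attachment at the mail gateway before any RAT or infostealer follows. The script below is an added example for this article, not code from Kaspersky or from the campaign report: it parses a raw message with Python's standard `email` module and quarantines any attachment that Windows would execute as a script, including the double-extension trick (`request.pdf.js`) that lures of this kind often rely on. The sample message is constructed for the demo, and the extension, MIME-type and archive lists are assumptions about what a gateway should block, not details taken from the campaign.

```python
"""Flag mail attachments that Windows would run as a script.

Added example for this article; it is not code from Kaspersky or from the
campaign report. The sample message is constructed for the demo, and the
extension and MIME-type lists are assumptions about what a mail gateway
should quarantine, not details taken from the campaign.
"""
import email
from email import policy
from email.message import EmailMessage

# Extensions that wscript.exe / cscript.exe / mshta.exe execute directly (assumed block list).
SCRIPT_EXTENSIONS = {".js", ".jse", ".wsf", ".wsh", ".vbs", ".vbe", ".hta"}
# MIME types a sender can use to ship JavaScript under a harmless-looking name (assumed).
JS_CONTENT_TYPES = {"application/javascript", "application/x-javascript", "text/javascript"}
# Containers that need unpacking before the same check applies (assumed).
ARCHIVE_EXTENSIONS = {".zip", ".rar", ".7z", ".iso", ".img"}


def risky_extensions(filename):
    """Return every script extension present in *filename*.

    Every dotted segment after the first is checked, so a double
    extension such as 'quote.pdf.js' is caught, as is a name padded
    with spaces before the real extension.
    """
    segments = filename.strip().lower().split(".")[1:]
    return {"." + seg.strip() for seg in segments} & SCRIPT_EXTENSIONS


def scan_message(raw_bytes):
    """Parse a raw RFC 5322 message; return (filename, reason) for each suspicious attachment."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        ctype = part.get_content_type()
        hits = risky_extensions(name)
        if hits:
            findings.append((name, "script extension " + ", ".join(sorted(hits))))
        elif ctype in JS_CONTENT_TYPES:
            findings.append((name, "JavaScript content type " + ctype))
        elif any(name.lower().endswith(ext) for ext in ARCHIVE_EXTENSIONS):
            findings.append((name, "archive: unpack and rescan"))
    return findings


def build_sample_message():
    """Construct a lure in the style the article describes: a 'request' with a script attached."""
    msg = EmailMessage()
    msg["From"] = "procurement@partner.example"
    msg["To"] = "sales@target.example"
    msg["Subject"] = "Request for quotation"
    msg.set_content("Please see the attached request and send your best price.")
    # Double extension: the name reads as a PDF but Windows runs it as JScript.
    msg.add_attachment(b"WScript.Echo('demo');", maintype="application",
                       subtype="octet-stream", filename="Request_for_quotation.pdf.js")
    msg.add_attachment(b"%PDF-1.4 demo", maintype="application",
                       subtype="pdf", filename="price_list.pdf")
    return msg.as_bytes()


if __name__ == "__main__":
    for filename, reason in scan_message(build_sample_message()):
        print(f"QUARANTINE {filename}: {reason}")
```

Run it as-is to see the constructed lure flagged; in production, feed `scan_message` the raw bytes your MTA hands to a content filter. The check deliberately keys on the filename's full suffix chain rather than the declared MIME type, because a sender controls both and will usually pick an innocuous `application/octet-stream`; the MIME-type branch only catches the careless case. Archives are flagged rather than cleared, since a script inside a ZIP is still a script once the user extracts it.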
Horns&Hooves is an actively developed campaign, the researchers say, highlighting that the code has been revised and upgraded numerous times. Although attribution proved difficult, there are reasons to believe TA569 is behind the attacks. This group, according to The Hacker News, is also tracked as Mustard Tempest or Gold Prelude, and is the one that runs the SocGholish malware.
The same publication also stated that TA569 was seen as an initial entry broker for affiliates deploying the WastedLocker ransomware variant.
Via The Hacker News