Kaspersky Lab researchers have uncovered a sophisticated phishing campaign dubbed “Horns&Hooves,” targeting both individual users and businesses in Russia since spring 2023. This operation, named after a fictional organization in Ilf and Petrov’s novel “The Golden Calf,” employs clever tactics to blend in with legitimate user and company inquiries.
Anatomy of the “Horns&Hooves” Attack
The campaign relies primarily on email messages with malicious attachments disguised as requests from prospective clients or partners. The attachments are typically ZIP archives containing a malicious script, most commonly a JScript (.js) file. To make the archive look genuine, the attackers often bundle it with real documents belonging to the organization or individual being impersonated, so the script sits alongside material a recipient would expect to see.
The malicious emails masquerade as various types of business communications, including:
- Purchase orders
- Price inquiries
- Reconciliation acts
- Refund requests
- Pre-trial or standard claims
Malware Payload and Infection Chain
When executed, the malicious script displays a decoy document to the victim, such as a spreadsheet listing goods to be purchased. Meanwhile, it covertly installs either NetSupport RAT or BurnsRAT on the system. Neither is custom malware: NetSupport RAT is the legitimate NetSupport Manager remote-administration software deployed without the user's knowledge, and BurnsRAT is built on Remote Manipulator System, another legitimate remote-administration tool.
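The lure pattern described above (a ZIP archive holding genuine-looking documents next to a JScript dropper that opens a decoy and then installs a remote-administration tool) is the part of the chain a mail gateway can catch before any script runs. The following is an added example, not code from Kaspersky's report or from the campaign itself: a small attachment-triage routine that opens a ZIP, flags members with script-host extensions, notices a document-style double extension such as `.xlsx.js`, and looks inside script members for the Windows Script Host objects a dropper needs (`WScript.Shell`, `Scripting.FileSystemObject`, and so on). The extension lists, the marker strings and the sample archives are assumptions constructed for the example; the sample archive is a harmless placeholder, not a real malware sample. It generalises slightly beyond the page by treating other script hosts (VBScript, HTA, batch) the same way as JScript.

```python
import io
import zipfile
from dataclasses import dataclass, field

# Extensions that Windows Script Host or Explorer executes on double-click.
# JScript (.js/.jse) is what the campaign used; the rest are an assumed
# generalisation to the other script hosts an attacker could swap in.
SCRIPT_EXTENSIONS = {".js", ".jse", ".wsf", ".wsh", ".vbs", ".vbe",
                     ".hta", ".cmd", ".bat", ".ps1"}

# Formats a genuine order, claim or reconciliation act would plausibly arrive
# in; used to recognise the bundled decoy documents. Assumed list.
DOCUMENT_EXTENSIONS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".rtf", ".odt"}

# Windows Script Host objects a dropper needs to write a decoy, run a program
# or fetch a payload. Heuristic only: their presence is not proof of malice.
DROPPER_MARKERS = (
    "WScript.Shell",
    "Scripting.FileSystemObject",
    "MSXML2.XMLHTTP",
    "ADODB.Stream",
)


@dataclass
class TriageVerdict:
    suspicious: bool = False
    script_members: list = field(default_factory=list)
    decoy_members: list = field(default_factory=list)
    reasons: list = field(default_factory=list)


def _suffixes(member_name: str) -> list:
    """All dotted suffixes of the basename: 'act.xlsx.js' -> ['.xlsx', '.js']."""
    base = member_name.replace("\\", "/").rsplit("/", 1)[-1].lower()
    parts = base.split(".")
    return ["." + p for p in parts[1:]]


def _script_markers(blob: bytes) -> list:
    """Return which WSH object names appear in a script member (case-insensitive)."""
    text = blob.decode("utf-8", errors="ignore").lower()
    return [m for m in DROPPER_MARKERS if m.lower() in text]


def triage_zip(data: bytes) -> TriageVerdict:
    """Classify a ZIP attachment the way a mail-gateway filter would."""
    verdict = TriageVerdict()
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            suffixes = _suffixes(info.filename)
            last = suffixes[-1] if suffixes else ""
            if last in SCRIPT_EXTENSIONS:
                verdict.script_members.append(info.filename)
                verdict.reasons.append(f"executable script in archive: {info.filename}")
                # "Order.xlsx.js" reads as a spreadsheet when extensions are hidden.
                if len(suffixes) > 1 and suffixes[-2] in DOCUMENT_EXTENSIONS:
                    verdict.reasons.append(
                        f"double extension mimicking a document: {info.filename}")
                markers = _script_markers(zf.read(info))
                if markers:
                    verdict.reasons.append(f"{info.filename} uses {', '.join(markers)}")
            elif last in DOCUMENT_EXTENSIONS:
                verdict.decoy_members.append(info.filename)
    # A script shipped next to real-looking documents is the decoy pattern.
    if verdict.script_members and verdict.decoy_members:
        verdict.reasons.append("script bundled with documents: decoy pattern")
    verdict.suspicious = bool(verdict.script_members)
    return verdict


def build_sample_archive() -> bytes:
    """Constructed archive resembling the described lure; placeholder content only."""
    dropper = (
        'var sh = new ActiveXObject("WScript.Shell");\n'
        'var fso = new ActiveXObject("Scripting.FileSystemObject");\n'
        '// would open the decoy spreadsheet, then run a RAT installer\n'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Price list.xlsx", b"placeholder spreadsheet bytes")
        zf.writestr("Order 1204.xlsx.js", dropper)
    return buf.getvalue()


def build_benign_archive() -> bytes:
    """Constructed archive with only a document, for comparison."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Reconciliation act.pdf", b"%PDF-1.4 placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    verdict = triage_zip(build_sample_archive())
    print(verdict.suspicious, *verdict.reasons, sep="\n")
```

On a gateway this verdict would feed a quarantine or sandbox decision rather than a hard block on its own; the marker check in particular is a heuristic, since legitimate administrative scripts also use `WScript.Shell`. Nested archives and password-protected ZIPs (a common way to defeat exactly this kind of inspection) are deliberately out of scope here and would need their own handling.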
Installing these Remote Access Trojans (RATs) is only an intermediate step. In some cases, researchers observed attempts to deploy additional malware after the initial infection, including the Rhadamanthys and Meduza information stealers.
Potential Threat Actors and Motivations
Kaspersky researchers suspect that the threat group TA569 (also tracked as Mustard Tempest or Gold Prelude) may be behind these attacks. The group is known to operate as an initial access broker, selling access to infected machines to other cybercriminals on the dark web.
The consequences for affected companies can vary widely depending on who ultimately gains access to the compromised systems. Potential outcomes include:
- Data theft
- System encryption
- Infrastructure damage
Additionally, attackers may collect documents and email addresses to fuel future attacks, perpetuating the cycle of cybercrime.
Protecting Against “Horns&Hooves” and Similar Threats
Artem Ushkov, a threat researcher at Kaspersky, emphasizes the importance of employee education in combating such attacks: “Companies regularly receive order-related requests and deal with complaints, so employees don’t always suspect deception, especially since attackers change tactics and experiment with new tools. Small and medium-sized businesses are at particular risk, as smaller enterprises don’t always have sufficient resources for protection. However, to counter such attacks, the main thing is to train employees in the basics of information security, educate them about phishing and other common threats. After all, in many cases, the success of attackers depends precisely on the human factor.”
To mitigate the risks posed by phishing campaigns like "Horns&Hooves," organizations should take a layered approach: mail-gateway filtering that blocks or sandboxes archives containing executable scripts, regular security awareness training for employees, and up-to-date endpoint protection that can detect remote-administration tools installed without authorization. Combining technical controls with a culture of vigilance significantly reduces exposure to these evolving threats.