
NetSupport RAT and RMS in malicious emails

Dec. 2, 2024, 5:49 p.m.

Description

The Horns&Hooves campaign, active since March 2023, targets Russian businesses with malicious email attachments containing scripts that install NetSupport RAT or BurnsRAT. The campaign evolved through several versions, improving obfuscation and delivery methods. It uses decoy documents and legitimate-looking file names to trick users. The attackers, likely associated with the TA569 group, gain remote access to infected systems and potentially sell this access to other cybercriminals. The campaign has affected over a thousand users, primarily in Russia, and has been observed attempting to install additional malware like Rhadamanthys and Meduza stealers.

Date

Published: Dec. 2, 2024, 5:08 p.m.

Created: Dec. 2, 2024, 5:08 p.m.

Modified: Dec. 2, 2024, 5:49 p.m.

Indicators

58eb9f211ddbb5a6a3bfec345431c40ac61090241b865dbe26bbf958afc685ed

d23491dd351f43f0efad5cee2be80c4049349a7695c0e7de1de632c791356183

c43e506c9b964dddf6fd784bf0cc78b4a2396f47257361dc22e1070e249eae16

bda2503fc02b11258399cfabd0778a997654b5bd7d30e5e3f5bef54a74b914e1

b351e3f475681ab2e8db5b2bbd2beaf26e5b4fd082ca08eba6fffbc76370113c

8891e7562eb4db253a8582376083ca99b19457680f9d36a5ba4108790740785e

7bcfcc90d0bd6c85b5b1cc9f287e161020571a0418afb50f2dd67685e9d3a4fc

716778bab5fb2c439a51362be5941a50d587714d58a6faa39eefa96aa79c1561

564b21c293bc9d0885dc7a87dbf488a497c98d2103d91f5bbcfdb476eb8b6f4c

4dce8b3beba71b8b44b6576ff2497ed68c6fafebd046822f0d60f8758238e900

01082cd4733e5f3e2c3f642fa6c0afb5a9489d39ff26a35549263fc0e02ebad3

f4e2f28169e0c88b2551b6f1d63f8ba513feb15beacc43a82f626b93d673f56d

https://www.linkpicture.com/q/1_1657.png

https://golden-scalen.com/files/*

https://golden-scalen.com/files/

http://xoomep1.com:1935

http://xoomep2.com:1935

http://golden-scalen.com/ngg_cl.zip

http://45.133.16.135/zayavka/666.bat

http://45.133.16.135/zayavka/www.php

http://45.133.16.135/zayavka/1.yay

http://31.44.4.40/test/bat_install.bat

http://188.227.58.243/zayavka/www.php

http://188.227.58.243/pretencia/www.php

http://188.227.58.243/pretencia/installet_bat_vbs.bat

http://188.227.106.124/test/js/www.php

http://188.227.106.124/test/js/1.js

http://188.227.106.124/test/js/BLD.exe

xoomep2.com

xoomep1.com

labudanka2.com

gribidi2.com

golden-scalen.com

shetrn2.com

shetrn1.com

Attack Patterns

BurnsRAT

Meduza

NetSupport RAT

Rhadamanthys

TA569

T1021.001

T1574.002

T1059.003

T1059.001

T1547.001

T1059.007

T1573

T1105

T1219

T1036

T1204

T1140

T1027

T1566

Additional Information

Retail

Russian Federation