NetSupport RAT and RMS in malicious emails
Essential information
- Published: 02/12/2024 17:08
- Modified: 02/12/2024 17:49
- Tags: 2024-12-02 burnsrat meduza netsupport rat obfuscation phishing remote access rhadamanthys russia stealer
- Related entities: 35 observables, 1 intrusion sets (apt), 14 techniques (mitre), 4 malware, 2 others
Description
The Horns&Hooves campaign, active since March 2023, targets Russian businesses with malicious email attachments containing scripts that install NetSupport RAT or BurnsRAT. The campaign evolved through several versions, improving obfuscation and delivery methods. It uses decoy documents and legitimate-looking file names to trick users. The attackers, likely associated with the TA569 group, gain remote access to infected systems and potentially sell this access to other cybercriminals. The campaign has affected over a thousand users, primarily in Russia, and has been observed attempting to install additional malware like Rhadamanthys and Meduza stealers.