More than 1,000 organizations, primarily in Russia, have been compromised with the NetSupport RAT and BurnsRAT payloads through fraudulent emails and JavaScript payloads as part of the newly uncovered Horns&Hooves malware campaign, which has been ongoing since March 2023, The Hacker News reports.
While attacks initially involved the distribution of a malicious HTML app that facilitated retrieval of a script enabling NetSupport RAT malware deployment, threat actors shifted to impersonate Next.js and other JavaScript libraries to deliver NetSupport RAT and BurnsRAT, according to an analysis from Kaspersky. Further tweaks to the Horns&Hooves malware campaign involved the utilization of an overhauled BAT file to allow NetSupport RAT compromise and direct malware integration into the JavaScript code, said Kaspersky researchers, who associated the malware campaign with the TA569 threat operation. "Depending on whose hands this access falls into, the consequences for victim companies can range from data theft to encryption and damage to systems. We also observed attempts to install stealers on some infected machines," said researcher Artem Ushkov.
