Source |
RiskIQ |
Identifier |
8601136 |
Publication date |
2024-10-21 17:57:04 (viewed: 2024-10-21 18:12:54) |
Title |
Horns&Hooves Newsletter Delivers NetSupport RAT and BurnsRAT |
Text |
#### Targeted Geolocations
- Russia
## Snapshot
In recent months, SecureList has detected a surge in phishing campaigns using malicious ZIP archives containing JScript files disguised as business requests.
## Description
These emails, which began around March 2023, primarily target private users, retailers, and service companies, most of them in Russia. The campaign, dubbed “Horns&Hooves,” cleverly mimics legitimate correspondence from real companies, using convincing file names like "Purchase Request" or "Request for Quotation."
Attackers have modified their tactics multiple times, with early versions of the malware using HTA files and later versions transitioning to JS scripts. The malware often includes a decoy document, such as a PNG image or text file, designed to make the attack seem legitimate. The primary payload is a remote administration tool called NetSupport RAT, which allows the attackers to control infected systems remotely. A few instances from this campaign also distributed BurnsRAT.
NetSupport RAT is distributed through fraudulent websites and fake updates. Once installed, the malware communicates with the attackers' servers to download additional malicious files. Over time, the attackers have refined their techniques, embedding the malware directly into scripts to avoid detection.
According to SecureList, the campaign appears to be linked to the TA569 group, tracked by Microsoft as [Mustard Tempest](https://security.microsoft.com/intel-profiles/79a9547522d81fe6c1f5e42d828009656892f3976c547360db52c33f0ba16db9), a group known for selling access to compromised systems on the darknet. Depending on the buyer, the stolen data could lead to anything from theft to ransomware attacks. The campaign's evolution and the shift towards more self-contained malware delivery show a focus on evading detection and maximizing the attack's impact.
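The delivery pattern described above (a ZIP archive carrying a JScript or HTA payload named like a business request, often next to a decoy image or text file) can be triaged at the mail gateway before the script ever runs. The following is an added example, not code from the SecureList or Microsoft report; the extension watch lists, the lure-name regex and the sample archive are assumptions constructed for illustration.

```python
# Added example (not from the report): triage an inbound ZIP attachment for the
# Horns&Hooves layout: a script payload with a business-request style name,
# optionally a double extension, shipped next to a decoy PNG/TXT/PDF.
import io
import re
import zipfile

SCRIPT_EXTS = {".js", ".jse", ".hta", ".wsf", ".vbs"}  # assumed watch list
DECOY_EXTS = {".png", ".jpg", ".txt", ".pdf"}           # assumed decoy types
# Lure words drawn from the file names the report cites ("Purchase Request",
# "Request for Quotation"); matched loosely and case-insensitively.
LURE_RE = re.compile(r"(purchase|quotation|request|invoice)", re.I)


def _ext(name: str) -> str:
    dot = name.rfind(".")
    return name[dot:].lower() if dot != -1 else ""


def triage_zip(data: bytes) -> dict:
    """Return script members, decoy members and a verdict for one ZIP blob."""
    scripts, decoys = [], []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            base = info.filename.rsplit("/", 1)[-1]   # ignore folder prefixes
            ext = _ext(base)
            if ext in SCRIPT_EXTS:
                scripts.append({
                    "name": base,
                    "lure_name": bool(LURE_RE.search(base)),
                    # "Quote.pdf.js" style naming hides the real file type
                    "double_ext": _ext(base[: -len(ext)]) in DECOY_EXTS,
                })
            elif ext in DECOY_EXTS:
                decoys.append(base)
    suspicious = any(s["lure_name"] or s["double_ext"] for s in scripts)
    verdict = "block" if suspicious else ("review" if scripts else "clean")
    return {"scripts": scripts, "decoys": decoys, "verdict": verdict}


def build_sample_zip() -> bytes:
    """Constructed sample archive mimicking the lure layout; contents are inert."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Request for Quotation.pdf.js", "// placeholder, no script body")
        zf.writestr("scan.png", b"\x89PNG placeholder bytes")
    return buf.getvalue()
```

Any archive that reaches the "review" or "block" verdict is worth detonating in a sandbox or quarantining rather than delivering; a script member with no lure name is still unusual in legitimate business mail.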
## Microsoft Analysis and Additional OSINT Context
The actor that Microsoft tracks as [Mustard Tempest](https://security.microsoft.com/intel-profiles/79a9547522d81fe6c1f5e42d828009656892f3976c547360db52c33f0ba16db9) is a financially motivated cybercriminal group that provides initial access to ransomware operators, such as [Manatee Tempest](https://security.microsoft.com/threatanalytics3/31b81fc3-8c9b-4439-b954-2c374a2458b3/analystreport?ocid=magicti_ta_ta2). Mustard Tempest infects its targets through drive-by scenarios using FakeUpdates (also known as SocGholish) malware. Targets are from a wide range of industry sectors including manufacturing, information technology, critical infrastructure, consulting, finance, education, healthcare, and engineering. Opportunistically targeted geographies include, but are not limited to, the United States, Canada, Europe, and South Africa.
## Recommendations
Microsoft recommends the following mitigations to reduce the impact of this threat.
- Turn on [cloud-delivered protection](https://learn.microsoft.com/en-us/defender-endpoint/linux-preferences) in Microsoft Defender Antivirus or the equivalent for your antivirus product to cover rapidly evolving attacker tools and techniques. Cloud-based machine learning protections block a majority of new and unknown threats.
- Run [EDR in block mode](https://learn.microsoft.com/microsoft-365/security/defender-endpoint/edr-in-block-mode?view=o365-worldwide?ocid=magicti_ta_learndoc) so that Microsoft Defender for Endpoint can block malicious artifacts, even when your non-Microsoft antivirus does not detect the threat or when Microsoft Defender Antivirus is running in passive mode. EDR in block mode works behind the scenes to remediate malicious artifacts that are detected post-breach.
- Allow [investigation and remediation](https://learn.microsoft.com/microsoft-365/security/defender-endpoint/automated-investigations?view=o365-worldwide?ocid=magicti_ta_learndoc) in full automated mode to allow Microsoft Defender for Endpoint to take immediate action on alerts to resolve breaches, significantly reducing alert vol |
Notes |
★★
|
Sent |
Yes |
Tags |
Ransomware
Malware
Tool
Threat
Medical
|