Javascript files loaded with RATs hits thousands of victims

Kaspersky found a new campaign, using malicious JavaScript to deploy RATs
The RATs are used to deploy two infostealers
Among the victims are people and businesses in Russia

Hackers are targeting people and businesses in Russia with malicious JavaScript, in order to install backdoors on their devices. This is according to a new report from cybersecurity researchers Kaspersky, who named the campaign “Horns&Hooves”.

As per the researchers, Horns&Hooves started in March last year, and has since infected roughly 1,000 endpoints.

The campaign starts with a phishing email, in which the attackers impersonate individuals and businesses, and send emails that mimic requests and bids from potential customers, or partners.

Actively developed campaign

The emails come with various attachments, among which is the JavaScript payload. This payload delivers two Remote Access Trojans (RAT): NetSupport RAT and BurnsRAT. In turn, these RATs are used to deploy the final payload: either Rhadamanthys, or Meduza.

These two are known infostealers. Since late 2022, Rhadamanthys is being offered on the dark web as a service, enabling crooks to steal a vast range of information from the target device, from system details, passwords, to browsing data. Rhadamanthys has specialized tools for stealing cryptocurrency credentials, with support for over 30 different wallets.

Meduza, on the other hand, is part of the growing threat landscape for personal and business cybersecurity. Like Rhadamanthys, it steals user credentials and other sensitive information, including login credentials for various services and applications. However, Meduza operates with a more focused scope, aiming to evade detection through various obfuscation and anti-analysis techniques.

Horns&Hooves is an actively developed campaign, the researchers are saying, stressing that the code was revamped and upgraded numerous times. While attribution proved difficult, there is reason to believe that TA569 is behind the attacks. This group, according to The Hacker News, is also called Mustard Tempest, or Gold Prelude) and is the one running the SocGholish malware.

The same publication also stated that TA569 was seen acting as an initial access broker for affiliates deploying the WastedLocker ransomware strain.

Via The Hacker News

T-Mobile just launched a surprise early Black Friday sale – you can already get four free iPhone 17s without a trade-in

Best Intel Powered AI laptops lead battery gains and pace daily edits without plug anxiety

Government Agencies Issue Emergency Guidance for Microsoft Exchange Server

Don't miss

T-Mobile just launched a surprise early Black Friday sale – you can already get four free iPhone 17s without a trade-in

Best Intel Powered AI laptops lead battery gains and pace daily edits without plug anxiety

Government Agencies Issue Emergency Guidance for Microsoft Exchange Server

Javascript files loaded with RATs hits thousands of victims

Related Posts

T-Mobile just launched a surprise early Black Friday sale – you can already get four free iPhone 17s without a trade-in

Best Intel Powered AI laptops lead battery gains and pace daily edits without plug anxiety

Government Agencies Issue Emergency Guidance for Microsoft Exchange Server

T-Mobile just launched a surprise early Black Friday sale – you can already get four free iPhone 17s without a trade-in

Best Intel Powered AI laptops lead battery gains and pace daily edits without plug anxiety

Government Agencies Issue Emergency Guidance for Microsoft Exchange Server