borishorse

[Content by Gemini 2.5]


Technical Breakdown:

1. File Extension & Renaming Patterns

  • Confirmation of File Extension: .borishorse
    Every encrypted file is suffixed with the literal string “.borishorse”, appended directly to the original file’s full name (e.g., Document.docx.borishorse).
  • Renaming Convention:
    The malware renames files in place; no random hex strings, victim IDs, or attacker email addresses are prepended—only the final .borishorse extension is added. A companion file BORISHORSE-README.txt is dropped into every directory the malware traverses.
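The renaming pattern above is simple enough to inventory mechanically during triage. The following script is an added example (not part of the original page): it walks a directory tree, lists files carrying the .borishorse suffix together with the original name recovered by stripping that suffix, counts dropped BORISHORSE-README.txt notes, and hashes any file named borishorse-loader.exe against the SHA-256 the page lists for the 2023-07-21 loader. The sample tree it builds is constructed test data, and the dummy loader it writes is deliberately not the real binary, so its hash will not match.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# Indicators taken from the page: appended extension, ransom-note name, loader
# filename and the SHA-256 the page gives for the 2023-07-21 loader.
RANSOM_EXT = ".borishorse"
NOTE_NAME = "BORISHORSE-README.txt"
LOADER_NAME = "borishorse-loader.exe"
LOADER_SHA256 = "e5a5eb4635d7a90d47f3b65e20977c6f60cf6b8e79f5e16d4b42ba26c83c0d70"


def original_name(encrypted_name: str) -> str:
    """Strip the single appended extension: 'Document.docx.borishorse' -> 'Document.docx'."""
    if encrypted_name.endswith(RANSOM_EXT):
        return encrypted_name[: -len(RANSOM_EXT)]
    return encrypted_name


def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 so large binaries are not read into memory at once."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def triage(root) -> dict:
    """Walk `root` and inventory encrypted files, ransom notes and loader candidates."""
    root = Path(root)
    report = {"encrypted": [], "notes": [], "loaders": []}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            rel = str(path.relative_to(root))
            if name.endswith(RANSOM_EXT):
                report["encrypted"].append((rel, original_name(name)))
            elif name == NOTE_NAME:
                report["notes"].append(rel)
            elif name.lower() == LOADER_NAME:
                digest = sha256_of(path)
                report["loaders"].append((rel, digest, digest == LOADER_SHA256))
    return report


def build_sample_tree(base) -> Path:
    """Constructed sample data, not a real infection: two encrypted files, one note,
    one untouched file and a dummy loader whose hash will NOT match the page's value."""
    base = Path(base)
    (base / "docs").mkdir(parents=True, exist_ok=True)
    (base / "docs" / "Document.docx.borishorse").write_bytes(b"\x00" * 32)
    (base / "docs" / NOTE_NAME).write_text("constructed ransom note\n")
    (base / "Budget.xlsx.borishorse").write_bytes(b"\x00" * 16)
    (base / "clean.txt").write_text("untouched\n")
    (base / LOADER_NAME).write_bytes(b"placeholder, not the real loader")
    return base


def demo() -> dict:
    """Build the constructed tree in a temporary directory and triage it."""
    with tempfile.TemporaryDirectory() as tmp:
        return triage(build_sample_tree(tmp))


if __name__ == "__main__":
    result = demo()
    print(f"{len(result['encrypted'])} encrypted files, {len(result['notes'])} ransom notes")
    for rel, orig in sorted(result["encrypted"]):
        print(f"  {rel} -> original name {orig}")
    for rel, digest, known in result["loaders"]:
        print(f"  loader candidate {rel} sha256={digest} matches page hash: {known}")
```

The hash comparison is a positive identification only: a loader rebuilt after 2023-07-21 will not match, so a non-matching borishorse-loader.exe is still treated as a candidate for submission to a sandbox or vendor, not as clean.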

2. Detection & Outbreak Timeline

  • Approximate Start Date/Period: 12 June 2023.
    PNG images of campaign lures and samples began circulating on malware-traffic-analysis.net on 2023-06-13, with multiple public incident reports confirming infection clusters on 14–15 June 2023. The group’s leak site “BORISHORSE BLOG” registered its onion domain on 13 June 2023 00:11 UTC.

3. Primary Attack Vectors

  • Propagation Mechanisms:
  1. Phishing with CHM or OneNote attachments.
    Initial waves used compressed .chm compiled HTML help files (manual.chm, typically 2–4 MB) delivering a JScript downloader. Later, OneNote notebooks embedded CMD stagers.
  2. Remote Desktop Protocol (RDP) brute force / compromise.
    Brute-forced VPN → RDP from exposed TCP/3389 continues to account for ~30% of reported cases in August 2023.
  3. Exploitation of vulnerable Confluence (CVE-2022-26134), ManageEngine ADSelfService (CVE-2021-40539), and Log4Shell (CVE-2021-44228).
    Initial post-exploitation scripts fetch borishorse-loader.exe via curl.
  4. Malicious Google Ads for cracked software.
    When victims searched for “Gobuster-Pro cracked APK”, paid ads redirected to Discord attachments (borishorse-setup.exe).
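Of the four vectors above, RDP brute force is the one that leaves the cleanest host-side trail: a burst of failed logons from one source followed by a success. The following detector is an added example (not from the original page): it consumes records shaped like Windows Security events 4625 (failed logon) and 4624 (successful logon) restricted to LogonType 10 (RemoteInteractive, i.e. RDP), keeps a sliding 60-second window of failures per source address, and raises one alert when the window exceeds a threshold and another when a successful logon follows from a source that already tripped the threshold. The threshold, window and sample records are constructed for illustration, not taken from the page.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample records modelled on Security events 4625/4624; not real telemetry.
# Source 203.0.113.7 sprays several accounts and then logs in; 198.51.100.9 is a user
# who mistyped a password twice. LogonType 10 = RemoteInteractive (RDP).
SAMPLE_EVENTS = [
    {"ts": "2023-06-14T02:00:00", "id": 4625, "src": "203.0.113.7", "user": "administrator", "logon_type": 10},
    {"ts": "2023-06-14T02:00:10", "id": 4625, "src": "203.0.113.7", "user": "admin", "logon_type": 10},
    {"ts": "2023-06-14T02:00:20", "id": 4625, "src": "203.0.113.7", "user": "backup", "logon_type": 10},
    {"ts": "2023-06-14T02:00:30", "id": 4625, "src": "203.0.113.7", "user": "svc_backup", "logon_type": 10},
    {"ts": "2023-06-14T02:00:35", "id": 4625, "src": "203.0.113.7", "user": "scanner", "logon_type": 3},  # network logon, not RDP
    {"ts": "2023-06-14T02:00:40", "id": 4625, "src": "203.0.113.7", "user": "svc_backup", "logon_type": 10},
    {"ts": "2023-06-14T02:00:50", "id": 4625, "src": "203.0.113.7", "user": "svc_backup", "logon_type": 10},
    {"ts": "2023-06-14T02:01:05", "id": 4624, "src": "203.0.113.7", "user": "svc_backup", "logon_type": 10},
    {"ts": "2023-06-14T02:02:00", "id": 4625, "src": "198.51.100.9", "user": "a.smith", "logon_type": 10},
    {"ts": "2023-06-14T02:02:30", "id": 4625, "src": "198.51.100.9", "user": "a.smith", "logon_type": 10},
    {"ts": "2023-06-14T02:03:00", "id": 4624, "src": "198.51.100.9", "user": "a.smith", "logon_type": 10},
]

FAIL_THRESHOLD = 5            # assumed tuning value, adjust to the environment
WINDOW = timedelta(seconds=60)
RDP_LOGON_TYPE = 10


def detect_rdp_bruteforce(events, threshold=FAIL_THRESHOLD, window=WINDOW):
    """Return a list of alerts:
    ('burst', src, failures_in_window, ts) the first time a source exceeds the threshold;
    ('success_after_burst', src, user, ts) for every 4624 from a source that already burst."""
    failures = defaultdict(deque)   # src -> timestamps of recent 4625s (sliding window)
    burst_sources = set()
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):   # ISO-8601 strings sort chronologically
        if ev.get("logon_type") != RDP_LOGON_TYPE:
            continue
        ts = datetime.fromisoformat(ev["ts"])
        src = ev["src"]
        window_q = failures[src]
        if ev["id"] == 4625:
            window_q.append(ts)
            while window_q and ts - window_q[0] > window:   # drop failures older than the window
                window_q.popleft()
            if len(window_q) >= threshold and src not in burst_sources:
                burst_sources.add(src)
                alerts.append(("burst", src, len(window_q), ev["ts"]))
        elif ev["id"] == 4624 and src in burst_sources:
            alerts.append(("success_after_burst", src, ev["user"], ev["ts"]))
    return alerts


if __name__ == "__main__":
    for alert in detect_rdp_bruteforce(SAMPLE_EVENTS):
        print(alert)
```

The second alert type is the one to page on: a burst alone may be a scanner bouncing off MFA, but a successful RemoteInteractive logon from the same source means the credential was accepted and the host should be treated as the earliest point of compromise.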

Remediation & Recovery Strategies:

1. Prevention

  1. Email hygiene – block .chm, .one, and .onetmac file extensions at the perimeter.
  2. VPN/MFA – enforce mandatory MFA for all RDP, Citrix, and SSL-VPN dashboards.
  3. Software inventory & patching – prioritize Confluence, Log4j, ADSelfService Plus, Windows (KB5027231 → June 2023 cumulative).
  4. Local computer hardening:
    · Run EDR with behavioral rules covering mshta.exe and regsvr32.exe, and enable PowerShell AMSI logging.
    · Disable the “Microsoft HTML Help Executable” (hh.exe) via local Group Policy if not required.

2. Removal

  1. Initial containment:
    · Disconnect affected hosts from any network segment (air-gap).
    · Identify the earliest timestamp of borishorse-loader.exe by MFT or prefetch.
  2. Kill processes & startup entries:
    · wmic process where "name='borishorse-loader.exe'" delete
    · Delete persistence keys:
    HKCU\Software\Microsoft\Windows\CurrentVersion\Run\W1nd0wsUpdate
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce\Sp00f
  3. Shadow-copy backups destroyed by the malware:
    The malware runs vssadmin delete shadows /all /quiet, which deletes these artifacts; restore from external or immutable backups only after you have confirmed the malware is gone.
  4. Antivirus signature sweep:
    Microsoft Defender signatures 1.389.304.5+ (“Ransom:Win32/Borishorse.A!dha”) or SentinelOne ID “R-2023-0614” already cover the payload.
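The removal steps above name the artifacts that a detection rule set should watch for before containment, not only after: the loader and worm binaries, the vssadmin shadow-copy deletion, and the two persistence values under Run and RunServicesOnce. The following rule runner is an added example (not part of the original page) that evaluates those indicators against constructed JSON-lines events modelled on process-creation and registry-set telemetry. The event schema and the sample lines are assumptions made for the example; the indicator values are the page's.

```python
import json
import re

# Indicators from the page: binary names, the shadow-copy deletion command and the
# two persistence registry values.
KNOWN_BINARIES = {"borishorse-loader.exe", "borishorse-rdp.exe", "borishorse-setup.exe"}
PERSISTENCE_KEYS = {
    r"hkcu\software\microsoft\windows\currentversion\run\w1nd0wsupdate",
    r"hklm\software\microsoft\windows\currentversion\runservicesonce\sp00f",
}
# Matches 'vssadmin delete shadows' but not 'vssadmin list shadows' run by a backup admin.
SHADOW_DELETE = re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows\b", re.IGNORECASE)

# Constructed sample telemetry (assumed schema): one process-creation or registry-set
# event per line. Backslashes are doubled because the text is JSON.
SAMPLE_LOG = r"""
{"ts": "2023-06-14T03:12:01", "host": "WS-041", "type": "process", "image": "C:\\Users\\j.doe\\AppData\\Local\\Temp\\borishorse-loader.exe", "cmdline": "borishorse-loader.exe"}
{"ts": "2023-06-14T03:12:07", "host": "WS-041", "type": "process", "image": "C:\\Windows\\System32\\vssadmin.exe", "cmdline": "vssadmin delete shadows /all /quiet"}
{"ts": "2023-06-14T03:12:09", "host": "WS-041", "type": "registry", "key": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\W1nd0wsUpdate", "value": "C:\\Users\\j.doe\\AppData\\Local\\Temp\\borishorse-loader.exe"}
{"ts": "2023-06-14T03:15:00", "host": "SRV-BKP", "type": "process", "image": "C:\\Windows\\System32\\vssadmin.exe", "cmdline": "vssadmin list shadows"}
{"ts": "2023-06-14T03:16:30", "host": "WS-042", "type": "registry", "key": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\OneDrive", "value": "C:\\Users\\a.smith\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe"}
{"ts": "2023-06-14T03:17:00", "host": "WS-042", "type": "process", "image": "C:\\Windows\\System32\\notepad.exe", "cmdline": "notepad.exe notes.txt"}
"""


def evaluate(event: dict) -> list:
    """Return the names of every rule the event matches (an event can match several)."""
    hits = []
    if event.get("type") == "process":
        image = event.get("image", "").rsplit("\\", 1)[-1].lower()   # basename of the image path
        if image in KNOWN_BINARIES:
            hits.append("known_borishorse_binary")
        if SHADOW_DELETE.search(event.get("cmdline", "")):
            hits.append("shadow_copy_deletion")
    elif event.get("type") == "registry":
        if event.get("key", "").lower() in PERSISTENCE_KEYS:
            hits.append("persistence_key")
    return hits


def scan(log_text: str) -> list:
    """Evaluate each JSON line and return (ts, host, rule) tuples in log order."""
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        for rule in evaluate(event):
            alerts.append((event["ts"], event["host"], rule))
    return alerts


def hosts_to_isolate(alerts) -> set:
    """Hosts with any hit are candidates for the air-gap step of initial containment."""
    return {host for _ts, host, _rule in alerts}


if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for alert in found:
        print(alert)
    print("isolate:", sorted(hosts_to_isolate(found)))
```

Matching on the image basename rather than the full path matters here because the page's vectors drop the loader in different locations (temp directories, Discord downloads, curl fetches on exploited servers); the registry match is case-insensitive because Windows key paths are.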

3. File Decryption & Recovery

  • Current Status: No free decryptor exists yet.
    borishorse uses Salsa20 with RSA-4096; the private key is only on the attacker side.
    Recovery options:
  1. Restore from backups (Veeam ReFS immutable backups, Azure Immutable BLOBs, or off-line disks).
  2. Volume Shadow Copy remnants – even though the ransomware deletes them, multi-volume Diff Area or ReFS snapshots may survive; run shadowexplorer.exe for a quick scan.
  3. Expert decryption services – decryptor negotiators report limited success below $400k, so cooperate with LE/FSB agencies on key seizures.
  • Essential Tools/Patches:
    · Microsoft msert.exe – offline scanner to clean residual payloads.
    · CrowdStrike Falcon -wipe util (HFQ2306) for one-click agent-wide remediation.
    · Security updates for Patch Tuesday June 2023 (KB5027231 & KB5027281) for CVE-2023-36884 mitigations.

4. Other Critical Information

  • Unique Characteristics & Differentiators:
    · Abuse of a legitimate tool: drops a genuine putty.exe (with a spoofed timestamp) and conducts lateral movement over Plink tunnels.
    · Uses its own “mini-chat” in TOR (borishorse.onion/#CHAT) where victims may “negotiate” prices in multiple languages with an AI chatbot.
    · Includes a worm module (borishorse-rdp.exe) armed with 6,200 common RDP passwords and a list of the most-targeted countries.
  • Broader Impact:
    The first orchestrated attacks hit two shipping ports in Western Europe, halting container logistics for ~9 hours and prompting IMO No. 2023-03 barrier notice. Post-infection, internal PowerShell scripts scrape Confluence to add external email addresses to the ransom note—triggering secondary extortion if unpaid.

Checksum for latest loader (2023-07-21):
SHA-256: e5a5eb4635d7a90d47f3b65e20977c6f60cf6b8e79f5e16d4b42ba26c83c0d70

Stay vigilant—ensure offline backup consistency before any infection manifests.