Since November 2020, a covert campaign utilizing the ‘Horabot’ botnet malware has specifically targeted Spanish-speaking users across Latin America, infecting them with a banking trojan and spam tool, all while operating undetected.
Threat actors take control of the victim’s email accounts (Gmail, Outlook, Hotmail, or Yahoo) by exploiting the malware to steal all the essential and confidential email data.
Not only that, even threat actors also use those compromised email accounts to send phishing emails to other victims.
Cybersecurity researchers at Cisco Talos recently uncovered this new Horabot operation, revealing that the threat actor responsible for it is believed to have roots in Brazil.
However, most of the infections are located in the following countries:-
- Mexico
- Uruguay
- Brazil
- Venezuela
- Argentina
- Guatemala
- Panama
Horabot Malware Infection Flow
The infection chain commences with a multi-stage process, initiated by a phishing email with a tax-related theme, wherein the target receives an HTML attachment masquerading as a payment receipt.
Once the HTML is opened, it triggers a sequence of URL redirections, ultimately leading the victim to an HTML page. At the same time, this HTML page is hosted on an AWS instance under the threat actor’s control.
The unsuspecting victim falls into the trap after clicking laid by the threat actor, as it downloads a RAR archive carrying a CMD extension-embedded batch file.
The batch file directs the download of a PowerShell script, which retrieves a collection of authorized executables and trojan DLLs from C2.
Executing their operations precisely, these trojans connect to a separate C2 server, retrieving the final two payloads.
One of these payloads is a PowerShell downloader script, while the other is the Horabot binary.
The malicious PowerShell downloader script takes charge by launching a sequence of processes responsible for the retrieval of the payloads, and not only that even it also forcefully reboots the system of the victim as well.
Targets Login Credentials & Financial Information
Hidden within the array of DLL files extracted from the downloaded ZIP archive, the notorious “jli.dll” stealthily sideloads itself through the “kinit.exe” executable, unveiling its true identity as a Delphi-based banking trojan.
While it targets the following data:-
- System language
- Disk size
- Antivirus software
- Hostname
- OS version
- IP address
- User credentials
- Activity data
In addition, the trojan extends its reach by providing its operators with remote access functionalities, granting them the power to execute file actions, engage in keylogging activities, capture screenshots, and track mouse events.
With each application launch, the trojan executes a strategic trick, expertly overlaying a deceptive window to mislead victims into inputting sensitive data.
The attacker stealthily employs HTTP POST requests to convey all the gathered information from the victim’s computer to their command and control server, ensuring a covert and efficient data transfer.
An encrypted spam tool DLL is also included with the ZIP archive, and the tool is dubbed as “_upyqta2_J.mdat.” This tool gives the attacker ability to steal credentials from popular email platforms like:-
Operating within its designated role, Horabot emerges as a PowerShell-based botnet program specializing in Outlook phishing.
This malicious entity can increase the infection by sending phishing emails to every email address in the victim’s mailbox.
Upon completing the phishing email distribution process, all locally generated files and folders are deleted, leaving no trace.
Stop Advanced Email Threats That Target Your Business Email – Try AI-Powered Email Security