Pierluigi Paganini June 02, 2023

A new botnet malware dubbed Horabot is targeting Spanish-speaking users in Latin America since at least November 2020.

Cisco Talos researchers were observed deploying a previously unidentified botnet, dubbed Horabot, that is targeting Spanish-speaking users in the Americas. The botnet is used to deliver a banking trojan and spam tool to the infected systems, Horabot has been active since at least November 2020.

The bot allows operators to control the victim’s Outlook mailbox, steal contacts’ email addresses, and send phishing emails with malicious HTML attachments. The banking trojan deployed as part of the campaign can collect the victim’s login credentials for various online accounts, operating system information and keystrokes. The malware also allows bypassing 2FA by stealing one-time security codes and can steal soft tokens from the victim’s online banking applications.

The spam tool allows to compromise Gmail, Outlook, and Yahoo! webmail accounts to send out spam emails.

Most of the victims are in Mexico, limited infections were reported in Uruguay, Brazil, Venezuela, Argentina, Guatemala, and Panama. Based on Talos analysis, the threat actors behind the campaign may be located in Brazil.

The attack chain commences with a tax-themed phishing email written in Spanish, posing as a tax receipt notification. The message is written to trick users into opening the attached malicious HTML file.

“When a victim opens the HTML file attachment, an embedded URL is launched in the victim’s browser, redirecting to another malicious HTML file from an attacker-controlled AWS EC2 instance.” reads the analysis published by Talos. “The content displayed on the victim’s browser lures them to click an embedded malicious hyperlink which downloads a RAR file.”

Upon opening the contents of the file, a PowerShell downloader script is executed. The script retrieves a ZIP file containing the main payloads from a remote server, then reboots the victim’s machine.

The banking Trojan and the spam tool are executed after restarting the system.

The banking trojan employed in this campaign is a 32-bit Windows DLL written in the Delphi programming language, the researchers noticed overlaps with other Brazilian Trojans like Mekotio and Casbaneiro.

“In analyzing the phishing emails used in the campaign, Talos identified that users in organizations across several business verticals — including accounting, construction and engineering, wholesale distributing and investment firms — have been affected. However, the attacker uses Horabot and the spam tool in this campaign to further propagate the attack by sending additional phishing emails to the victim’s contacts, meaning Spanish-speaking users from organizations in additional verticals are likely also affected.” concludes the report.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, botnet)